Chaining security groups


I have been looking all around why something which I believe should work, does not. Here's a breakdown

  • I have a bastion with a publicly assigned IP whose security group enables all egress traffic. There's also this, which is sort of the point of the question:
  FooSSHIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      # the rule is added to the AdminSecurityGroup exported by FooStack
      GroupId:
        Fn::ImportValue: !Sub "${FooStackName}-AdminSecurityGroup"
      # matches traffic from interfaces that carry BastionSecurityGroup
      SourceSecurityGroupId: !Ref BastionSecurityGroup
      Description: Enables SSH to FooService

So I am trying to allow connections coming from BastionSecurityGroup@22 to reach another security group called AdminSecurityGroup from FooStack.

AdminSecurityGroup can be found below. It is obviously empty, but bear with me. The point was to have a security group that can be linked somewhere to enable SSH access.

  AdminSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: >-
        For FooService admin access.
        Grants access to EC2 instances over SSH.
      VpcId:
        Fn::ImportValue: !Sub "${VpcStackName}-VPCId"

Anyway, that group above is later on linked to ServerSecurityGroup, which is finally referenced in AWS::EC2::LaunchTemplate. Its definition is below:

  ServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable Client and Admin access
      VpcId:
        Fn::ImportValue: !Sub "${VpcStackName}-VPCId"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ClientPort
          ToPort: !Ref ClientPort
          SourceSecurityGroupId: !Ref ClientSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref AdminSecurityGroup

As you can see there's also ClientSecurityGroup that follows the same pattern.

Finally, questions are:

  1. Does it make sense?
  2. Why does it not work? To my knowledge, having security groups like this should result in traffic being routed through the ENI. But somehow it does not.
  3. Funny thing is that if I replace AdminSecurityGroup with ServerSecurityGroup for the bastion, the connection is possible. Obviously that is followed by removing AdminSecurityGroup and ClientSecurityGroup from FooStack (no point in having those anymore).
  4. Why does everything kick in if all security groups of Foo are referenced inside the LaunchTemplate?
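Added example (my code, not the asker's): a small Python model of how security-group rules are evaluated, which reproduces the behaviour described in points 2 to 4 above. It assumes that a source-group rule matches only traffic from ENIs that have that group attached and that rules never chain through another group; ClientPort is taken to be 8080, and the ENI names are constructed.

```python
from typing import Dict, List, Set
from dataclasses import dataclass, field

@dataclass
class Rule:
    port: int
    source_sg: str  # security group named as the rule's source

@dataclass
class Eni:
    name: str
    groups: Set[str] = field(default_factory=set)  # groups attached to this ENI

def allowed(src: Eni, dst: Eni, port: int, rules: Dict[str, List[Rule]]) -> bool:
    """True if an ingress rule on a group attached to dst admits src on port.
    Source-group rules match only if that group is attached to the sending ENI;
    membership is never inherited through another group's rules (assumption)."""
    for sg in dst.groups:
        for rule in rules.get(sg, []):
            if rule.port == port and rule.source_sg in src.groups:
                return True
    return False

# Ingress rules as written in the question (ClientPort assumed to be 8080).
RULES: Dict[str, List[Rule]] = {
    "AdminSecurityGroup": [Rule(22, "BastionSecurityGroup")],  # FooSSHIngress
    "ServerSecurityGroup": [Rule(8080, "ClientSecurityGroup"),
                            Rule(22, "AdminSecurityGroup")],
}
BASTION = Eni("bastion", {"BastionSecurityGroup"})  # constructed ENI

def server_with_server_sg_only() -> bool:
    # LaunchTemplate references only ServerSecurityGroup. AdminSecurityGroup is
    # attached to no ENI, so the bastion is not "from" it and the server is not
    # "in" it: neither rule fires and SSH is refused.
    server = Eni("server", {"ServerSecurityGroup"})
    return allowed(BASTION, server, 22, RULES)  # False

def server_with_all_foo_sgs() -> bool:
    # LaunchTemplate references every Foo group. FooSSHIngress now sits on the
    # server's own ENI and matches the bastion directly (the asker's point 4).
    server = Eni("server", {"ServerSecurityGroup", "AdminSecurityGroup", "ClientSecurityGroup"})
    return allowed(BASTION, server, 22, RULES)  # True

def bastion_carries_admin_sg() -> bool:
    # The usual marker-group pattern: attach AdminSecurityGroup to the admin
    # host instead, so ServerSecurityGroup's own rule matches the bastion.
    bastion = Eni("bastion", {"BastionSecurityGroup", "AdminSecurityGroup"})
    return allowed(bastion, Eni("server", {"ServerSecurityGroup"}), 22, RULES)  # True
```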