DEVHIDE
Login Or Sign up

Chaining security groups

934 Views Asked by At

I have been looking all around why something which I believe should work, does not. Here's a breakdown

  • I have a bastion with publicly assigned IP in that's security group enables all egress traffic. There's also this, sort of a point to the question:
  FooSSHIngress:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 22
      ToPort: 22
      GroupId:
        Fn::ImportValue: !Sub "${FooStackName}-AdminSecurityGroup"
      SourceSecurityGroupId: !Ref BastionSecurityGroup
      Description: Enables SSH to FooService

So I am trying to allow connections coming from BastionSecurityGroup@22 to reach another security group that's called AdminSecurityGroup fro FooStack.

AdminSecurityGroup can be found below. Is is obviously empty, but bear with me. The point was to have a security group that can be linked somewhere to enable SSH access.

  AdminSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: >-
        For FooService admin access.
        Grants access to EC2 instances over SSH.
      VpcId:
        Fn::ImportValue: !Sub "${VpcStackName}-VPCId"

Anyway, that group above is later on linked to SecurityGroup being finally referenced in AWS::EC2::LaunchTemplate. It's definition is below:

  ServerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable Client and Admin access
      VpcId:
        Fn::ImportValue: !Sub "${VpcStackName}-VPCId"
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: !Ref ClientPort
          ToPort: !Ref ClientPort
          SourceSecurityGroupId: !Ref ClientSecurityGroup
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          SourceSecurityGroupId: !Ref AdminSecurityGroup

As you can see there's also ClientSecurityGroup that follows the same pattern.

Finally, questions are:

  1. Does it make sense?
  2. Why does it not work? By my knowledge, having security group like so should result in routing traffic through ENI. But somehow it does not.
  3. Funny thing is that if I replace AdminSecurityGroup with ServerSecurityGroup, for bastion, connection is possible. Obviously that is followed by removing AdminSecurityGroup and ClientSecurityGroup from FooStack (no point in having those anymore).
  4. Why everything kicks in if all security groups of Foo are referenced inside of LaunchTemplate ?
amazon-web-services amazon-ec2 aws-security-group network-security-groups
Original Q&A
0

There are 0 best solutions below

Related Questions in AMAZON-WEB-SERVICES

Related Questions in AMAZON-EC2

Related Questions in AWS-SECURITY-GROUP

Related Questions in NETWORK-SECURITY-GROUPS

Trending Questions

Popular # Hahtags

javascript python java c# php android html jquery c++ css ios sql mysql r reactjs node.js arrays c asp.net json python-3.x ruby-on-rails .net sql-server swift django angular objective-c pandas excel

Popular Questions

Copyright © 2021 Jogjafile Inc.