I had created a VPC with public and private subnets. For the public subnets I attached an internet gateway, and for the private subnets a NAT gateway. From here my plan is to launch all my instances in the private subnet and connect them with the outside world using an ELB. For that I launched my tomcat server in the private subnet and attached it to an ELB which is in the public subnet, and I launched mongodb in the private subnet with a public subnet ELB attached to it. Now when I call an API from the tomcat server it should fetch the data from the db. It's happening when I allow 27017 (port of mongodb) from anywhere in the ELB SG. Here is where I'm facing the issue: I don't want to allow the port from everywhere, only the tomcat servers should talk with the mongodb through the ELB. How do I configure the security groups of the ELB to allow traffic from only the tomcat servers?
Solution:
Since your tomcat servers are in a private subnet and they are trying to reach the mongodb ELB in a public subnet, the tomcat servers' outbound traffic must be routed through a NAT gateway (not the ELB).
So instead of setting the security group to allow 27017 port from 0.0.0.0/0, you can allow 27017 port from the NAT gateway IP.
You will first need to check whether you are using the old-style NAT gateway instance or the new VPC NAT gateway solution in order to obtain the required IP address.
Suggestions:
First, you do not want to expose the traffic between your instance and your database to public internet. Use a private load balancer instead.
Second, you do not need an ELB for the mongodb cluster (I assume you have a cluster). The purpose of a Mongodb cluster is high availability. Writes always go to the primary, and it is a bad practice to use secondaries to increase performance for read requests.
You should set up mongos to accept connections and let it take care of the routing for you. In this case your tomcat servers can connect to the private mongos endpoint directly without exposing traffic to the internet.
If you are not using a mongodb cluster (in this case I don't understand why you used a load balancer in the first place) then it is even simpler: just connect using the mongodb server's private IP.
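As an added example (not code from the original question or answer), the three security-group rule shapes discussed above in the form boto3's `authorize_security_group_ingress` expects, plus a small audit helper that flags the "27017 from anywhere" setting; the NAT IP and security-group IDs are constructed placeholders, and the source-security-group rule assumes an internal load balancer as the answer suggests.

```python
# Added example, not part of the original Q&A. Builds EC2 security-group
# ingress permissions ("IpPermissions" shape used by boto3) for the ELB in
# front of MongoDB, and audits a rule set for world-open ports.
# All IDs and addresses are constructed placeholders.

MONGO_PORT = 27017


def _tcp_rule(port):
    """Base TCP permission for a single port, sources added by the callers."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}


def mongo_rule_open_to_world():
    """The weak setting from the question: 27017 reachable from 0.0.0.0/0."""
    return {**_tcp_rule(MONGO_PORT), "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def mongo_rule_from_nat(nat_public_ip):
    """The answer's fix for an internet-facing ELB: the Tomcat subnet egresses
    via the NAT gateway, so only the NAT gateway's public IP (/32) is allowed."""
    return {**_tcp_rule(MONGO_PORT), "IpRanges": [{"CidrIp": f"{nat_public_ip}/32"}]}


def mongo_rule_from_tomcat_sg(tomcat_sg_id):
    """With a private (internal) load balancer the source can be the Tomcat
    instances' own security group, so no public IP or internet path is involved."""
    return {**_tcp_rule(MONGO_PORT), "UserIdGroupPairs": [{"GroupId": tomcat_sg_id}]}


def world_open_ports(ip_permissions):
    """Audit helper: (protocol, from_port, to_port) for every rule whose source
    is 0.0.0.0/0 or ::/0. 'IpProtocol' of '-1' means all traffic and has no ports."""
    found = []
    for perm in ip_permissions:
        v4_open = any(r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", []))
        v6_open = any(r.get("CidrIpv6") == "::/0" for r in perm.get("Ipv6Ranges", []))
        if v4_open or v6_open:
            found.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return found


def apply_rules(ec2_client, elb_sg_id, ip_permissions):
    """Apply the rules to the ELB's security group with a boto3 EC2 client
    (not called here; requires AWS credentials and network access)."""
    return ec2_client.authorize_security_group_ingress(
        GroupId=elb_sg_id, IpPermissions=ip_permissions)
```

Running `world_open_ports` over a security group's existing `IpPermissions` (from `describe_security_groups`) is a quick way to confirm the broad rule is gone after the change.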