amazon-web-services, amazon-elb, aws-security-group

Allow ELB connection just from instances in the same VPC, Subnet and Security Group


I am working fine with my current ELB, but for security reasons I want to restrict connections by allowing just instances in the same security group, so I created an additional security group just for managing the ELB. I have no problem while I allow 0.0.0.0/0 to port 443, but when I remove the rule I lose the connection. If I allow the public IP of the instance it works, but I have several instances so it is not an option. I also tried allowing the private CIDR (10.0.0.0/24) of the instances and it does not work, and I also tried allowing the same security groups without success.

ELB Security Group

Thanks in advance


Solution

The setup should be:

  • A security group on the Amazon EC2 instances running your app (SG-App) that permits incoming traffic from the appropriate locations to access the app
  • A security group on the Load Balancer (SG-LB) that permits inbound connections on port 443 from SG-App

That is, SG-App is permitting inbound connections from any instances associated with SG-App. This is much better than allowing connections "from the same security group" because the instances need different settings to the ELB.

When the instances resolve the DNS Name associated with the Load Balancer, it should resolve to a private IP address (10.0). You can test this by connecting to one of the instances and trying to ping/lookup the ELB DNS Name and seeing what IP address it is using.
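As an added example, not part of the original question or answer, here are the two groups the answer describes written as Terraform. It assumes an existing VPC passed in as `var.vpc_id`, an application listening on port 8080 behind the load balancer, and that the instances reach the load balancer by its private address.

```hcl
# Added example (not from the original post). Two security groups that
# reference each other instead of using CIDR or public-IP rules.
variable "vpc_id" { type = string }

resource "aws_security_group" "app" {
  name        = "sg-app"
  description = "Instances running the application"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "lb" {
  name        = "sg-lb"
  description = "Load balancer in front of the application"
  vpc_id      = var.vpc_id
}

# SG-LB: accept HTTPS only from members of SG-App. A security-group
# reference matches traffic arriving from the VPC's private addresses,
# not from an instance's public IP, hence the answer's point about the
# ELB DNS name resolving to a 10.x address.
resource "aws_security_group_rule" "lb_in_from_app" {
  type                     = "ingress"
  security_group_id        = aws_security_group.lb.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.app.id
}

# SG-App: accept the backend port only from the load balancer
# (port 8080 is an assumption; use the listener's instance port).
resource "aws_security_group_rule" "app_in_from_lb" {
  type                     = "ingress"
  security_group_id        = aws_security_group.app.id
  from_port                = 8080
  to_port                  = 8080
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lb.id
}

# Egress is kept narrow: the aws_security_group resource removes AWS's
# default allow-all egress, so only the instance-to-ELB path is opened.
resource "aws_security_group_rule" "app_out_to_lb" {
  type                     = "egress"
  security_group_id        = aws_security_group.app.id
  from_port                = 443
  to_port                  = 443
  protocol                 = "tcp"
  source_security_group_id = aws_security_group.lb.id
}
```

Add the matching egress rule from SG-LB to SG-App on the backend port the same way, or the load balancer cannot reach the instances; any other outbound access the instances need (package updates, for example) also has to be granted explicitly.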