Tags: amazon-web-services, amazon-ec2, firewall, aws-security-group

EC2 Security Groups Source/Destination control


I am reading the AWS Certified Solutions Architect Official Study Guide book, and I came across the following information (see attached). My question is this: does the highlighted text mean that I can control if the traffic to my EC2 can only come from an instance that is assigned to a certain security group? If so, can anyone please give a simple explanation or reference about that? Thanks.

[Image: Security Group Rule Attributes]


Solution

  • Yes.

    So a very good example of where you could use this is as follows.

    You have a Load Balancer, L, and a set of EC2s, E.

    L has a security group Ls, which permits ingress on port 443 to everywhere.

    You have something running on port 8080 on the EC2s, but don't want that publicly exposed.

    You could assign a security group to the EC2s, Es, and say "permit port 8080 inbound from these CIDRs". But then you have to give an IP address range to permit ingress.

    As an alternative, you can add a security group rule to Es that says "permit TCP 8080 from source security group Ls".

    That means inbound traffic to Es is only permitted if it originates from the Ls security group.

    This is a very neat way to lock your EC2s down to the Load Balancer, without needing to specify the Load Balancer's IP address (that is, if it even has one).
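As an added example (not code from the question, the answer, or AWS), here is how the "TCP 8080 from source security group Ls" rule looks in the IpPermissions shape that boto3's authorize_security_group_ingress expects, plus a small audit helper that flags ports a group leaves open to the world by CIDR instead of an SG reference. The group ids and the sample describe_security_groups data are placeholders constructed for the example.

```python
# Added example, not from the original post. Assumes two hypothetical security
# groups: "sg-lb-placeholder" (Ls, on the load balancer) and
# "sg-ec2-placeholder" (Es, on the EC2 instances).
from typing import Any

LB_SG = "sg-lb-placeholder"    # Ls, assumed id
EC2_SG = "sg-ec2-placeholder"  # Es, assumed id


def sg_referenced_ingress(port: int, source_sg: str) -> dict[str, Any]:
    """IpPermissions entry for boto3 authorize_security_group_ingress that
    admits TCP `port` only from members of `source_sg` (no CIDR at all)."""
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg}],
    }


def world_open_ports(group: dict[str, Any]) -> list[int]:
    """Audit helper: ports a describe_security_groups() group entry exposes to
    0.0.0.0/0 or ::/0, i.e. where a CIDR was used instead of an SG reference."""
    found = []
    for perm in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in perm.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])]
        if "0.0.0.0/0" in cidrs or "::/0" in cidrs:
            found.append(perm.get("FromPort", -1))
    return sorted(set(found))


# Constructed sample shaped like describe_security_groups()["SecurityGroups"][0]
# for Es: 8080 correctly limited to Ls, plus a leftover world-open port 22.
SAMPLE_ES = {
    "GroupId": EC2_SG,
    "IpPermissions": [
        sg_referenced_ingress(8080, LB_SG),
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
}


def apply_rule(ec2_client: Any, group_id: str, port: int, source_sg: str) -> None:
    """Authorize the SG-referenced rule via boto3 (needs AWS credentials)."""
    ec2_client.authorize_security_group_ingress(
        GroupId=group_id, IpPermissions=[sg_referenced_ingress(port, source_sg)])


if __name__ == "__main__":
    import boto3  # imported here so the audit helpers run without boto3
    apply_rule(boto3.client("ec2"), EC2_SG, 8080, LB_SG)
    print("world-open ports in sample:", world_open_ports(SAMPLE_ES))
```

Running the audit helper over your real groups (describe_security_groups output) shows at a glance which ports still rely on CIDRs rather than the Ls reference.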