I have 2 instances in the same AZ and both have Public IP addresses. I have added a security group to both instances allowing inbound ICMP ping with source as the same security group. When I ping the Private IP address, ping succeeds. However, when I ping the Public IP address, ping fails.
On the contrary, when I change the source to be 0.0.0.0/0, pinging the Public IP succeeds.
Technically, the public IP address is not attached to the EC2 instance or its Elastic Network Interface (ENI). Inside the VPC, everything only knows and uses the private IP addresses. The public IP address is managed by the Internet Gateway, which translates the public IP into the private IP and vice versa for incoming and outgoing traffic.
This means when you ping the public IP of another instance, the packet leaves the Security Group towards the Internet Gateway, and then comes back in. So from the target instance’s perspective, it comes from the Internet and therefore is blocked by the Security Group.
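The following is an added illustration of the behaviour described in the answer, not code from the original post and not an AWS API. It is a small model of Security Group evaluation: a rule whose source is a security group id matches only the private IPs of ENIs in that group, while a ping to a public IP hairpins through the Internet Gateway and arrives with the sender's public IP as its source. The ENI names, group id `sg-icmp` and the 10.0.1.0/24 and 203.0.113.0/24 addresses are constructed for the example. It also shows the narrower alternative to `0.0.0.0/0`: a `/32` rule for the other instance's public (Elastic) IP.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass
class Eni:
    private_ip: str
    public_ip: Optional[str]
    security_groups: List[str]


@dataclass
class Rule:
    protocol: str  # e.g. "icmp"
    source: str    # a CIDR or a security group id such as "sg-icmp"


@dataclass
class Vpc:
    enis: Dict[str, Eni]            # instance name -> ENI
    groups: Dict[str, List[Rule]]   # group id -> inbound rules


def rule_matches(rule: Rule, src_ip: str, vpc: Vpc) -> bool:
    """A group-referenced rule matches only private IPs of ENIs in that group."""
    if rule.source.startswith("sg-"):
        return any(
            eni.private_ip == src_ip
            for eni in vpc.enis.values()
            if rule.source in eni.security_groups
        )
    return ip_address(src_ip) in ip_network(rule.source)


def inbound_allowed(vpc: Vpc, dst_name: str, src_ip: str, protocol: str) -> bool:
    """Security Groups are allow-lists: any matching rule on any attached group permits."""
    dst = vpc.enis[dst_name]
    return any(
        rule.protocol == protocol and rule_matches(rule, src_ip, vpc)
        for sg in dst.security_groups
        for rule in vpc.groups[sg]
    )


def observed_source_ip(vpc: Vpc, src_name: str, dst_addr: str) -> str:
    """Source IP the target ENI sees for a packet sent to dst_addr."""
    src = vpc.enis[src_name]
    if any(e.private_ip == dst_addr for e in vpc.enis.values()):
        return src.private_ip          # stays inside the VPC, untouched
    if src.public_ip is None:
        raise ValueError(f"{src_name} has no public IP and cannot reach {dst_addr}")
    return src.public_ip               # hairpins via IGW, which NATs the source


def ping(vpc: Vpc, src_name: str, dst_addr: str) -> bool:
    """True if an ICMP echo from src_name to dst_addr passes the target's groups."""
    dst_name = next(
        n for n, e in vpc.enis.items() if dst_addr in (e.private_ip, e.public_ip)
    )
    return inbound_allowed(vpc, dst_name, observed_source_ip(vpc, src_name, dst_addr), "icmp")


def build_vpc(icmp_source: str) -> Vpc:
    """Two instances in one group, with one inbound ICMP rule whose source varies."""
    return Vpc(
        enis={
            "a": Eni("10.0.1.10", "203.0.113.10", ["sg-icmp"]),
            "b": Eni("10.0.1.20", "203.0.113.20", ["sg-icmp"]),
        },
        groups={"sg-icmp": [Rule("icmp", icmp_source)]},
    )


if __name__ == "__main__":
    for source in ("sg-icmp", "0.0.0.0/0", "203.0.113.10/32"):
        vpc = build_vpc(source)
        print(f"source={source:16} private: {ping(vpc, 'a', '10.0.1.20')!s:5} "
              f"public: {ping(vpc, 'a', '203.0.113.20')}")
```

Run it and the group-referenced rule allows the private ping but not the public one, exactly as the question observes; `0.0.0.0/0` allows the public ping but opens ICMP to the whole Internet, whereas a `/32` for the peer's public IP allows only that hairpinned traffic (and, since the peer's private IP is not in that CIDR, the private-IP ping would then need the group-referenced rule as well).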