Configure interdependent security groups in AWS VPC
In the AWS VPC, I added a security group for the database access that allows any request from a specific CIDR IP on port 3306. This CIDR IP includes private subnets as well as public subnets. A public subnet is allowed so that database can explicitly be connected to developers machines using bastion host (EC2 instance configured on VPC's public subnet and assigned an IP from Amazon's pool of public IPs).
Ideally, services on a private subnet should able to connect to a database.
- Rather than defining the network mask from where the connection is allowed in one security group, is there any elegant way to do it (probably by creating two security groups as defined in this AWS document)?
- Database should connect only on 3306 port but services should be allowed to use any port for the database access. How to configure a security group to achieve this? For example, one security group that allows requests on only 3306 port (this security group can be attached to the database). And, another security that allows connection to all ports (this security group can be attached to microservices instances). Somehow this microservice security group should be mapped to a database security group in such a way that no matter on what port request is coming from it should in turn call database security group on 3306 port. Can this be done?
Tried something along this line:
DBConnectableSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: ...
GroupDescription: Allows for connection to the DB cluster.
ServerlessDBSecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
VpcId: ...
GroupDescription: Defines rules for connecting to the DB cluster.
OutboundRule:
Type: AWS::EC2::SecurityGroupEgress
Properties:
IpProtocol: tcp
FromPort: 0
ToPort: 65535
DestinationSecurityGroupId: !GetAtt ServerlessDBSecurityGroup.GroupId
GroupId: !GetAtt DBConnectableSecurityGroup.GroupId
InboundRule:
Type: AWS::EC2::SecurityGroupIngress
Properties:
IpProtocol: tcp
FromPort: 3306
ToPort: 3306
SourceSecurityGroupId: !GetAtt DBConnectableSecurityGroup.GroupId
GroupId: !GetAtt ServerlessDBSecurityGroup.GroupId
App-SG -- Inbound Rule
DB-SG -- Inbound Rule (source is pointing to App-SG)
App-SG and DB-SG -- Outbound Rule
Now I associate App-SG with an application. This application can successfully connect to the database on port 3306 (same as configured in Inbound Rule of DB-SG).
I associate App-SG with another application. This application uses a different port to connect to the database, port 3310. As App-SG allows all ports, I expect this to connect to the database but this does not work and the connection is refused.
The preferred configuration is:
- A security group on the application resource (
App-SG) with appropriate inbound permissions to use the application, and the default All Outbound permissions - A security group on the database (
DB-SG) that permits inbound connections on the database port fromApp-SGand All Outbound
That is, DB-SG specifically references App-SG in its inbound rules. This way, any resource that is associated with App-SG will be allowed to communicate with the database. This method avoids having to specify IP address and CIDR ranges and any new resources that use App-SG will automatically gain access to the database.
- How to use MFA with AWS CLI?
- How do I get the URL for the item using the Amazon API
- How to make links work with exported sites when hosted on AWS Cloudfront?
- Error launching CloudFormation Template for CloudHSM
- Glacier as Resource in CloudFormation template?
- how to secure keys for API calls from android device to amazon services
- Why is this IAM policy denying access with an MFA session?
- AWS Lambda Function Trigger API Gateway Issue
- GetMyFeesEstimate API Amazon vba
- AWS Cloudformation !Ref SecurityGroup returns an invalid ID
- How to set up AWS Client VPN with Keycloak as IdP
- How to view/identify which process taking how much memory?
- using bottlenose in python to extract product price from Amazon in different locale
- Unable to delete cfn stack, role is invalid or cannot be assumed
- How to Set Up Account Linking for a Skill using Alexa API from Amazon?
- GitHub actions "aws: not found" error on ubuntu-latest with Godot CI
- Download file from S3 to Rails 4 app
- Cloudfront (CDN) with Internal Application Load Balancer
- Connecting private load balancer to cloud front distribution?
- Request to Amazon API with delphi : Got HTTP/1.1 403 Forbidden
- Amazon QuickSight Connects Over Internet Instead of VPC to Public Redshift Cluster
- Shift Lambda infrastructure to ECS
- IAM policy to allow EC2 instance API access only to modify itself
- How to match these 2 tables?
- What is the best way of getting files from AWS S3, inserting them into zip and uploading that zip to the bucket?
- What does this mean? An error occurred (SignatureDoesNotMatch) when calling the GetCallerIdentity operation: Signature expired
- AWS ElastiCache in cluster mode has no Primary / Reader endpoints
- How to query: filtering on multiple primary partition keys and range on primary sort key
- How can I get boto3 script to run as a Lambda function?
- Testing AWS CDK Applications Locally