I have a ec2 instance that is running a website and associates ALB.
normally as a practice inside the ec2 instance security group, alb security group is referenced, but here the client has a configuration in such a way that inside ec2 instance the source is name of the security group itself.
security group for ec2 instance whose name is
sg-0bc7e4b8b0fc62ec7 - default
As per my understanding of aws security group, under an inbound rule when it comes to source, we can mention IP address, or CIDR block or reference another security group.
But what does this mean for an inbound rule where ALL traffic, all ports are allowed but for source = sg-0bc7e4b8b0fc62ec7 / default.
I am confused with usage of the same name of the security group as source, what this rule will mean?
Each VPC has a default security group (SG). In this SG, inbound rule allows all incoming traffic from "itself". This means that
When you specify a security group as the source for a rule, traffic is allowed from the network interfaces that are associated with the source security group for the specified protocol and port.
In other words, if you have two instances that use the default VPC SG, they can only communicate with each other. No other inbound traffic is allow to either instance.
The use of SG as source is a good practice and if often used between load balancer (LB) and its instances, or between instances and RDS database. In the first case the instances allow incoming traffic only from the SG of the LB, while in the second case, db instance allows incoming connections only from SG of the instance.