Good day,
If one is provisioning an EC2 instance (serverA) that receives TCP traffic on port 8000 from a handful of yet-to-be-provisioned EC2 instances (serverB, serverC, etc.), what is the best practice for configuring security groups on serverA?
Security group: serverA_sg
Source: CIDR block that encompasses serverB/C and any future instances of the same type
Port range: 8000
CIDR block would have to be at least /24 due to the fluidity of the environment.
or
Security group: serverA_sg
Source: serverA_sg
Port range: 8000
Then assign "serverA_sg" to serverB/C when they are provisioned? I assume the negative here is that the "client" instances will also then be available on 8000.
or something else entirely?
Thank you!
You are very close with your second option. The best practice would be:
Rule1:
Security group: serverA_sg
Source: serverB_sg
Port range: 8000
Rule2:
Security group: serverA_sg
Source: serverC_sg
Port range: 8000
Then assign "serverB_sg" to serverB, and assign "serverC_sg" to serverC.
Best practice within a VPC is to use security group references instead of CIDR blocks. And each logical group of servers should have its own separate security group to control exactly which ports are open, and to allow changing the ports allowed in that group without affecting other server groups.
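The layout the answer describes, written out as a Terraform configuration. This is an added example, not code from the question or the answer; it assumes an already-configured AWS provider and takes the VPC id as an input variable. Rules are declared as separate `aws_security_group_rule` resources rather than inline blocks so that serverA_sg can reference serverB_sg and serverC_sg without creating a dependency cycle, and the client groups get an egress rule scoped to serverA_sg instead of the usual allow-all.

```hcl
# Added example (not from the original post). Assumes the AWS provider is
# configured and that var.vpc_id names an existing VPC.

variable "vpc_id" {
  type        = string
  description = "VPC in which the security groups are created (assumed input)"
}

# One security group per logical server role. No inline ingress/egress blocks:
# every rule is a separate resource, which is what lets serverA_sg reference
# the client groups (and vice versa) without a Terraform cycle.
resource "aws_security_group" "server_a" {
  name        = "serverA_sg"
  description = "Listener on TCP/8000; accepts only from referenced client groups"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "server_b" {
  name        = "serverB_sg"
  description = "serverB role: client of serverA on TCP/8000"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "server_c" {
  name        = "serverC_sg"
  description = "serverC role: client of serverA on TCP/8000"
  vpc_id      = var.vpc_id
}

# Rule1 from the answer: serverA_sg accepts TCP/8000 from any ENI that carries
# serverB_sg. Because the source is a group reference, membership follows the
# attached security group, not an address range, so future serverB instances
# are covered as soon as they are launched with serverB_sg attached.
resource "aws_security_group_rule" "a_from_b" {
  type                     = "ingress"
  security_group_id        = aws_security_group.server_a.id
  source_security_group_id = aws_security_group.server_b.id
  protocol                 = "tcp"
  from_port                = 8000
  to_port                  = 8000
  description              = "serverB clients"
}

# Rule2: the same for serverC_sg. Keeping it a separate rule means serverC's
# access can be changed or revoked without touching serverB's.
resource "aws_security_group_rule" "a_from_c" {
  type                     = "ingress"
  security_group_id        = aws_security_group.server_a.id
  source_security_group_id = aws_security_group.server_c.id
  protocol                 = "tcp"
  from_port                = 8000
  to_port                  = 8000
  description              = "serverC clients"
}

# Security groups are stateful, so the client groups need no ingress rule for
# the reply traffic, and serverB/serverC do NOT end up listening on 8000 (the
# concern raised in the question about reusing serverA_sg on the clients).
# Note that Terraform removes AWS's default allow-all egress rule on groups it
# creates, so egress must be declared explicitly; here it is scoped to
# serverA_sg rather than 0.0.0.0/0. For an egress rule the provider uses
# source_security_group_id to name the destination group.
resource "aws_security_group_rule" "b_to_a" {
  type                     = "egress"
  security_group_id        = aws_security_group.server_b.id
  source_security_group_id = aws_security_group.server_a.id
  protocol                 = "tcp"
  from_port                = 8000
  to_port                  = 8000
  description              = "to serverA listener"
}

resource "aws_security_group_rule" "c_to_a" {
  type                     = "egress"
  security_group_id        = aws_security_group.server_c.id
  source_security_group_id = aws_security_group.server_a.id
  protocol                 = "tcp"
  from_port                = 8000
  to_port                  = 8000
  description              = "to serverA listener"
}

# Attach the matching group at launch; only the relevant ids are shown.
output "server_a_sg_id" { value = aws_security_group.server_a.id }
output "server_b_sg_id" { value = aws_security_group.server_b.id }
output "server_c_sg_id" { value = aws_security_group.server_c.id }
```

After `terraform apply`, launch serverB with the `server_b_sg_id` group and serverC with `server_c_sg_id`; any later instance of either role inherits access to serverA simply by being launched with the same group, and the /24-sized CIDR allowance from the first option is not needed.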