I have a load balancer classic2-**.us-east-1.elb.amazonaws.com and it's public. I have whitelisted ports 443 and 80 for all connections and was connecting fine from another public EC2 server as expected:
...
ec21~]#telnet classic2-**.us-east-1.elb.amazonaws.com 80
Trying ***...
Connected to ec2-***.compute-1.amazonaws.com.
Escape character is '^]'.
...
Later I changed the inbound security group for the load balancer for port 80 and allowed only EC2 to access port 80 on the load balancer. For that I edited the load balancer's security group inbound rule and added the EC2 security group (sg-****) as the source. After saving that rule I tried telnet to port 80 from SSH to the load balancer, but it's not accepting the connection:
....
# telnet classic2-**.us-east-1.elb.amazonaws.com 80
Trying ****...
telnet: connect to address ****: Connection timed out
....
Not sure why it's rejecting. Both the instance and the ELB are in a public subnet, and the ELB is not working with the EC2 instance security group as the source.
Any advice? Thanks.
I suspect that the Load Balancer is configured as a Public Load Balancer. As a result, the DNS Name will resolve to a Public IP address. Therefore, the telnet connection will be connecting to the Public IP address of the load balancer. (You can test this by resolving the DNS Name to an IP address, such as using nslookup or even ping.)
However, when one security group refers to another security group, it permits the connection via a Private IP address because it expects the connections to happen totally within the VPC.
There are two ways to resolve this:
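A quick check for the point made in the answer above, added here as an example and not code from either poster: resolve the load balancer's DNS name and classify each address. An inbound rule whose source is a security group only matches traffic arriving via private VPC addresses, so if the name resolves to a public address, that rule cannot be what admits the telnet connection. The hostname argument, function names and sample addresses below are my own assumptions.

```python
"""Check whether a security-group-sourced inbound rule can match the address you connect to.

A rule with source sg-xxxx matches only traffic from the ENIs in that group over
their private VPC addresses. A public ELB name resolves to public IPs, so a
connection to it leaves the VPC path that the rule is able to match.
"""
import ipaddress
import socket
import sys


def resolve(hostname):
    """Return the IPv4 addresses the hostname resolves to right now (needs network)."""
    infos = socket.getaddrinfo(hostname, None, socket.AF_INET)
    return sorted({info[4][0] for info in infos})


def classify(ip):
    """'private' for RFC 1918 / VPC-internal addresses, 'public' otherwise."""
    return "private" if ipaddress.ip_address(ip).is_private else "public"


def sg_source_rule_can_match(addresses):
    """Map each address to whether an SG-sourced rule could match a connection to it."""
    return {ip: classify(ip) == "private" for ip in addresses}


def diagnose(addresses):
    """Return ('match', []) if every address is private, else ('no-match', public_list)."""
    public = [ip for ip in addresses if classify(ip) == "public"]
    return ("no-match", public) if public else ("match", [])


if __name__ == "__main__":
    if len(sys.argv) > 1:
        addrs = resolve(sys.argv[1])          # e.g. the classic2-**.elb name
    else:
        # Constructed samples: one public-looking address, one private VPC address.
        addrs = ["54.1.2.3", "10.0.1.25"]
    verdict, public = diagnose(addrs)
    for ip in addrs:
        print(f"{ip:16} {classify(ip)}")
    if verdict == "no-match":
        print("Public address(es) returned; an sg-xxxx source rule will not match:", public)
        print("Use the private path (internal ELB or private IPs) or allow the public CIDR.")
    else:
        print("All addresses are private; an sg-xxxx source rule can match this path.")
```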