Search code examples
amazon-web-servicesamazon-ec2amazon-elastic-beanstalkamazon-vpcamazon-elb

Connecting from one AWS Elastic Beanstalk environment to another

I have 2 Elastic Beanstalk environments, "api-server" & "website". Both have a capacity of 1-4 EC2 instances and a load balancer. The load balancer and the instances have both public IP addresses. I want to connect from the "website" to the "api-server" but i can't get it to work without making the "api-server" public. The "api-server" should not be public.

I am connected with a VPN that is allowed HTTP connections to both EB environments and i can confirm that both apps respond.

Both EB environments have 2 security groups, one for the load balancer called "Load Balancer Security Group" and one for the instances called "VPC Security Group". All load balancer and VPC security groups have an outbound rule allowing all traffic on all protocols.

Since i want to connect from the "website" to any of the instances of "api-server" i want to connect to the load balancer and not to any of the instances directly. So i should add an inbound rule to the load balancer group of the "api-server" that allows traffic from the "website"'s instances.

/Screen Shot 2022-02-06 at 22.32.06.png

The instances all have the "VPC Security Group" but adding the rule did not give the "website" instances access to the "api-server". I also tried adding the load balancer security group without success. And i also tried the type "All traffic".

I also tried to connect to the "api-server" over different URLs like the load balancer but also no connection possible.

When i add a rule that allows traffic to everywhere, eg. source type "Anywhere-IPv4", i can access the "api-server" from the website. But as i said i don't want the "api-server" public it should be accessible only by the "website".

What also works is adding a rule with the IP address of the current "website" instance, but since they change with deployment of a new version and they are sometimes more or less instances (autoscaled from 1 to 4) its not an option.

So how does it work?

I searched everywhere in the docs but i can't find anything i didn't already tried. What am i missing? This surely shouldn't be so hard?

I appreciate every help!

Edit: Everything is in the same VPC.

Solution

  • So how does it work?

    Referencing security groups (SGs) works only withing VPC or peered VPCs. Since you are accessing your second EB over the internet, not within same VPC, you can't reference SGs.

    You have to whitelist public IP addresses of your instances. The best way is to put them in private subnet and use NAT gateway. The NAT gives you a single public static IP which you can use in your ingress rule of the second EB environment.