I'm new to AWS and trying to learn how to create a template for a stack in CloudFormation. I have two security groups, one for the instance and one for the database.
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "InstanceSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable tomcat, ssh, mysql access via port 8080, 22, 3306 as well",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 8080,
            "ToPort": 8080,
            "CidrIp": "0.0.0.0/0"
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 3306,
            "ToPort": 3306,
            "SourceSecurityGroupId": {"Ref": "DatabaseSecurityGroup"}
          },
          {
            "IpProtocol": "tcp",
            "FromPort": 22,
            "ToPort": 22,
            "CidrIp": "0.0.0.0/0"
          }
        ]
      }
    },
    "DatabaseSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "Enable mysql database access to instance and back via port 3306",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "FromPort": 3306,
            "ToPort": 3306,
            "SourceSecurityGroupId": {"Ref": "InstanceSecurityGroup"}
          }
        ]
      }
    }
  }
}
Should I use the "DependsOn" attribute, or is the code below going to work? Should I use "AWS::EC2::SecurityGroupIngress" instead of the "standard" SecurityGroup?
CodePudding user response:
It appears that your configuration is:
- An Amazon EC2 instance
- A database that should permit inbound access from the EC2 instance
For this, you would configure:
- InstanceSecurityGroup that permits Inbound access for SSH and "All Outbound" access
- DatabaseSecurityGroup that permits Inbound access on port 3306 from InstanceSecurityGroup
There is no need to permit inbound access from the database to the EC2 instance. Security Groups are stateful, meaning that return traffic is automatically permitted. The database will never initiate a connection to the EC2 instance, so an Inbound rule is not required.
Thus, you will not have two security groups referring to each other.
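As an added example (not part of the question or the answer above), the following Python script builds the layout the answer describes as a CloudFormation template and lints a template for the two defects in the question's fragment: two security groups whose inline ingress rules reference each other (which CloudFormation rejects as a circular dependency), and a TCP rule whose FromPort is greater than its ToPort. The parameter name AdminCidr, its default value, and the function names are assumptions introduced here; the asker's fragment is reproduced only as constructed test input.

```python
"""Added example: build the answer's corrected security-group layout and lint
CloudFormation templates for mutual security-group references and bad port ranges."""
import json

SG_TYPE = "AWS::EC2::SecurityGroup"


def corrected_template():
    """Layout from the answer: the instance group admits Tomcat and SSH inbound, the
    database group admits 3306 only from the instance group, and nothing refers back.
    Security groups are stateful, so the database's replies need no rule of their own.
    AdminCidr (an assumption added here) keeps SSH off 0.0.0.0/0; its default is a
    constructed documentation-range value."""
    return {
        "AWSTemplateFormatVersion": "2010-09-09",
        "Parameters": {
            "AdminCidr": {"Type": "String", "Default": "203.0.113.0/24",
                          "Description": "CIDR allowed to reach SSH on the instance"},
        },
        "Resources": {
            "InstanceSecurityGroup": {
                "Type": SG_TYPE,
                "Properties": {
                    "GroupDescription": "Tomcat on 8080 from anywhere, SSH from AdminCidr",
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "CidrIp": "0.0.0.0/0"},
                        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": {"Ref": "AdminCidr"}},
                    ],
                },
            },
            "DatabaseSecurityGroup": {
                "Type": SG_TYPE,
                "Properties": {
                    "GroupDescription": "MySQL 3306 inbound from the instance group only",
                    "SecurityGroupIngress": [
                        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                         "SourceSecurityGroupId": {"Ref": "InstanceSecurityGroup"}},
                    ],
                },
            },
        },
    }


def question_fragment():
    """The asker's fragment as constructed test input: the groups reference each other
    and the first rule runs from port 8080 down to port 22."""
    return {"Resources": {
        "InstanceSecurityGroup": {"Type": SG_TYPE, "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "SourceSecurityGroupId": {"Ref": "DatabaseSecurityGroup"}},
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"},
        ]}},
        "DatabaseSecurityGroup": {"Type": SG_TYPE, "Properties": {"SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "SourceSecurityGroupId": {"Ref": "InstanceSecurityGroup"}},
        ]}},
    }}


def _security_groups(template):
    return {n: r for n, r in template["Resources"].items() if r.get("Type") == SG_TYPE}


def _ingress(resource):
    return resource.get("Properties", {}).get("SecurityGroupIngress", [])


def _source_group(rule):
    """Logical name a rule's SourceSecurityGroupId points at, via Ref or Fn::GetAtt."""
    src = rule.get("SourceSecurityGroupId")
    if isinstance(src, dict):
        if "Ref" in src:
            return src["Ref"]
        if "Fn::GetAtt" in src:
            return src["Fn::GetAtt"][0]
    return None


def reference_graph(template):
    """Map each security group to the set of in-template groups its rules reference."""
    groups = _security_groups(template)
    return {name: {g for g in map(_source_group, _ingress(res)) if g in groups}
            for name, res in groups.items()}


def mutual_references(template):
    """Sorted pairs of security groups that reference each other inline."""
    graph = reference_graph(template)
    pairs = {tuple(sorted((a, b))) for a, targets in graph.items()
             for b in targets if a in graph.get(b, ())}
    return sorted(pairs)


def invalid_port_ranges(template):
    """(group, FromPort, ToPort) for tcp/udp rules where FromPort exceeds ToPort."""
    bad = []
    for name, res in _security_groups(template).items():
        for rule in _ingress(res):
            if rule.get("IpProtocol") in ("tcp", "udp") and rule.get("FromPort", 0) > rule.get("ToPort", 0):
                bad.append((name, rule["FromPort"], rule["ToPort"]))
    return bad


if __name__ == "__main__":
    # Dump the corrected template so it can be checked with the AWS CLI's validate-template.
    print(json.dumps(corrected_template(), indent=2))
```

Running the script prints the corrected template; the lint functions are what you would call from a pre-deploy check, and they report the circular pair and the 8080-to-22 range on the asker's fragment while finding nothing in the corrected layout.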