I have a simple setup -- one EC2 acts as a web server.
At first, I allowed only one set of IPs (the first office) to access the server, so I created a security group and allowed them to access the EC2 through HTTP and HTTPS.
A new office (with different IPs) now wants to access the webserver. What's the best way to do it?
What I have tried
Adding each IP to the original security group works, but I will have no idea which IP belongs to which office in a few weeks. Not sustainable.
I created another security group and added rules for HTTP/HTTPS for each new IP. [screenshot: Add IPs to inbound rule in new security group]
Then I added the new security group to the original security group. [screenshot: Add new security group to original security group (the new security group is the first two rows in the screenshot)]
I expected the EC2 instance to now allow the new IPs but it didn't. (Am I missing something here?!)
CodePudding user response:
- Adding each IP to the original security group works, but I will have no idea which IP belongs to which office in a few weeks. Not sustainable.
Each Security Group rule can have an optional description, up to 255 characters. So I suggest adding the office name as the description for each inbound IP address.
- I created another security group and added rules for HTTP/HTTPS for each new IP. [screenshot: Add IPs to inbound rule in new security group]
Adding security groups to other security groups doesn't provide the functionality you are trying to achieve. It only allows AWS resources with one security group assigned to them to access resources with the other security group assigned to them. It doesn't allow all inbound traffic allowed in one group to also be allowed in the other group.
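As an added illustration (this is not code from the answer above or from AWS; the office names, IP ranges and group IDs are made up for the example), the following Python builds the per-CIDR inbound rules with the office name as the rule description, in the IpPermissions shape that `aws ec2 authorize-security-group-ingress --ip-permissions` and boto3's `authorize_security_group_ingress` accept, and then models why the group-reference rule did not admit the second office: a security-group reference matches only traffic whose source ENI carries that group, while the instance's effective rule set is the union of the groups attached to the instance itself. Nothing here calls AWS.

```python
"""Per-office security-group rules with descriptions, plus a model of why a
security-group reference does not import the referenced group's CIDR rules.
Added example; office names, IPs and group IDs below are constructed."""
import ipaddress
import re

# Constructed sample data (assumptions, not taken from the post).
OFFICES = {
    "office-1-london": ["203.0.113.10/32", "203.0.113.11/32"],
    "office-2-berlin": ["198.51.100.5/32"],
}
WEB_PORTS = (80, 443)
# Rule descriptions: up to 255 characters from the set AWS allows.
DESC_RE = re.compile(r"^[A-Za-z0-9 ._\-:/()#,@\[\]+=&;{}!$*]{0,255}$")


def cidr_rules(offices, ports=WEB_PORTS):
    """Build the IpPermissions list for authorize_security_group_ingress.
    One IpRange per CIDR, carrying the office name as the rule Description,
    so each address stays attributable months later."""
    perms = []
    for port in ports:
        ranges = []
        for office, cidrs in offices.items():
            if not DESC_RE.match(office):
                raise ValueError(f"invalid description: {office!r}")
            for cidr in cidrs:
                ipaddress.ip_network(cidr)  # raises ValueError on a malformed CIDR
                ranges.append({"CidrIp": cidr, "Description": office})
        perms.append({"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                      "IpRanges": ranges})
    return perms


def sg_reference_rule(group_id, ports=WEB_PORTS):
    """A rule that references another security group. It matches traffic whose
    source ENI has group_id attached; it does NOT inherit group_id's IpRanges."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "UserIdGroupPairs": [{"GroupId": group_id}]} for p in ports]


def allowed(instance_groups, port, src_ip, src_group=None):
    """Model EC2 evaluation: the effective rule set is the union of every group
    attached to the instance; a CIDR rule matches on source IP, a group
    reference matches only on the group attached to the source's own ENI."""
    ip = ipaddress.ip_address(src_ip)
    for rules in instance_groups.values():
        for r in rules:
            if not (r["FromPort"] <= port <= r["ToPort"]):
                continue
            if any(ip in ipaddress.ip_network(x["CidrIp"]) for x in r.get("IpRanges", [])):
                return True
            if src_group and any(g["GroupId"] == src_group
                                 for g in r.get("UserIdGroupPairs", [])):
                return True
    return False


# Constructed (hypothetical) group IDs.
SG_ORIG, SG_NEW = "sg-0a1b2c3d4e5f60001", "sg-0a1b2c3d4e5f60002"

# The attempt from the question: the original group holds office-1 CIDRs plus a
# reference to SG_NEW, and only the original group is attached to the instance.
attempt = {SG_ORIG: cidr_rules({"office-1-london": OFFICES["office-1-london"]})
                    + sg_reference_rule(SG_NEW)}

# What does admit the new office: attach SG_NEW to the instance alongside the
# original group (union of rules), or keep one group with a described rule
# per office as the answer suggests.
working = {SG_ORIG: cidr_rules({"office-1-london": OFFICES["office-1-london"]}),
           SG_NEW: cidr_rules({"office-2-berlin": OFFICES["office-2-berlin"]})}

if __name__ == "__main__":
    # An office laptop on the internet has no ENI, hence no security group.
    print("office-2 via SG reference:", allowed(attempt, 443, "198.51.100.5"))  # False
    print("VPC host carrying SG_NEW:", allowed(attempt, 443, "10.0.1.7", SG_NEW))  # True
    print("office-2 with SG_NEW attached:", allowed(working, 443, "198.51.100.5"))  # True
```

`cidr_rules` is what you would pass as `IpPermissions=` to boto3 for the new office; the `allowed` model is only there to make the semantics of `UserIdGroupPairs` visible, it is not an AWS API.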