Context: I created a MongoDB server in an EC2 instance, but I want to "lock" the IP connections so that only the ECS cluster can connect to it. But I don't know, and I didn't find it either, which IP I should put in the EC2 Security Group to allow inbound network.
The current inbound network is 0.0.0.0, but that is kind of bad practice. I don't know if I should put the IP of the VPC or the IP of the SG. Must the EC2 be in the same VPC, VPN, SG, ELB as the ECS? How does it work? Thanks.
I tried to put the IP of the SG, but it says that I can't because they are not "in the same network". I searched about it, but I don't know what exactly it means.
CodePudding user response:
You should use security groups, not IP addresses; that way, if you change machines in your cluster, access will still be permitted.
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html
I typically do this with security group references rather than IPs. Make sure each resource (ECS) is assigned a security group that isn't used for anything else, i.e. not the default SG. Default works, but it's not good practice and it's more difficult to keep track of.
You need to put in matching security group rules to allow traffic out from ECS to the EC2, and into the EC2 from ECS:
- ECS SG: allow outbound connectivity to the EC2 SG on the required port.
- EC2 SG: allow inbound connectivity from the ECS SG on the required port.
Since security groups are stateful you don't need to allow incoming into ECS or outgoing from EC2.
If for some reason you need to do this with IPs, make sure you use private IPs rather than public. In AWS, public IPs are only translated in the internet gateway; they're not used within the VPC.
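The two matching rules described in the answer, written out as an added Terraform example (not code from the answer or from AWS); both groups must be created in the same VPC, which is what the "not in the same network" error in the question refers to, since a security group can only reference a group in its own (or a peered) VPC. Assumed values: `var.vpc_id` and port 27017 (MongoDB's default); substitute your own.

```terraform
# Added example: two dedicated security groups that reference each other.
# Assumed: var.vpc_id and port 27017 (MongoDB default). Adjust to your setup.

variable "vpc_id" {
  type = string
}

# Dedicated SG for the ECS tasks (not the default SG).
resource "aws_security_group" "ecs" {
  name        = "ecs-app"
  description = "ECS tasks that need to reach MongoDB"
  vpc_id      = var.vpc_id
}

# Dedicated SG for the EC2 instance running MongoDB.
resource "aws_security_group" "mongo" {
  name        = "mongodb"
  description = "MongoDB on EC2, reachable only from the ECS SG"
  vpc_id      = var.vpc_id
}

# EC2 SG: inbound 27017 from the ECS SG only. This is the rule that
# replaces the wide-open 0.0.0.0/0 inbound rule from the question.
resource "aws_security_group_rule" "mongo_in_from_ecs" {
  type                     = "ingress"
  from_port                = 27017
  to_port                  = 27017
  protocol                 = "tcp"
  security_group_id        = aws_security_group.mongo.id
  source_security_group_id = aws_security_group.ecs.id
}

# ECS SG: outbound 27017 to the EC2 SG only. Terraform removes the default
# allow-all egress from an aws_security_group that declares no egress, so
# this rule is required for the tasks to open the connection at all.
# For an egress rule, source_security_group_id names the destination SG.
resource "aws_security_group_rule" "ecs_out_to_mongo" {
  type                     = "egress"
  from_port                = 27017
  to_port                  = 27017
  protocol                 = "tcp"
  security_group_id        = aws_security_group.ecs.id
  source_security_group_id = aws_security_group.mongo.id
}
```

No return-traffic rules are declared, matching the answer's point that security groups are stateful; note that the `mongo` group has no egress rule at all here, so add one if the instance itself needs outbound access (package updates, backups).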