I have two Elastic Beanstalk applications "a" and "b". Anyone should be able to talk to (a) over http, but only (a) should be able to talk to (b). I.e.
internet -> a -> b
Right now, everything works if both apps are fully open to the internet. But as soon as I try to restrict the security group for (b)'s ELB, (a) can't seem to connect anymore.
I.e., if I set (b)'s load balancer security group to allow http:0.0.0.0/0, everything works. But if I set that same security group to allow only http:[(a)'s security group], (a) can no longer communicate with (b).
Both apps are in the same VPC. What am I missing?
CodePudding user response:
This is because your second environment has an external load balancer. That means the traffic from environment A to environment B will exit the VPC and come back in, at which point the association with environment A's security group is lost.
You need to convert environment B to use an internal load balancer. The Elastic Beanstalk setting for that is:
Namespace: aws:ec2:vpc
Name: ELBScheme
Value: internal
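The setting from the answer, written out as an .ebextensions config for environment B, together with the security-group rule the question describes (HTTP only from A's security group instead of 0.0.0.0/0). This is an added example, not the answerer's code. It assumes the option is applied when environment B is created (the load balancer scheme is fixed at creation time), that B uses the classic load balancer that Elastic Beanstalk names AWSEBLoadBalancerSecurityGroup, and that the sg-/subnet- IDs are placeholders for your own A security group and private subnets.

```yaml
# .ebextensions/internal-lb.config for environment B (added example, not from the answer)
# Placeholders to replace:
#   sg-0aaaaaaaaaaaaaaaa                        -> security group on environment A's instances
#   subnet-0bbbbbbbbbbbbbbbb, subnet-0ccccccccc -> private subnets for B's load balancer
option_settings:
  aws:ec2:vpc:
    # The setting from the answer: keep B's load balancer inside the VPC so that
    # traffic from A never leaves and re-enters, and A's security group stays
    # attached to the connection the rule below is evaluated against.
    ELBScheme: internal
    # An internal load balancer belongs in subnets with no internet gateway route.
    ELBSubnets: subnet-0bbbbbbbbbbbbbbbb,subnet-0ccccccccc

Resources:
  # Ingress rule on B's load balancer security group: port 80 only from A's
  # security group. With an external ELB this rule silently matched nothing,
  # because the source of the traffic was a public IP, not an in-VPC group.
  AllowHttpFromEnvironmentA:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      GroupId: { "Ref": "AWSEBLoadBalancerSecurityGroup" }
      IpProtocol: tcp
      FromPort: 80
      ToPort: 80
      SourceSecurityGroupId: sg-0aaaaaaaaaaaaaaaa
```

After deployment, environment B's CNAME resolves only to private addresses, so A reaches it over the VPC and nothing on the internet can, which is the "internet -> a -> b" shape the question asks for. Remove any remaining 0.0.0.0/0 rule from B's load balancer security group; otherwise the group-to-group rule adds nothing.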