Create AWS EC2 security group open only to internal VPC instances and a single external service

Question

I have a single Elastic Beanstalk instance which functions as the Admin dashboard rendering HTML templates and data fed from the database. This and the database are within a specific VPC.

Also within the VPC i have another single instance Elastic Beanstalk application which functions as a web socket client saving data from an external service into the database. Those are the ingestion feeds in the diagram below.

The Ingestion feeds have HTTP Rest endpoints i can hit from the admin dashboard which start/stop the ingestion feeds.

The problem i'm having is how to close off the Ingestion Feeds from outside of the VPC. I'd like it to only connect from the Admin Dashboard Elastic Beanstalk apps.

But i also want them to be able to connect to the external service via web sockets.

Answer 1

This should meet your requirements:

Admin Dashboard server: Security Group A

• Inbound rule allowing traffic on whatever port(s) your dashboard is served on, probably port 80 and/or 443.
• Default outbound rules

Ingestion Feeds server: Security Group B

• No inbound rules (see note below)
• Default outbound rules

Database server: Security Group C

• Inbound rule to allow instances belonging to Security Group A access to the database port
• Inbound rule to allow instances belonging to Security Group B access to the database port
• Default outbound rules

Note:

From the documentation:

Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

This should allow your Ingestion Feeds service to create a connection with the External Service and receive responses on that connection without any Inbound Rules assigned to the Ingestion Feeds instance.