How do I add a nested security group to another security Group and have it work with an Application loads balancer?

1.1k views Asked by At

I have an ALB with a SG (ALB_SG) that I want to give access only to a list of IP's already defined in another SG (Whitelist_SG) in the same VPC.

I have created 2 (relevant) ingress rules for the ALB_SG.

  1. 443 ingress from Whitelist_SG
  2. 80 ingress from Whitelist_SG

In the Whitelist_SG I have a list of ingresses from relevant CIDR blocks that allow all ports.

When I access the ALB I am timing out (sign of bad SG). If I add the Whitelist_SG directly to the ALB it works.

What am I missing to make the nested rules work?

As an aside I know that when I add the Whitelist_SG to a EC2 instance via a nested rule I also have to add it to the instances Network adapter. I am assuming its something like that here.

1

There are 1 answers

1
Mark B On BEST ANSWER

AWS security groups don't work in the way you are trying to use them. There is no concept of "nesting" or "chaining" security groups like you are attempting.

The ability to reference one security group from another security group only works to allow members of one security group to access the members of the other security group. Security group membership only applies to resources like EC2 instances, Lambda functions, etc., that are running within your VPC (or a peered VPC).

For example, adding your laptop's IP address to security group A just gives your laptop access to anything security group A is directly attached to. It does not make your laptop a "member" of security group A.