My understanding of AWS Security Groups is that they are essentially a whitelist.
Everything is blocked unless explicitly allowed.
Let’s say hypothetically that I have some EC2 instances set up with autoscaling.
In the context of autoscaling, I won’t necessarily know what those future IPs will be.
Say I have a set of EC2 instances that are used for databases like MySQL or MongoDB.
I want to only allow my application servers to be able to access my database servers.
Is there a way to create a tag for an EC2 instance and per the security group, allow any EC2 instance with a certain tag?
How is this usually done in the real world?
Thanks in advance
Looks like you can use security groups as classifiers and use the security group ‘id’ for the ‘Source’ field.
For example:
Say you had a cluster of web servers that belong to a ‘web’ security group (sg-12345).
Say you had a cluster of database servers that belong to a ‘db’ security group (sg-23456).
You can have the ‘db’ security group allow port 3306 to sg-12345, and as long as new instances are brought up in the ‘web’ security group, they’ll have access to ‘db’ on port 3306.
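The pattern from the answer above, written out as Terraform. This is an added example, not code from the original post; the group names, the `vpc_id` and `ami_id` variables and the instance type are assumptions, and the launch template stands in for whatever the autoscaling group launches.

```hcl
# Added example (Terraform), not from the original post.
# Assumptions: the caller supplies a VPC id and an AMI id; group names are illustrative.
variable "vpc_id" { type = string }
variable "ami_id" { type = string }

resource "aws_security_group" "web" {
  name        = "web"
  description = "Application servers"
  vpc_id      = var.vpc_id
}

resource "aws_security_group" "db" {
  name        = "db"
  description = "Database servers"
  vpc_id      = var.vpc_id
}

# Ingress on the db group. The source is the web group's id, not a CIDR,
# so any instance launched into "web" (including ones the autoscaling group
# adds later) can reach 3306, and nothing else in the VPC can.
resource "aws_security_group_rule" "db_from_web_mysql" {
  type                     = "ingress"
  security_group_id        = aws_security_group.db.id
  source_security_group_id = aws_security_group.web.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  description              = "MySQL from the application tier only"
}

# Matching egress on the web group. Terraform's aws_security_group resource
# removes the AWS default allow-all egress rule, so grant only what the tier
# actually needs (for egress, source_security_group_id is the destination group).
resource "aws_security_group_rule" "web_to_db_mysql" {
  type                     = "egress"
  security_group_id        = aws_security_group.web.id
  source_security_group_id = aws_security_group.db.id
  from_port                = 3306
  to_port                  = 3306
  protocol                 = "tcp"
  description              = "MySQL to the database tier"
}

# Launch template for the autoscaled application tier. Membership in "web"
# is what grants database access, so no per-IP rule is needed for new instances.
resource "aws_launch_template" "web" {
  name_prefix            = "web-"
  image_id               = var.ami_id
  instance_type          = "t3.micro"
  vpc_security_group_ids = [aws_security_group.web.id]
}
```

Two things to check when this does not behave as expected: a security-group source matches only traffic arriving from the private IP of an instance that is a member of that group, so if the application connects to the database by its public address the rule will not match; and the referenced group must be in the same VPC (or a peered VPC), since the group id alone is what the rule evaluates.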