Source security group isn't working as expected in AWS

Views: 325

Question

I have an EC2 node, node1 (security group SG1), which should be accessible from another EC2 node, node2 (security group SG2), on port 9200. Now, when I add an inbound rule in SG1 with port 9200 and specify SG2 as the source in the Custom IP section, I can't access node1 from node2. On the other hand, if I specify an inbound rule in SG1 with the source as 0.0.0.0/0 or the IP of node2, it works fine. What is wrong in my approach?

Accepted answer

Are you attempting to connect to node1's public or private address? From the documentation (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html):

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. For example, incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group.

I've been burned on this before by trying to connect to an EC2 instance's public address... sounds very similar to your setup, actually. When you wire up the inbound rule so that the source is a security group, you must communicate through the source instance's private address.

Some things to note:

  • In EC2 Classic, private IP addresses can change on stop/start of an EC2 instance. If you're using EC2 Classic you may want to look into this discussion on Elastic DNS Names for a more static addressing solution.
  • If you set up your environment in VPC, private IP addresses are static. You can also change the security group membership of running instances.
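The following is an added example, not code from the original answer or from AWS: a small Python model of the rule-matching behaviour the quoted documentation describes. A rule whose source is a security group is satisfied only when the packet's source address is the private IP of an instance in that group, so a connection made to node1's public address (which arrives from node2's public address) is dropped, while the same connection over the private address succeeds. The instance names, group IDs and IP addresses below are constructed sample values; the assumption that traffic to a public address arrives from the sender's public IP is labelled in the code.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass
class Instance:
    name: str
    private_ip: str
    public_ip: str
    groups: Set[str]  # security group IDs the instance belongs to


@dataclass
class IngressRule:
    protocol: str
    port: int
    source_group: Optional[str] = None  # rule matches members of this group (by private IP)
    source_cidr: Optional[str] = None   # rule matches any address inside this range


def rule_matches(rule: IngressRule, src_addr: str, protocol: str,
                 port: int, fleet: List[Instance]) -> bool:
    """Evaluate one inbound rule against a packet's source address and destination port."""
    if rule.protocol != protocol or rule.port != port:
        return False
    if rule.source_cidr is not None:
        return ip_address(src_addr) in ip_network(rule.source_cidr)
    if rule.source_group is not None:
        # Per the documentation: group-based rules allow traffic based on the
        # PRIVATE IP addresses of the instances in the source group.
        member_private_ips = {i.private_ip for i in fleet if rule.source_group in i.groups}
        return src_addr in member_private_ips
    return False


def connection_allowed(dst_rules: List[IngressRule], src: Instance, dst: Instance,
                       via_public_address: bool, protocol: str, port: int,
                       fleet: List[Instance]) -> bool:
    """Decide whether src can reach dst:port, depending on which dst address is used.

    Assumption (constructed model): a connection to dst's public address leaves
    through the internet gateway and arrives carrying src's public IP, whereas a
    connection to dst's private address stays inside the VPC and keeps src's private IP.
    """
    src_addr = src.public_ip if via_public_address else src.private_ip
    return any(rule_matches(r, src_addr, protocol, port, fleet) for r in dst_rules)


# Constructed sample fleet mirroring the question: node1 in SG1, node2 in SG2.
NODE1 = Instance("node1", private_ip="10.0.0.10", public_ip="203.0.113.10", groups={"sg-1"})
NODE2 = Instance("node2", private_ip="10.0.0.20", public_ip="203.0.113.20", groups={"sg-2"})
FLEET = [NODE1, NODE2]

# The three SG1 rule variants from the question.
RULE_FROM_SG2 = [IngressRule("tcp", 9200, source_group="sg-2")]
RULE_FROM_ANYWHERE = [IngressRule("tcp", 9200, source_cidr="0.0.0.0/0")]
RULE_FROM_NODE2_PUBLIC_IP = [IngressRule("tcp", 9200, source_cidr="203.0.113.20/32")]


def scenario(rules: List[IngressRule], via_public_address: bool) -> bool:
    """node2 -> node1:9200/tcp under the given SG1 rules and chosen destination address."""
    return connection_allowed(rules, NODE2, NODE1, via_public_address, "tcp", 9200, FLEET)


if __name__ == "__main__":
    for label, rules in [("source=SG2", RULE_FROM_SG2),
                         ("source=0.0.0.0/0", RULE_FROM_ANYWHERE),
                         ("source=node2 public /32", RULE_FROM_NODE2_PUBLIC_IP)]:
        print(f"{label:26} via private address: {scenario(rules, False)}"
              f"   via public address: {scenario(rules, True)}")
```

Running the script reproduces the symptom in the question: with the group-based rule the private path is allowed and the public path is denied, while the 0.0.0.0/0 rule allows both and the /32 rule allows only the public path. The practical check is therefore to connect to node1's private address (or DNS name that resolves to it) whenever the inbound rule references a security group.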
