What format to use when entering an IP address into an EC2 Security Group rule?

Alagesan Palani · Oct 9, 2016 · Viewed 9.8k times

I am trying to configure a secure SSH connection from a bastion host (located in a public subnet) to private Linux instances (located in a private subnet) in the same VPC.

When I add a security group rule for my private linux instance, initially it shows the rule as:

[screenshots of the security group rule editor, not available]

Please note that before adding the IP address of the bastion host, the watermark shows "CIDR, IP or Security Group", but when I add the IP address of the bastion host, it throws an error:

The source needs to be a CIDR block or a Security Group ID.

Why is it not allowing me to enter the IP address of the bastion host here?

Answer

John Rotenstein · Oct 9, 2016

It appears that your situation is:

  • You have an EC2 instance ("Bastion instance") in a public subnet, and you are able to SSH to it
  • You have an EC2 instance ("private instance") in a private subnet
  • You are configuring the Security Group associated with the private instance to permit SSH access only from the Bastion instance

I note that you are entering a Public IP address (52.63.198.234) in the Security Group. You should actually enter the Private IP address of the Bastion instance. This way, the traffic between the instances flows wholly within the VPC rather than leaving the VPC (to access the public IP address) and then coming back in again.

Actually, the recommended way to configure this setup is:

  • Create a security group for your Bastion instance ("Bastion-SG")
  • Create a security group for your private instance(s) ("Private-SG")
  • Configure the Private-SG to permit inbound SSH traffic from Bastion-SG

By referring to the name of a security group, traffic will automatically be permitted from any EC2 instance that is associated with the named security group (in this case, any instance that is associated with the Bastion-SG). This means that instances can be added/replaced and traffic will still be permitted based upon the associated security group, rather than having to update specific IP addresses.

So, to answer your question... Yes, there are three ways to refer to the source. From the EC2 documentation Security Group Rules:

  • An individual IP address, in CIDR notation. Be sure to use the /32 prefix after the IP address; if you use the /0 prefix after the IP address, this opens the port to everyone. For example, specify the IP address 203.0.113.1 as 203.0.113.1/32.
  • An IP address range, in CIDR notation (for example, 203.0.113.0/24).
  • The name (EC2-Classic) or ID (EC2-Classic or EC2-VPC) of a security group.

So, the IP address actually has to use CIDR notation, with /32 at the end. If you think that this doesn't quite match the hint of "IP" (and I'd tend to agree with you), feel free to hit the Feedback button in the console and provide your feedback to the EC2 Console team.
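The validation rule the console applies, plus the two points the answer makes about it (a single host needs /32, a /0 prefix opens the port to everyone, and a public IP for intra-VPC traffic is the wrong choice), as an added checker that is not part of the thread; the security group ID pattern and the sample inputs are assumptions constructed for this example.

```python
import ipaddress
import re

# Security group IDs are "sg-" followed by 8 or 17 hex digits (assumed; not from the thread).
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8}(?:[0-9a-f]{9})?$")

# Findings the checker can attach to a source value.
BARE_IP = "bare-ip-rewritten-to-/32"
OPEN_TO_EVERYONE = "/0-prefix-opens-port-to-everyone"
PUBLIC_HOST = "public-ip-used-for-intra-vpc-traffic"
HOST_BITS = "host-bits-cleared-to-network-address"
REJECT = "The source needs to be a CIDR block or a Security Group ID."


def normalize_source(source):
    """Accept what the EC2 console accepts (a CIDR block or a security group ID),
    return {"kind", "value", "notes"}, and raise ValueError for anything else."""
    source = source.strip()
    if SG_ID_RE.match(source):
        return {"kind": "security-group", "value": source, "notes": []}

    notes = []
    if "/" not in source:
        # A bare IP is exactly what the console rejects: write a single host as /32.
        try:
            host = ipaddress.ip_address(source)
        except ValueError:
            raise ValueError(REJECT) from None
        source = f"{host}/{host.max_prefixlen}"
        notes.append(BARE_IP)
    try:
        net = ipaddress.ip_network(source, strict=False)
    except ValueError:
        raise ValueError(REJECT) from None
    if str(net) != source:
        notes.append(HOST_BITS)  # e.g. 10.0.1.5/24 becomes 10.0.1.0/24
    if net.prefixlen == 0:
        notes.append(OPEN_TO_EVERYONE)
    elif net.prefixlen == net.max_prefixlen and net.network_address.is_global:
        # A public /32 for the bastion sends traffic out of the VPC and back in;
        # use its private IP, or better, reference its security group.
        notes.append(PUBLIC_HOST)
    return {"kind": "cidr", "value": str(net), "notes": notes}


def review_rule_sources(sources):
    """Check a list of candidate sources; rejected ones map to None."""
    results = {}
    for s in sources:
        try:
            results[s] = normalize_source(s)
        except ValueError:
            results[s] = None
    return results
```

Running `review_rule_sources(["52.63.198.234", "10.0.1.5", "0.0.0.0/0", "sg-0123456789abcdef0", "bastion"])` flags the public address from the question, rewrites both bare IPs to /32, warns on /0, accepts the group ID and rejects the plain name.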