What is the purpose of a self-referencing security group?

Question

I'm working with some Terraform code which uses `self = true` in numerous Security Groups. I've asked my co-worker what the purpose of it is and they were not very certain. Only that it was there so the load balancer would work correctly.

I looked over the terraform documentation and it does not explain anything in detail:
`self - (Optional) If true, the security group itself will be added as a source to this ingress rule.` (https://registry.terraform.io/providers/rgeraskin/aws3/latest/docs/resources/security_group)

I have found some other information, in the context of EC2, which mentions this makes it possible for multiple EC2 instances to communicate with each other by applying the same SG to all instances.

What does this do and in what circumstances require it?

Accepted Answer

When you create an inbound security group rule you need to specify where the originating traffic is allowed is from. This could be an IP address, subnet, CIDR block, prefix list, or a security group. When you specify self = true, you are saying the originating traffic must come from some resource with that same security group applied. For example, an EC2 instance with that security group assigned would be able to reach another EC2 instance with that same security group.

https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html#security-group-referencing

What is the purpose of a self-referencing security group?

Relevanter Inhalt