AWS internal communication between 2 EC2 servers

0

Our infrastructure is in AWS. We use AWS Security Groups to define inbound/outbound traffic rules. Our servers are IP-restricted, as in only traffic from one particular IP is allowed as per the Security Group rule.

Say we have 2 EC2 apps that serve web traffic. And, as per the Security Group rule, only traffic from that one IP is allowed to these servers on ports 80 and 443.

We now need for these apps to communicate with each other, i.e. send each other HTTP requests. We want the 2 apps to communicate with each other internally because they belong to the same Public Subnet and VPC. If the communication is not internal, traffic from one app would reach the other app via the internet, and this would not be allowed by the existing Security Group rules.

Is trying to keep the communication internal between the 2 apps the standard way? I need some guidance on how to best implement this idea.

2 Answers
1

As the EC2 instances belong to the same subnet, they can communicate internally using private IPs. If you are using the same Security Group for both EC2 instances, you don't need to do anything. For the ALB security group, allow all communication from the EC2 security group, and likewise for the EC2 security group, allow communication from the ALB security group.

AWS
Rishi
answered 2 months ago
  • @rishisra For the ALB, I should not reference the private IPs because they are likely to change, is that right? So, how do I reference the ALB from the other app so that EC2 <-> ALB communication is internal? If I use the DNS name of the ALB, then that routes via the internet.

  • @prasvin Sorry, I was not clear: there is no point in accessing the ALB through private IPs. Is it possible to use an internal ALB for private communication?

  • @rishisra I used an internal ALB for private communication. Thanks for the help.

0

Since the two EC2 instances are on the same subnet and in the same VPC, they can communicate using their private IPs without routing via the Internet. If you are using the same Security Group for both EC2 instances, you will need to add an Inbound rule in the security group that references the same security group as Source for the required port (by default there is a rule for All/All Outbound; if not, a corresponding Outbound rule is required). If you are using two different Security Groups for the two EC2 instances, you need to add appropriate Inbound/Outbound rules that reference each other for the desired port.

AWS
dsp
answered 2 months ago
  • @dspaws Thanks for your answer. I was trying this out earlier and did more or less the same as suggested. However, when I added an application load balancer (ALB) to one of the apps, it got a bit more complex. The private IPs would work for standalone servers. However, for an ALB, the internal IP of the network interfaces could change, because as the load balancer scales instances up and down, it is not guaranteed to get the same IPs.

  • You can use the ALB's FQDN URL to communicate, and even though it resolves to the public IP, the traffic will remain on AWS's private network as both the source and destination instance/service are hosted on AWS:

    See the answer to the question below in this FAQ: https://aws.amazon.com/vpc/faqs/

    Q. Does traffic go over the internet when two instances communicate using public IP addresses, or when instances communicate with a public AWS service endpoint?
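To make the security-group logic in dsp's answer concrete, here is an added Python model (not code from AWS or from anyone in this thread) of how inbound rules are evaluated: a CIDR source is matched against the sender's address, while a security-group source is matched against the sender's group membership, which is why it keeps working when ALB node IPs change. The group names, ports and IP addresses are constructed sample values.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
# Sample groups, IPs and hosts below are constructed, not real values.
@dataclass
class Rule:
    port: int
    cidr: str = ""       # CIDR source, e.g. "203.0.113.10/32"
    source_sg: str = ""  # security-group source, e.g. "sg-app"

@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)

@dataclass
class Instance:
    private_ip: str   # may change when an ALB scales its nodes
    groups: list      # security groups attached to the ENI

def allows(dest: SecurityGroup, src: Instance, port: int) -> bool:
    """A CIDR rule matches the sender's address; an SG-reference rule matches
    the sender's group membership, whatever address it currently has."""
    for rule in dest.inbound:
        if rule.port != port:
            continue
        if rule.cidr and ip_address(src.private_ip) in ip_network(rule.cidr):
            return True
        if rule.source_sg and rule.source_sg in src.groups:
            return True
    return False

# Both apps share sg-app; only one office IP (constructed) is allowed on 443.
SG_APP = SecurityGroup("sg-app", [Rule(443, cidr="203.0.113.10/32")])
APP_B = Instance("10.0.1.20", ["sg-app"])

def before_fix() -> bool:
    # app B calls app A over the private subnet: no rule matches 10.0.1.20
    return allows(SG_APP, APP_B, 443)

def after_fix() -> bool:
    # dsp's fix: an inbound rule whose source is the same security group
    fixed = SecurityGroup("sg-app", SG_APP.inbound + [Rule(443, source_sg="sg-app")])
    return allows(fixed, APP_B, 443)

def alb_after_scale() -> bool:
    # Internal ALB in sg-alb: its node IP changed on scale-out, yet the
    # SG reference on sg-app still matches, so no private IP is pinned.
    sg_app = SecurityGroup("sg-app", [Rule(80, source_sg="sg-alb")])
    return allows(sg_app, Instance("10.0.1.77", ["sg-alb"]), 80)
```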
