What is the preferred way to configure Amazon Security Groups to achieve a multi-tier architecture?
Each of my instances has its own Security Group, which I only want to use for rules specific to an instance. I'd like to keep any rules which apply to multiple instances in a separate Security Group, which can then be assigned to instance Security Groups as necessary.
As an example, I've set up a group called "admin", which allows administrative access from my IP. I added the "admin" group as the source to each of my instance security groups. However, I still can't access the instances from my IP without adding the rules directly to the instance's group.
Am I missing something? Although it seems a multi-tier security architecture should be possible, it doesn't seem to be working.
I have it set up as:
Everything is assigned ssh, and then each server gets what is required to do its job. So one server has ssh, application and db, so 1521, 42000-42300 & 22 are all opened.
Seems to work pretty well.
You can try adding the admin group to the instance-specific security groups. The section in the rules for a source IP address allows you to use the name of your other security groups. This is how you can get systems in different security groups to communicate as well.
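As an added illustration (not code from the thread or from AWS), the following small Python model shows what a security-group rule whose source is another security group actually matches when EC2 evaluates it: traffic that originates from a network interface that is a member of the referenced group, regardless of any IP address. It also shows the other way to share rules across instances, which is that an instance can be a member of several security groups at once and their rules are unioned. Group names, instance names and the addresses (203.0.113.10 is a documentation range) are constructed for the example.

```python
"""Toy model of EC2 security-group evaluation (added example, not AWS code).
It reproduces two documented behaviours: a source that is a group reference
matches only traffic from members of that group, and an instance's effective
rule set is the union of all groups attached to it.  All names/addresses here
are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr: Optional[str] = None          # source given as an IP range ...
    source_group: Optional[str] = None  # ... or as another security group


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: Set[str]   # every group attached to the instance's interface


def rule_matches(rule: Rule, protocol: str, port: int,
                 src_ip: str, src_groups: Set[str]) -> bool:
    if rule.protocol != protocol or not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.cidr is not None:
        return ip_address(src_ip) in ip_network(rule.cidr)
    # A group reference is matched on the *origin's group membership*, never
    # on its address, so an external admin IP can never satisfy it.
    return rule.source_group in src_groups


def is_allowed(groups: Dict[str, List[Rule]], dest: Instance, protocol: str,
               port: int, src_ip: str, src_groups: Set[str] = frozenset()) -> bool:
    """Security groups are allow-lists: one matching inbound rule on any group
    attached to the destination permits the flow; otherwise it is dropped."""
    for g in dest.groups:
        for rule in groups.get(g, ()):
            if rule_matches(rule, protocol, port, src_ip, src_groups):
                return True
    return False


# Constructed groups: "admin" holds the administrator's IP, "web" references
# "admin" as a source (the setup described in the question), and "db" only
# accepts the Oracle listener port from members of "web".
ADMIN_IP = "203.0.113.10"
GROUPS = {
    "admin": [Rule("tcp", 22, 22, cidr=ADMIN_IP + "/32")],
    "web":   [Rule("tcp", 443, 443, cidr="0.0.0.0/0"),
              Rule("tcp", 22, 22, source_group="admin")],
    "db":    [Rule("tcp", 1521, 1521, source_group="web")],
}
WEB = Instance("web-1", "10.0.1.10", {"web"})
DB = Instance("db-1", "10.0.2.10", {"db"})
BASTION = Instance("bastion", "10.0.0.5", {"admin"})
# The other sharing model: attach the shared "admin" group to the instance.
WEB_WITH_ADMIN = Instance("web-1", "10.0.1.10", {"web", "admin"})


def demo() -> Tuple[bool, bool, bool, bool, bool]:
    # 1. Admin workstation -> web:22 with "admin" only *referenced* by "web".
    #    The group reference does not match an external IP, so it is dropped.
    admin_ip_to_web = is_allowed(GROUPS, WEB, "tcp", 22, ADMIN_IP)
    # 2. Bastion (member of "admin") -> web:22 matches the group reference.
    bastion_to_web = is_allowed(GROUPS, WEB, "tcp", 22, BASTION.private_ip, BASTION.groups)
    # 3. web -> db:1521: tier-to-tier access through a group reference.
    web_to_db = is_allowed(GROUPS, DB, "tcp", 1521, WEB.private_ip, WEB.groups)
    # 4. Admin workstation straight to db:1521 has no matching rule.
    admin_ip_to_db = is_allowed(GROUPS, DB, "tcp", 1521, ADMIN_IP)
    # 5. Same admin workstation -> web:22 once "admin" is *attached* to web-1.
    admin_ip_to_web_attached = is_allowed(GROUPS, WEB_WITH_ADMIN, "tcp", 22, ADMIN_IP)
    return (admin_ip_to_web, bastion_to_web, web_to_db,
            admin_ip_to_db, admin_ip_to_web_attached)


if __name__ == "__main__":
    print(demo())  # (False, True, True, False, True)
```

Reading the five results side by side shows the two distinct mechanisms: a group reference in a rule's source field is the right tool for tier-to-tier traffic between instances (web to db), while rules that should apply to a set of instances from outside, such as an administrator's IP, have to live in a group that is attached to each of those instances.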