AWS Security Group
1. Introduction
A security group is a stateful virtual firewall attached to network interfaces (EC2 instances, ECS tasks, load balancers, ...). Its rules allow network connectivity by protocol, port and source/destination; there are no deny rules, and return traffic for an allowed connection is permitted automatically:
Inbound rules (who may reach the resource)
Outbound rules (what the resource may reach)
2. Reference
Security group rules
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules.html
3. Security group rules
Source or destination: The source (inbound rules) or destination (outbound rules) for the traffic to allow. Specify one of the following:
A single IPv4 address. You must use the /32 prefix length. For example, 203.0.113.1/32.
A single IPv6 address. You must use the /128 prefix length. For example, 2001:db8:1234:1a00::123/128.
A range of IPv4 addresses, in CIDR block notation. For example, 203.0.113.0/24.
A range of IPv6 addresses, in CIDR block notation. For example, 2001:db8:1234:1a00::/64.
The ID of a prefix list. For example, pl-1234abc1234abc123. For more information, see Prefix lists.
The ID of a security group (referred to here as the specified security group). For example, the current security group, a security group from the same VPC, or a security group for a peered VPC. This allows traffic based on the private IP addresses of the resources associated with the specified security group. This does not add rules from the specified security group to the current security group.
11. How-to
11.1. Access Security Groups
VPC > Security Groups
21. Use Case: Load Balancer > Target Group > ECS Service
E.g.: sixqueue
A Load Balancer (type Network) can have up to 5 Security Groups (the default quota per network interface); attaching at least 1 is recommended. Note that a Network Load Balancer's security groups must be associated when it is created: one created without any cannot have them added later.
If the LB has any SG, at least one of them needs an outbound rule allowing connections to the ECS Service container's port (the Target Group health check uses the same path unless it is configured on a separate port); otherwise the Target Group health check will fail.
The Target Group health check, together with the ECS Service's health check grace period (healthCheckGracePeriodSeconds), must give the ECS Service container enough time to start up.
Otherwise ECS marks the task unhealthy, kills it and restarts it indefinitely.
The ECS Service should have a Security Group with an ingress rule allowing connections from the Load Balancer (this also covers the Target Group health check).
The best way to achieve this is to reference the SG of the LB in the ingress rule (referenced_security_group_id in Terraform's aws_vpc_security_group_ingress_rule) rather than hard-coding IP addresses.
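The following Terraform configuration is an added example, not code from the page, the sixqueue project or the AWS docs. It wires the pieces above together: an LB security group whose only egress is to the service security group, a service security group whose ingress references the LB security group (a security-group source, as in section 3), a target group health check, and an ECS service with a health check grace period. The VPC, subnets, cluster and task definition are passed in as variables; the names, port 8080 and container name "app" are assumptions.

```hcl
# Added example (not from the page): NLB -> target group -> ECS service wiring.
# Assumptions: AWS provider v5, Fargate tasks in awsvpc mode listening on 8080,
# a container named "app" in the task definition, existing VPC/subnets/cluster.
variable "vpc_id"              { type = string }
variable "subnet_ids"          { type = list(string) }
variable "cluster_arn"         { type = string }
variable "task_definition_arn" { type = string }

# LB security group. Terraform drops AWS's default allow-all egress on a
# managed aws_security_group, so the egress to the service must be explicit.
resource "aws_security_group" "lb" {
  name   = "sixqueue-lb"
  vpc_id = var.vpc_id
}

resource "aws_vpc_security_group_ingress_rule" "lb_from_clients" {
  security_group_id = aws_security_group.lb.id
  cidr_ipv4         = "0.0.0.0/0" # assumption: public listener
  ip_protocol       = "tcp"
  from_port         = 443
  to_port           = 443
}

# Without this rule the LB cannot reach the tasks and the health check fails.
resource "aws_vpc_security_group_egress_rule" "lb_to_service" {
  security_group_id            = aws_security_group.lb.id
  referenced_security_group_id = aws_security_group.service.id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}

resource "aws_security_group" "service" {
  name   = "sixqueue-service"
  vpc_id = var.vpc_id
}

# Ingress keyed on the LB's security group, not on LB IP addresses.
resource "aws_vpc_security_group_ingress_rule" "service_from_lb" {
  security_group_id            = aws_security_group.service.id
  referenced_security_group_id = aws_security_group.lb.id
  ip_protocol                  = "tcp"
  from_port                    = 8080
  to_port                      = 8080
}

resource "aws_lb" "this" {
  name               = "sixqueue"
  load_balancer_type = "network"
  subnets            = var.subnet_ids
  security_groups    = [aws_security_group.lb.id] # must be set at creation for an NLB
}

resource "aws_lb_target_group" "service" {
  name        = "sixqueue"
  port        = 8080
  protocol    = "TCP"
  target_type = "ip" # awsvpc tasks register by IP, not instance ID
  vpc_id      = var.vpc_id

  health_check {
    protocol            = "TCP"
    port                = "traffic-port" # same port the LB SG egress rule allows
    interval            = 30
    healthy_threshold   = 3
    unhealthy_threshold = 3
  }
}

resource "aws_lb_listener" "tcp" {
  load_balancer_arn = aws_lb.this.arn
  port              = 443
  protocol          = "TCP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.service.arn
  }
}

resource "aws_ecs_service" "this" {
  name            = "sixqueue"
  cluster         = var.cluster_arn
  task_definition = var.task_definition_arn
  desired_count   = 2
  launch_type     = "FARGATE"
  # Time for the container to start before failing ELB health checks stop the task.
  health_check_grace_period_seconds = 120

  network_configuration {
    subnets         = var.subnet_ids
    security_groups = [aws_security_group.service.id]
  }

  load_balancer {
    target_group_arn = aws_lb_target_group.service.arn
    container_name   = "app" # assumption: must match the task definition
    container_port   = 8080
  }
}
```

The two security groups are declared without inline rules and connected only through separate rule resources, so the mutual reference (LB egress to service, service ingress from LB) does not create a dependency cycle. If the health check is moved to a port other than the traffic port, the LB egress rule and the service ingress rule both need that port added.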