Security Group Chaining
💡 Definition
Security Group Chaining is a security practice where you configure a Security Group's inbound rule to accept traffic only from resources associated with another specific Security Group (referenced by its Group ID), rather than from a range of IP addresses (a CIDR block).
🔑 Key Concepts
- Reference by ID: Instead of entering a CIDR block (like 10.0.0.0/16) in the source field, you select the Group ID of another Security Group (e.g., sg-12345). The referenced group must be in the same VPC (or a peered VPC), and the rule matches the private IP addresses of the resources associated with it, so traffic must arrive via those private IPs, not via a public IP.
- Dynamic: It automatically allows traffic from any resource associated with the source Security Group, regardless of its IP address. If the IP of the source resource changes (e.g., an Auto Scaling instance is replaced), the rule still works without any edits.
- Tiered Security: Essential for multi-tier architectures (Web Tier -> App Tier -> DB Tier).
⚙️ How it Works
- ALB SG: Create a Security Group for your Load Balancer allowing inbound HTTP (TCP 80) from 0.0.0.0/0.
- Web SG: Create a Security Group for your Web Servers. Add an inbound rule allowing HTTP (TCP 80) with the source set to the ALB SG's Group ID instead of a CIDR.
- Result: Your Web Servers will only accept traffic on that port that has passed through the Load Balancer. They are unreachable from the internet on that port even if they have public IP addresses, because no rule in the Web SG allows a CIDR source. Check that nobody later adds a CIDR rule (such as 0.0.0.0/0 on port 80) alongside the chained rule; a single such rule reopens the bypass.
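The procedure above, and the tiered Web -> App -> DB chaining described under Key Concepts, in working form as an added example (not code from this page or from AWS). It builds the `IpPermissions` payload that boto3's `ec2.authorize_security_group_ingress` and `aws ec2 authorize-security-group-ingress --ip-permissions` accept for a rule whose source is another Security Group, generates the rules for a whole ALB -> Web -> App -> DB chain, and audits a `describe-security-groups` style result for inbound rules that would let traffic bypass the chain. The function names, the `sg-...` IDs and the sample group descriptions are assumptions constructed for the example; it runs offline and makes no AWS calls.

```python
"""Security Group Chaining helpers (added example; assumed names, constructed data).

chained_ingress_rule  -> the IpPermissions entry for a group-to-group inbound rule
tier_chain_rules      -> rules for an ordered chain of tiers (each tier only from the previous)
find_bypass_sources   -> audit: inbound sources on a port that are NOT the allowed upstream SG
"""
from typing import Dict, Iterable, List


def chained_ingress_rule(source_sg_id: str, port: int, protocol: str = "tcp") -> Dict:
    """One IpPermissions entry whose source is a Security Group ID (UserIdGroupPairs),
    not a CIDR (IpRanges). This is the exact shape boto3 / the AWS CLI expect."""
    if not source_sg_id.startswith("sg-"):
        raise ValueError(f"source must be a security group ID, got {source_sg_id!r}")
    return {
        "IpProtocol": protocol,
        "FromPort": port,
        "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": source_sg_id}],
    }


def tier_chain_rules(tiers: List[Dict]) -> Dict[str, List[Dict]]:
    """tiers is in traffic order, each {"sg": <group id>, "port": <listening port>}.
    Returns the inbound rules each tier's group needs: tier N accepts its own port
    only from tier N-1's group. The first tier (the ALB) gets nothing here; its
    internet-facing CIDR rule is added separately (see ALB_INTERNET_RULE)."""
    rules: Dict[str, List[Dict]] = {t["sg"]: [] for t in tiers}
    for upstream, downstream in zip(tiers, tiers[1:]):
        rules[downstream["sg"]].append(chained_ingress_rule(upstream["sg"], downstream["port"]))
    return rules


def find_bypass_sources(sg: Dict, port: int, allowed_source_sgs: Iterable[str]) -> List[str]:
    """Every inbound source on `sg` that can reach `port` and is not one of the
    allowed upstream groups. An empty list means the chain is intact for that port."""
    allowed = set(allowed_source_sgs)
    findings: List[str] = []
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        # "-1" means all traffic (no ports in the API output); missing ports mean the
        # whole protocol; otherwise the rule only matters if its range covers `port`.
        if proto != "-1" and lo is not None and hi is not None and not (lo <= port <= hi):
            continue
        findings += [f"cidr {r['CidrIp']}" for r in perm.get("IpRanges", [])]
        findings += [f"cidr {r['CidrIpv6']}" for r in perm.get("Ipv6Ranges", [])]
        findings += [f"prefix-list {r['PrefixListId']}" for r in perm.get("PrefixListIds", [])]
        findings += [f"sg {p.get('GroupId')}" for p in perm.get("UserIdGroupPairs", [])
                     if p.get("GroupId") not in allowed]
    return findings


# Placeholder group IDs (constructed; not real groups).
ALB_SG_ID = "sg-0a1b2c3d4e5f60001"
WEB_SG_ID = "sg-0a1b2c3d4e5f60002"
APP_SG_ID = "sg-0a1b2c3d4e5f60003"
DB_SG_ID = "sg-0a1b2c3d4e5f60004"
BASTION_SG_ID = "sg-0a1b2c3d4e5f60005"

# The one CIDR rule in the design: the ALB listens to the internet on 80.
ALB_INTERNET_RULE = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}

THREE_TIER = [{"sg": ALB_SG_ID, "port": 80}, {"sg": WEB_SG_ID, "port": 80},
              {"sg": APP_SG_ID, "port": 8080}, {"sg": DB_SG_ID, "port": 3306}]

# Constructed samples shaped like `aws ec2 describe-security-groups` output for the Web SG.
SAMPLE_WEB_SGS = {
    "chained": {"GroupId": WEB_SG_ID, "IpPermissions": [chained_ingress_rule(ALB_SG_ID, 80)]},
    # Someone "fixed" a health check by opening port 80 to the world next to the chained rule.
    "bypass": {"GroupId": WEB_SG_ID, "IpPermissions": [
        chained_ingress_rule(ALB_SG_ID, 80), ALB_INTERNET_RULE]},
    # All-traffic rule from the VPC CIDR: no ports in the API output, still reaches port 80.
    "all-traffic": {"GroupId": WEB_SG_ID, "IpPermissions": [
        chained_ingress_rule(ALB_SG_ID, 80),
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/16"}]}]},
    # SSH from a bastion group: fine for port 80, but a different source for port 22.
    "ssh-from-bastion": {"GroupId": WEB_SG_ID, "IpPermissions": [
        chained_ingress_rule(ALB_SG_ID, 80), chained_ingress_rule(BASTION_SG_ID, 22)]},
}

if __name__ == "__main__":
    for sg_id, rules in tier_chain_rules(THREE_TIER).items():
        print(sg_id, rules)
    for name, sg in SAMPLE_WEB_SGS.items():
        print(f"{name:17s} port 80 bypass sources: {find_bypass_sources(sg, 80, [ALB_SG_ID])}")
```

To apply a generated rule for real you would pass it as `IpPermissions=[rule]` to `ec2.authorize_security_group_ingress(GroupId=...)`; the audit function is meant to run over the live `describe_security_groups` output on a schedule so a CIDR rule added by hand next to the chained one is caught.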
🎯 Use Cases
- Load Balancing: Ensuring users cannot bypass the Load Balancer to hit instances directly.
- Database Access: Allowing only the App Server tier to access the Database tier.
💰 Pricing Model
- Free feature of Security Groups.
📝 Exam Tips (CLF-C02)
- "Best Practice" for securing multi-tier applications.
- Look for scenarios where you need to allow traffic from another AWS resource (like a Load Balancer) specifically.
- Eliminates the need to manage lists of internal IP addresses; the rule follows the resources in the referenced group as they are added, replaced or scaled.
See Also: * Security Group * Load Balancer