How to allow interaction between EC2-instances in the same firewall-group

Situation

Let's take the following design:

App servers      DB servers
- Server A       - Server X
- Server B       - Server Y
- Server C       - Server Z

Every app server is in both the app-server-group and the db-server-group. Every db server is only in the db-server-group.

Though I assumed servers in the same firewall group would be able to connect to each other, it turned out they don't :p.

Requirities

• Server A, B and C should be able to connect to X, Y, Z
• Server X, Y and Z shouldn't be accessible at all from outside the db-server-group.
• Server A, B and C should be accessible (at port 80) from outside the app-server-group.
• Server A, B, C, X, Y and / or Z should never be hardcoded. So I don't want any exception [A, B, C, X, Y, Z]-firewall rules. Thi开发者_如何学Cs is because it needs to be fault-tolerant and auto scalable. It could happen that A goes down, and an identical instance D (with a new IP) goes up, it should be able to connect to X, Y, Z instantly, without changing firewall-rules. So no IP-aliases (elastic IPs) either ...
• As long as IPs aren't hardcoded, I'ld be able to use IP-tables for this.
• Using authentication (by user/pass) for X, Y and Z are no option. The underlying database doesn't provide this.

Question

How can I make this work =)?

you are right, all servers assigned to the db-server-group should be able to access the ports that are open on all servers in the db-server-group SG. Are you sure you opened the right ports? Are you sure that you don't have the firewall on the boxes themselves blocking you (i.e. Windows Firewall if you're running windows).

From your requirements, it doesn't sound like you want to have your App servers in the Db servers security group. You can just open ports on the db-server-security group to the app-server-group. The source for that rule would be something like sg-xxxxxxxx not an IP address. You would find that sg-xxxxxxx value on the details tab of the app-server-group in the AWS management console called the "group id". If you're running MS sql server, you need to allow tcp traffic on 1433. As you want, no IP addresses or other authentication would be involved in allowing the traffic through.

you would then have port 80 on the app-server-group open to source 0.0.0.0.