Question

I have created an EC2 node: *node1 is security group SG1*
As in documents, it must be accessible from another EC2 node i.e., node2 (security group SG2) on port 9200.
Problem is: Whenever I try to add an inbound rule in SG1 using port 9200 & using SG2 as a source into the Custom IP section, I am not able to access node1 from node2.
Apart from that, if I am trying to specify an inbound rule in SG1 with source as 0.0.0.0/0 or IP of node2, it works fine.

Is there something wrong with my process ? or is it a universal problem?

Comments

Hey @Cloud gunner,

how did you solve this?

---

Hi@Naltlk,

If you are facing the same issue, then the most common mistake we do that we use the private IP instead of public IP.

Answer 1

Did you try to connect to node1's public or private address as mentioned in the documentation:

When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. For example, incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group.
(From Documentation)
I've been a victim of this problem before while trying to connect to an EC2 instance's public address, it sounds quite similar to your setup, actually.

When you'll connect the inbound rule so that a source is a security group, you must communicate with the source instance's private address.

Some things to be aware of:

In EC2 Classic, private IP addresses can change on stop/start of an EC2 instance. If you're using EC2 classic you may want to look into this discussion on Elastic DNS Names for a more static addressing solution.
If you set up your environment in VPC, private IP addresses are static. You can also change security group membership of running instances.