Creating the Security Group for Intra-VPC Communication
The intra-VPC security group (SG) is dedicated to resources inside the VPC and allows unrestricted communication between them. It also allows outbound HTTP and HTTPS connections to the internet.
To create the security group for intra-VPC communication, follow the same steps you used to create the bastion's security group. For the new group, set the description to an appropriate value, such as <cluster name> intra VPC SG.
- Note the group's name and ID to the AWS worksheet.
- Remove the default wide-open outbound rule, repeating the process you performed for the bastion security group but with the newly-created intra-VPC security group ID.
Add inbound rule from itself
For communication between intra-VPC resources, add a rule that allows all traffic whose source is this security group. For example:
aws ec2 authorize-security-group-ingress \
--group-id <security group ID> \
--protocol all \
--port -1 \
--source-group <security group ID>
Where <security group ID> is the ID of the newly-created intra-VPC security group.
Add HTTP and HTTPS outbound rules
For retrieving external resources (such as for OMT), product images from the ECR, OS updates, and similar files, resources inside the VPC need to be able to connect to the internet using HTTP/HTTPS. Repeat the process you performed for the bastion security group.
To add an outbound rule allowing all traffic to the VPC's own address range, run the following command:
aws ec2 authorize-security-group-egress \
--group-id <security group ID> \
--protocol all \
--port -1 \
--cidr <VPC CIDR>
<security group ID>: Use the ID of the newly-created intra-VPC security group.
<VPC CIDR>: Use the same CIDR you used for creating the VPC.
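After running the commands above, it is worth confirming that the group actually ended up with the intended rule set: the self-referencing all-traffic ingress rule, no leftover default all-traffic egress to 0.0.0.0/0, and egress limited to tcp/80 and tcp/443 to anywhere plus all traffic to the VPC CIDR. The following is an added example written for this guide, not part of the original page or of any AWS or OMT tooling. It audits the JSON returned by aws ec2 describe-security-groups --group-ids <security group ID> --output json; the sample group below is constructed, with placeholder group ID, account ID and CIDR, and the function names are the example's own.

```python
"""Audit a security group description against the intra-VPC policy above.

Added example (not from the original guide). Input is the JSON shape produced by
`aws ec2 describe-security-groups --output json`; the samples here are constructed.
"""
import json

ANY_V4 = "0.0.0.0/0"

# Constructed sample: the group as it should look after the steps above.
# GroupId, UserId and CIDR are placeholders, not real values.
SAMPLE_SG_JSON = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "example-intra-vpc-sg",
        "IpPermissions": [
            {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
             "UserIdGroupPairs": [{"GroupId": "sg-0123456789abcdef0",
                                   "UserId": "111111111111"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []},
            {"IpProtocol": "-1",
             "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "UserIdGroupPairs": []},
        ],
    }]
})

# Constructed sample: the same group before the default wide-open egress rule was removed.
_unfixed = json.loads(SAMPLE_SG_JSON)
_unfixed["SecurityGroups"][0]["IpPermissionsEgress"].append(
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []})
SAMPLE_SG_UNFIXED_JSON = json.dumps(_unfixed)


def audit_intra_vpc_sg(sg_json, vpc_cidr):
    """Return a list of findings; an empty list means the group matches the policy.

    Only IPv4 ranges and group references are checked; Ipv6Ranges are not covered.
    """
    sg = json.loads(sg_json)["SecurityGroups"][0]
    gid = sg["GroupId"]
    findings = []

    # 1. Ingress: an all-protocol rule sourced from the group itself, and nothing else.
    has_self_rule = any(
        r["IpProtocol"] == "-1"
        and any(p["GroupId"] == gid for p in r.get("UserIdGroupPairs", []))
        for r in sg["IpPermissions"])
    if not has_self_rule:
        findings.append("missing self-referencing all-traffic ingress rule")
    for r in sg["IpPermissions"]:
        for ipr in r.get("IpRanges", []):
            findings.append(f"unexpected CIDR ingress {ipr['CidrIp']} ({r['IpProtocol']})")
        for p in r.get("UserIdGroupPairs", []):
            if p["GroupId"] != gid:
                findings.append(f"unexpected ingress from group {p['GroupId']}")

    # 2. Egress: the default all-traffic-to-anywhere rule must be gone; only tcp/80 and
    #    tcp/443 to anywhere plus all traffic to the VPC CIDR may remain.
    for r in sg["IpPermissionsEgress"]:
        proto = r["IpProtocol"]
        frm, to = r.get("FromPort"), r.get("ToPort")  # absent for protocol "-1"
        for ipr in r.get("IpRanges", []):
            cidr = ipr["CidrIp"]
            if proto == "-1" and cidr == ANY_V4:
                findings.append("default wide-open egress (all traffic to 0.0.0.0/0) still present")
            elif proto == "tcp" and cidr == ANY_V4 and frm == to and frm in (80, 443):
                continue  # allowed: HTTP/HTTPS to the internet
            elif proto == "-1" and cidr == vpc_cidr:
                continue  # allowed: all traffic inside the VPC
            else:
                findings.append(f"unexpected egress {proto} {frm}-{to} to {cidr}")
        for p in r.get("UserIdGroupPairs", []):
            findings.append(f"unexpected egress to group {p['GroupId']}")
    return findings


def is_compliant(sg_json, vpc_cidr):
    """True when the group has no findings against the intra-VPC policy."""
    return not audit_intra_vpc_sg(sg_json, vpc_cidr)


if __name__ == "__main__":
    for label, data in (("fixed", SAMPLE_SG_JSON), ("unfixed", SAMPLE_SG_UNFIXED_JSON)):
        findings = audit_intra_vpc_sg(data, "10.0.0.0/16")
        print(label, "->", findings or "OK: group matches the intra-VPC policy")
```

In practice you would pipe the real describe-security-groups output into audit_intra_vpc_sg with the VPC CIDR you recorded in the AWS worksheet; a non-empty result on the "fixed" group usually means the default egress rule was not revoked or a rule was added to the wrong group ID.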
Next Step: IAM Roles