Apart from creating security groups that open up a set of TCP or UDP ports for a range of IP addresses (CIDR-based, as in the previous scenario), it is also possible to reference other security groups when opening up ports. This is very practical if the user, for instance, has a set of frontend servers and backend servers that should have the same ports open between them. Let's say we have two classes of instances:

  • Frontend servers: open for HTTPS traffic (TCP port 443) from the whole world
  • Backend servers: allow MySQL traffic (TCP port 3306) from the frontends

The frontend servers' security group can be created as in the former scenario, that is, a security group called "frontend" with one rule in it that allows TCP port 443 from 0.0.0.0/0 (all IP addresses):

The backend servers' security group can use the clever trick of referencing another security group, with the "frontend" group as the source of the TCP port 3306 rule instead of a CIDR range:

If the user then applies the frontend group to the frontend instances and the backend group to the backend instances, the correct ports are opened between the two sets of servers. The clever thing is that if the user adds more frontend instances, they only need to be added to the frontend group, and all communication that applies to the other frontend instances applies to the new one as well. The same goes for a new backend instance: it only needs to be added to the backend group and all communication works just as expected.
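To make the difference between a CIDR-based rule and a group-referencing rule concrete, here is an added example (not part of the original page or of any cloud provider's code) that models the two groups above and evaluates ingress decisions the way a security group engine does: a rule matches a source either by address range or by the groups the source instance belongs to, and anything without a matching rule is denied. The instance names, addresses and `add_instance` helper are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str
    port_min: int
    port_max: int
    remote_cidr: Optional[str] = None    # source address range, e.g. "0.0.0.0/0"
    remote_group: Optional[str] = None   # or: the name of another security group

# The two groups from the text: frontend open to the world on 443,
# backend reachable on 3306 only from members of "frontend".
GROUPS = {
    "frontend": [Rule("tcp", 443, 443, remote_cidr="0.0.0.0/0")],
    "backend": [Rule("tcp", 3306, 3306, remote_group="frontend")],
}

# Constructed sample instances: name -> (address, groups applied to it).
INSTANCES = {
    "web1": ("10.0.1.10", {"frontend"}),
    "db1": ("10.0.2.10", {"backend"}),
}

def add_instance(instances, name, ip, groups):
    """Launch a new instance with the given groups; rules follow membership."""
    instances[name] = (ip, set(groups))

def is_allowed(groups, instances, src_ip, dst_name, protocol, port):
    """Return True if ingress traffic from src_ip to dst_name is permitted."""
    _dst_ip, dst_groups = instances[dst_name]
    src_addr = ipaddress.ip_address(src_ip)
    # Groups the source belongs to, if it is one of our instances (else empty).
    src_groups = {g for ip, gs in instances.values() if ip == src_ip for g in gs}
    for gname in dst_groups:
        for r in groups[gname]:
            if r.protocol != protocol or not (r.port_min <= port <= r.port_max):
                continue
            if r.remote_cidr and src_addr in ipaddress.ip_network(r.remote_cidr):
                return True
            if r.remote_group and r.remote_group in src_groups:
                return True
    return False  # default deny: no rule matched

if __name__ == "__main__":
    print(is_allowed(GROUPS, INSTANCES, "203.0.113.5", "web1", "tcp", 443))  # True
    print(is_allowed(GROUPS, INSTANCES, "203.0.113.5", "db1", "tcp", 3306))  # False
    print(is_allowed(GROUPS, INSTANCES, "10.0.1.10", "db1", "tcp", 3306))    # True
```

Adding a second frontend with `add_instance(INSTANCES, "web2", "10.0.1.11", {"frontend"})` makes it reachable to the database on 3306 without touching the backend group, while an instance with the same address but without the frontend group is still denied.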
