Cascading Security Group Rules?

asked 2018-08-01 14:19:41 -0500

TonyG

I'm trying to create a pattern of cascading security groups (like CSS) as follows:

  • Instance gets two security groups
    • Base
      • rule: Egress all for 0.0.0.0
      • rule: Ingress all for group Admins
      • Admins
        • rule: Ingress all for a.b.c.d
    • Public
      • rule: Ingress HTTP/HTTPS for 0.0.0.0

If a rule in the Base group references the group Admins, the IPs in Admins are not allowed into the instance being defined. If that rule specifies a single IP, it works. The Admins group is a simple Allow Any protocols/ports Ingress for a specific IP.

So the cascade is:

Instance > Group > Rule > Group (fail)
Instance > Group > Rule > IP (succeed)

If I do not attempt to cascade to that third level, the Admins group does work:

  • Instance
    • Base
    • Public
    • Admins
      • rule: Ingress all for a.b.c.d

So it seems security groups only build two levels deep. It could be much more powerful if it went deeper.

Is there any way to get around this?

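The behaviour in the question is not a depth limit but what a group-to-group rule means: in both OpenStack Neutron and EC2, a rule whose remote is another security group admits traffic whose source is a port that is a member of that group, and never expands into that group's own rules. The following model is an added example (not from the post or from either platform's code) that evaluates both layouts described above; the addresses, the SSH port and the VM IPs are constructed.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed model of how Neutron and EC2 evaluate a security-group rule whose
# remote is another group: it matches traffic whose SOURCE is a port that is a
# member of that group, not the addresses that group's own rules would admit.

@dataclass
class Rule:
    direction: str                          # "ingress" or "egress"
    remote_cidr: str | None = None          # e.g. "0.0.0.0/0"
    remote_group: str | None = None         # name of another security group
    ports: tuple[int, int] | None = None    # None = all ports

@dataclass
class Port:  # a VM NIC together with the groups attached to it
    ip: str
    groups: list[str]

def member_ips(group: str, ports: list[Port]) -> set[str]:
    """What remote_group expands to: addresses of ports attached to the group."""
    return {p.ip for p in ports if group in p.groups}

def ingress_allowed(src_ip: str, dst_port: int, dst: Port, groups: dict, ports: list[Port]) -> bool:
    """True if any ingress rule of any group attached to dst admits the packet."""
    for name in dst.groups:
        for r in groups[name]:
            if r.direction != "ingress" or (r.ports and not r.ports[0] <= dst_port <= r.ports[1]):
                continue
            if r.remote_cidr and ip_address(src_ip) in ip_network(r.remote_cidr):
                return True
            if r.remote_group and src_ip in member_ips(r.remote_group, ports):
                return True  # membership only; the Admins group's own rules are never consulted
    return False

ADMIN_IP = "203.0.113.7"  # constructed stand-in for the post's a.b.c.d
GROUPS = {
    "Base": [Rule("egress", remote_cidr="0.0.0.0/0"), Rule("ingress", remote_group="Admins")],
    "Admins": [Rule("ingress", remote_cidr=ADMIN_IP + "/32")],
    "Public": [Rule("ingress", remote_cidr="0.0.0.0/0", ports=(80, 80)),
               Rule("ingress", remote_cidr="0.0.0.0/0", ports=(443, 443))],
}

def admin_can_ssh(attach_admins_directly: bool) -> bool:
    """SSH (22) from the admin workstation to a VM using either layout from the post."""
    vm = Port("10.0.0.5", ["Base", "Public"] + (["Admins"] if attach_admins_directly else []))
    return ingress_allowed(ADMIN_IP, 22, vm, GROUPS, [vm])
```

With the cascaded layout the Base rule only admits other instances that carry the Admins group, so the external admin address is dropped; attaching Admins directly to the instance, as in the second layout, is the supported way to get the effect.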