Russell Smith specializes in the management and security of Microsoft-based IT systems. In addition to blogging about Windows and Active Directory for the Petri IT Knowledgebase, Russell is a Contributing Editor at CDW’s Biztech Magazine. Russell has more than 15 years of experience in IT, has written a book on Windows security, co-authored one for Microsoft’s Official Academic Course (MOAC) series and has delivered several courses for Pluralsight.

Enable IP between VPC Instances in Amazon Web Services

In this easy Ask the Admin, I’ll show you how to configure security groups in Amazon Web Services (AWS) so that EC2 Virtual Private Cloud (VPC) instances can communicate with each other. In Manage IP Addressing with Virtual Private Clouds in Amazon Web Services on the Petri IT Knowledgebase, I provisioned virtual machines (Elastic Compute instances) in a VPC, so that the VMs would be assigned to the same internal private IP address each time they are started. This is especially important for servers that require a static IP address, such as Active Directory domain controllers.

In that article, I created an Internet gateway for the VPC and set up a new security group that would allow traffic from the Internet to reach instances on TCP port 3389 for Remote Desktop access. Security groups are locked down by default. Because security group rules are applied to each instance and nothing is allowed until a rule permits it, communication between instances in the same VPC is prevented until you add inbound rules for it. In AWS, network ACLs control the traffic allowed to reach VPC subnets, and security groups are used to protect instances.

Add Rules to a Security Group

For the purposes of this article, I’m going to assume that you already have a security group in your VPC, as described in the article mentioned above. If not, create a new group that allows RDP access to your instances. Don’t forget that you can have more than one security group, and instances connected to a VPC can be associated with different security groups. You will also need to have the AWS Tools for Windows PowerShell installed on your PC, as described in Provision Windows Server in Amazon Web Services using PowerShell. First, I need to establish the GroupId for myPSSecurityGroup, which is the security group I created when provisioning the VPC and instances.

Make a note of the GroupId that corresponds to your security group from the output of the previous commands. Now that I know the GroupId for myPSSecurityGroup, I’ll put it into a variable:

Using PowerShell to get the security group ID. (Image Credit: Russell Smith)

I also know that my VPC private subnet is, so I can allow all inbound TCP traffic from any address in this range.

Now I’ll repeat that for UDP, keeping the address block the same.

Finally, I’ll configure ICMP echo requests so that I can use the ping command for troubleshooting. In FromPort, I’m specifying the ICMP type, which is 8. The ToPort value is not used for ICMP, so it must be set to -1.
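As an added example (not the article's own commands), here are the rule additions from this section and the check from the next one using the AWS Tools for PowerShell; the subnet CIDR 10.0.0.0/24, the credential setup and the New-IngressPermission helper are my assumptions, not values from the article.

```powershell
# Added example, not the article's own commands. Assumes the AWS Tools for
# PowerShell module is imported and credentials/region are already configured
# (Set-AWSCredential / Set-DefaultAWSRegion). The subnet CIDR below is an
# assumed placeholder; replace it with your VPC's private subnet.
$subnetCidr = '10.0.0.0/24'

# 1. Establish the GroupId of myPSSecurityGroup by filtering on its name
#    (a group inside a VPC is looked up with a filter, not -GroupName).
$groupID = (Get-EC2SecurityGroup -Filter @{ Name = 'group-name'; Values = 'myPSSecurityGroup' }).GroupId

# Helper (assumed name): build one IpPermission object for Grant-EC2SecurityGroupIngress.
function New-IngressPermission {
    param([string]$Protocol, [int]$FromPort, [int]$ToPort, [string]$Cidr)
    $range = New-Object Amazon.EC2.Model.IpRange
    $range.CidrIp = $Cidr
    $perm = New-Object Amazon.EC2.Model.IpPermission
    $perm.IpProtocol = $Protocol
    $perm.FromPort   = $FromPort
    $perm.ToPort     = $ToPort
    $perm.Ipv4Ranges = New-Object 'System.Collections.Generic.List[Amazon.EC2.Model.IpRange]'
    $perm.Ipv4Ranges.Add($range)
    return $perm
}

# 2. Inbound rules from the subnet: all TCP ports, all UDP ports, and ICMP
#    echo request (FromPort 8 = ICMP type; ToPort -1 = any ICMP code).
$rules = @(
    New-IngressPermission -Protocol 'tcp'  -FromPort 0 -ToPort 65535 -Cidr $subnetCidr
    New-IngressPermission -Protocol 'udp'  -FromPort 0 -ToPort 65535 -Cidr $subnetCidr
    New-IngressPermission -Protocol 'icmp' -FromPort 8 -ToPort -1    -Cidr $subnetCidr
)
Grant-EC2SecurityGroupIngress -GroupId $groupID -IpPermission $rules

# 3. Check: list the inbound rules now attached to the group.
(Get-EC2SecurityGroup -GroupId $groupID).IpPermissions |
    Select-Object IpProtocol, FromPort, ToPort,
        @{ Name = 'Source'; Expression = { ($_.Ipv4Ranges.CidrIp) -join ', ' } }
```

A tighter source than the whole subnet CIDR is the group itself: an IpPermission whose UserIdGroupPairs entry carries $groupID allows the traffic only between instances that are members of that security group.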

Check Security Group Settings

Now check that the settings above have been applied to the group correctly.

Check the rules added to the security group (Image Credit: Russell Smith)

You should now be able to ping and communicate using IP between any instances in your VPC that belong to the security group identified by the $groupID variable.
