Certified Security - Specialty


Question on security group inbound rule for Web DMZ

Why did Ryan add a rule to allow 2223-2225 on the web DMZ security group? My understanding is that it is the HSM that listens on these ports.

Rupesh Bajaj

That confused me as well. We added 2223-2225 to the web DMZ group with the source as the HSM security group, and also included 2223-2225 on the HSM security group with the source as the web DMZ group.

1 Answer

Yes, the HSM does communicate with EC2 on 2223-2225. By default, when you configure the HSM, it is only allowed using the default security group. Since the EC2 instances are part of the WebDMZ security group, those ports needed to be manually configured to allow the HSM to communicate with the EC2 instances assigned that security group over those ports.

Jagan S

Sorry, I am confused. The HSM is listening on 2223-2225, which is why we enable inbound connections on these ports for the HSM sec group, but why do we enable these ports on the WebDMZ sec group? The EC2 instance doesn't listen on these ports.

Asier Rivera Fernandez

I haven't followed that part yet; however, here are my 2c. I believe that the WebDMZ SG is allowing ports 2223-2225 as an outbound rule. This is because you also need to allow connections originating from the EC2 towards the HSM. When the EC2 connects to the HSM, the connection passes through 2 SGs: the WebDMZ one as outbound and the HSM one as inbound. Therefore, you need to allow the connection in both.
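Added example, not from the course or any poster in this thread: a small Python model of how stateful security groups evaluate a new connection between two instances. The SG names, rule sets and the port 2224 probe are constructed for the illustration; it shows that an EC2-to-HSM connection on 2223-2225 needs the WebDMZ egress rule plus the HSM ingress rule, and that an inbound 2223-2225 rule on WebDMZ only comes into play for a connection the HSM itself initiates.

```python
from dataclasses import dataclass, field

@dataclass
class Rule:
    proto: str        # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    peer: str         # a referenced security group id, or "0.0.0.0/0"

@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)

def rule_matches(rule, proto, port, peer_sg):
    # Simplified: "0.0.0.0/0" matches any peer; other CIDRs are not modelled.
    return (rule.proto in (proto, "-1")
            and rule.from_port <= port <= rule.to_port
            and rule.peer in (peer_sg, "0.0.0.0/0"))

def connection_allowed(src, dst, proto, port):
    """A new connection needs the initiator's egress AND the listener's ingress.
    Security groups are stateful, so the reply packets need no extra rule."""
    egress_ok = any(rule_matches(r, proto, port, dst.name) for r in src.egress)
    ingress_ok = any(rule_matches(r, proto, port, src.name) for r in dst.ingress)
    return egress_ok and ingress_ok

# Constructed topology matching the thread: EC2 in WebDMZ, CloudHSM in its own SG.
hsm = SecurityGroup("sg-hsm",
    ingress=[Rule("tcp", 2223, 2225, "sg-webdmz")],      # clients -> HSM
    egress=[Rule("-1", 0, 65535, "0.0.0.0/0")])          # default allow-all egress

# WebDMZ with only the outbound rule Asier describes.
webdmz_minimal = SecurityGroup("sg-webdmz",
    ingress=[Rule("tcp", 443, 443, "0.0.0.0/0")],        # public HTTPS only
    egress=[Rule("tcp", 2223, 2225, "sg-hsm")])          # EC2 -> HSM

# WebDMZ with the extra inbound 2223-2225 rule the question asks about.
webdmz_with_inbound = SecurityGroup("sg-webdmz",
    ingress=[Rule("tcp", 443, 443, "0.0.0.0/0"), Rule("tcp", 2223, 2225, "sg-hsm")],
    egress=[Rule("tcp", 2223, 2225, "sg-hsm")])

def ec2_to_hsm_allowed(webdmz):
    """Connection initiated by the EC2 client toward the HSM listener."""
    return connection_allowed(webdmz, hsm, "tcp", 2224)

def hsm_to_ec2_allowed(webdmz):
    """Connection initiated by the HSM toward the EC2 instance."""
    return connection_allowed(hsm, webdmz, "tcp", 2224)

if __name__ == "__main__":
    for label, sg in (("minimal", webdmz_minimal), ("with inbound", webdmz_with_inbound)):
        print(label, "EC2->HSM:", ec2_to_hsm_allowed(sg), "HSM->EC2:", hsm_to_ec2_allowed(sg))
```

The client-initiated path is allowed in both variants; only a connection the HSM opens toward the EC2 instance depends on the WebDMZ inbound rule.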
