1 Answer
Yes, HSM does communicate with EC2 on 2223-2225. By default, when you configure HSM, it is only allowed using the default security group. Since the EC2 instances are part of the WebDMZ security group, those ports needed to be manually configured to allow HSM to communicate over those ports with the EC2 instances assigned that security group.
Sorry, I am confused. HSM is listening on 2223-2225, which is why we enable inbound connections on these ports for the HSM security group, but why do we enable these ports on the WebDMZ security group? The EC2 instance doesn't listen on these ports.
I haven't followed that part yet; however, here's my 2c. I believe that the WebDMZ SG is allowing ports 2223-2225 as an outbound rule. This is because you also need to allow connections originating from the EC2 towards the HSM. When the EC2 connects to the HSM, the connection passes through 2 SGs: the WebDMZ one as outbound and the HSM one as inbound. Therefore, you need to allow the connection in both.
That confused me as well. We added 2223-2225 to the WebDMZ group with the HSM security group as source, and also included 2223-2225 on the HSM security group with the WebDMZ group as source.
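As an added illustration of the two-hop evaluation described in the replies above (example code written for this page, not from any poster or from AWS), here is a small model of stateful security-group evaluation with constructed rule sets: a new EC2-to-HSM flow is permitted only when the WebDMZ group has a matching outbound rule and the HSM group has a matching inbound rule. The group ids `sg-webdmz` and `sg-hsm`, the addresses, and the assumption that WebDMZ's outbound rules have been locked down (AWS's default allow-all outbound rule would otherwise already cover that hop) are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Rule:
    proto: str
    from_port: int
    to_port: int
    peer: str  # a security-group id ("sg-...") or a CIDR block


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def _matches(rule, proto, port, peer_sgs, peer_ip):
    """A rule matches if protocol and port range fit and the peer is covered,
    either by referencing one of the peer's security groups or by CIDR."""
    if rule.proto != proto or not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.peer.startswith("sg-"):
        return rule.peer in peer_sgs
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)


def connection_allowed(src_sgs, src_ip, dst_sgs, dst_ip, proto, port):
    """Stateful model: a new flow needs an outbound match on the source side
    AND an inbound match on the destination side; return traffic is implicit."""
    out_ok = any(_matches(r, proto, port, {g.sg_id for g in dst_sgs}, dst_ip)
                 for g in src_sgs for r in g.outbound)
    in_ok = any(_matches(r, proto, port, {g.sg_id for g in src_sgs}, src_ip)
                for g in dst_sgs for r in g.inbound)
    return out_ok and in_ok


HSM_PORTS = (2223, 2225)  # the CloudHSM client port range discussed in the thread


def build_groups(webdmz_outbound_to_hsm, hsm_inbound_from_webdmz):
    # Constructed groups: WebDMZ only allows HTTPS in; outbound is assumed locked down.
    webdmz = SecurityGroup("sg-webdmz", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
    hsm = SecurityGroup("sg-hsm")
    if webdmz_outbound_to_hsm:
        webdmz.outbound.append(Rule("tcp", *HSM_PORTS, "sg-hsm"))
    if hsm_inbound_from_webdmz:
        hsm.inbound.append(Rule("tcp", *HSM_PORTS, "sg-webdmz"))
    return webdmz, hsm


def ec2_can_reach_hsm(webdmz_outbound_to_hsm, hsm_inbound_from_webdmz, port=2224):
    webdmz, hsm = build_groups(webdmz_outbound_to_hsm, hsm_inbound_from_webdmz)
    # Constructed addresses for the EC2 instance and the HSM ENI.
    return connection_allowed([webdmz], "10.0.1.10", [hsm], "10.0.2.20", "tcp", port)
```

Dropping either rule (or moving outside the 2223-2225 range) makes `ec2_can_reach_hsm` return `False`, which is the "allow in both" point made above.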