Does traffic skip my AWS ELB if I don't specify its security group in my EB environment's inbound rules?

Front-end | unresolved | 1 answer | 972
忘掉有多难 2021-01-29 14:44

I have an AWS Elastic Beanstalk environment that is created with an Elastic Load Balancer, and which specifies the default ELB security group ("ELB created security group used

1 answer
  • 2021-01-29 15:08

    It sounds like you're confusing the concept of network routing with firewall rules. The security groups will not affect where traffic is directed.

    Network routing:

    • DNS Settings will direct traffic to your ELB.
    • ELB configuration will funnel traffic it receives to the EC2 instances registered with it.

    Security Groups:

    • Your ELB & EC2 instances have security groups assigned to them. Regardless of the network routing rules that directed the traffic there, the firewall will ask the question "Do I allow traffic from a.b.c.d/R over port X?"

    So to answer your question:

    Yes, you can update the security group of your EB environment to allow traffic from an ELB. Doing so will not impact where that ELB will direct traffic.

    Yes, if the network routing you have in place sends traffic first to an ELB and then to an EC2 instance, the traffic must meet the requirements of the ELB's security group & the EC2 instance's security group. If your instances are in a private subnet, the ELB cannot be skipped when starting from an external endpoint. If the EC2 instances are in a public subnet, a user could access your instance directly if your firewall rules allow it.

    However, I highly suspect that you're thinking something is going to happen here that won't. I urge you to read up on networking. A good starting spot would be the VPC documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenarios.html). Work through the scenarios to understand what the role of each component is.

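The answer's distinction between routing and filtering, modelled as an added example (this is not code from the question or the answer). It treats a security group as a stateful allow-list evaluated at each hop of a path that routing has already chosen, and compares an instance security group that only trusts the ELB's security group with one open to the world. All security-group IDs (sg-elb, sg-locked, sg-open), addresses and ports are constructed for illustration.

```python
"""Toy model of the answer's point: security groups are packet filters
evaluated at each hop, not routing.  Added example; the security-group IDs,
CIDRs and addresses below are constructed for illustration."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class Rule:
    """One inbound rule: a TCP port range plus a source, which is either a
    CIDR block or another security group (an SG-referencing rule)."""
    from_port: int
    to_port: int
    cidr: Optional[str] = None       # e.g. "0.0.0.0/0"
    source_sg: Optional[str] = None  # e.g. "sg-elb" (constructed ID)


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)


@dataclass
class Packet:
    """A packet as seen at one hop.  src_sg is set only when the sender is an
    AWS resource whose ENI carries a security group (e.g. the ELB)."""
    src_ip: str
    dst_port: int
    src_sg: Optional[str] = None


def allows(sg: SecurityGroup, pkt: Packet) -> bool:
    """The firewall question from the answer: 'Do I allow traffic from
    a.b.c.d/R over port X?'  CIDR rules match the source address; SG rules
    match the sender's security group.  No matching rule means deny."""
    for r in sg.inbound:
        if not (r.from_port <= pkt.dst_port <= r.to_port):
            continue
        if r.cidr is not None and ip_address(pkt.src_ip) in ip_network(r.cidr):
            return True
        if r.source_sg is not None and pkt.src_sg == r.source_sg:
            return True
    return False


def path_allowed(hops: List[Tuple[SecurityGroup, Packet]]) -> bool:
    """Routing (DNS, the ELB's target registration) has already chosen the
    hops; each hop's SG only decides whether to admit the packet it sees.
    Traffic forwarded by an ELB leaves from the ELB's own ENI, so at the
    instance it carries the ELB's private IP and security group."""
    return all(allows(sg, pkt) for sg, pkt in hops)


def evaluate_scenarios() -> Dict[str, bool]:
    elb_sg = SecurityGroup("sg-elb", [Rule(80, 80, cidr="0.0.0.0/0")])
    # Instance SG that only trusts the ELB's security group (the change the
    # question asks about).
    locked = SecurityGroup("sg-locked", [Rule(80, 80, source_sg="sg-elb")])
    # Instance SG that is open to the world on port 80.
    open_sg = SecurityGroup("sg-open", [Rule(80, 80, cidr="0.0.0.0/0")])

    client = Packet("203.0.113.10", 80)                 # external user
    from_elb = Packet("10.0.1.5", 80, src_sg="sg-elb")  # ELB ENI -> instance

    return {
        # Normal path: DNS -> ELB -> instance.
        "via_elb_to_locked_instance": path_allowed([(elb_sg, client), (locked, from_elb)]),
        "via_elb_to_open_instance": path_allowed([(elb_sg, client), (open_sg, from_elb)]),
        # Instance in a public subnet and the user connects to its public IP,
        # skipping the ELB.  The ELB is simply not on this path; only the
        # instance SG decides.
        "direct_to_locked_instance": path_allowed([(locked, client)]),
        "direct_to_open_instance": path_allowed([(open_sg, client)]),
        # A port the ELB SG never opened is dropped at the first hop.
        "via_elb_port_8080": path_allowed([
            (elb_sg, Packet("203.0.113.10", 8080)),
            (locked, Packet("10.0.1.5", 8080, src_sg="sg-elb")),
        ]),
    }


if __name__ == "__main__":
    for name, ok in evaluate_scenarios().items():
        print(f"{name:30s} {'ALLOW' if ok else 'DENY'}")
```

The "locked" rule is the real-world equivalent of referencing the ELB's security group in the instance group's inbound rules, e.g. with the AWS CLI: `aws ec2 authorize-security-group-ingress --group-id <instance-sg> --protocol tcp --port 80 --source-group <elb-sg>` (placeholders are yours to fill in). As the model shows, that rule does nothing to where packets go; it only makes a direct connection to a public-subnet instance fail at the instance's own firewall.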