Question
I have a VPC set up in AWS and have a security group that allows inbound connections from the VPC's CIDR block and have assigned it to my instances. SSH and TCP work fine while using the private IP addresses. However, when using public IP addresses on an instance, the connection fails. Why is that so? Why doesn't the security group know the connection is coming from within the VPC even if it's addressed to the public IP?
Answer 1:
When you use the public IP the traffic exits the VPC and enters back into the VPC. At that point the security group sees the traffic coming from another public IP without any VPC/security group information available.
Answer 2:
When you connect to the Public IP, even if the instance is in the same subnet, the traffic still goes out of the VPC to the internet via the internet gateway, and then enters back into the VPC. Thus it's NAT, and the source Private IP is hidden by the Public IP, and by your settings, there are no security group rules that allow that kind of traffic.
BTW, if you use the Public IP to connect to another host in the same VPC, AWS will charge you for network traffic.
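The two answers above describe the same mechanism: a packet sent to a private address is delivered inside the VPC with its real source, while a packet sent to a public address hairpins through the internet gateway and arrives with the sender's public IP as its source, so a rule keyed on the VPC CIDR never matches it. The following model is an added example, not code from the question, the answers, or AWS: the VPC CIDR, instance addresses (taken from the 203.0.113.0/24 documentation range) and the single-rule security group are all constructed, and the gateway is reduced to the one behaviour that matters here, rewriting the source to the sender's public IP.

```python
"""Constructed model of security-group evaluation for intra-VPC vs hairpinned
traffic. This is an added illustration, not AWS's implementation; it only
captures the source-address rewrite the answers describe."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed VPC CIDR matching the "allow from the VPC's CIDR block" rule.
VPC_CIDR = ipaddress.ip_network("10.0.0.0/16")


@dataclass
class Instance:
    name: str
    private_ip: str
    public_ip: Optional[str] = None  # None models an instance with no public IP


@dataclass
class Rule:
    protocol: str
    from_port: int
    to_port: int
    cidr: str  # inbound source CIDR


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)

    def match(self, src_ip: str, protocol: str, port: int) -> Optional[Rule]:
        """Return the first inbound rule that permits this source/port, if any.
        Security groups are allow-lists: no matching rule means deny."""
        src = ipaddress.ip_address(src_ip)
        for rule in self.inbound:
            if (rule.protocol == protocol
                    and rule.from_port <= port <= rule.to_port
                    and src in ipaddress.ip_network(rule.cidr)):
                return rule
        return None


def source_as_seen_by_destination(src: Instance, dst_ip: str):
    """Return (path, source_ip) as the destination instance's security group
    sees it. A private destination stays inside the VPC; a public destination
    leaves through the internet gateway, which rewrites the source to the
    sender's public IP (the NAT the answers refer to)."""
    if ipaddress.ip_address(dst_ip) in VPC_CIDR:
        return "intra-vpc", src.private_ip
    if src.public_ip is None:
        # Simplification: without a public IP the sender cannot reach the
        # internet gateway at all in this model.
        raise ValueError(f"{src.name} has no public IP to hairpin through")
    return "hairpin-via-igw", src.public_ip


def connection_allowed(src: Instance, dst_ip: str, sg: SecurityGroup,
                       protocol: str = "tcp", port: int = 22) -> Dict[str, object]:
    path, seen = source_as_seen_by_destination(src, dst_ip)
    rule = sg.match(seen, protocol, port)
    return {
        "path": path,
        "source_seen": seen,
        "allowed": rule is not None,
        "matched_cidr": rule.cidr if rule else None,
    }


def demo() -> Dict[str, Dict[str, object]]:
    """Reproduce the question: SSH works to the private IP, fails to the public IP."""
    client = Instance("client", "10.0.1.10", "203.0.113.10")  # constructed
    server = Instance("server", "10.0.1.20", "203.0.113.20")  # constructed
    vpc_only = SecurityGroup("allow-vpc", [Rule("tcp", 22, 22, str(VPC_CIDR))])
    # Same group plus a rule that covers the client's public address, to show
    # what the hairpinned packet would actually have to match.
    with_public = SecurityGroup("allow-vpc-and-client-public",
                                vpc_only.inbound + [Rule("tcp", 22, 22, "203.0.113.10/32")])
    return {
        "private": connection_allowed(client, server.private_ip, vpc_only),
        "public": connection_allowed(client, server.public_ip, vpc_only),
        "public_with_public_rule": connection_allowed(client, server.public_ip, with_public),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24s} path={result['path']:16s} "
              f"source_seen={result['source_seen']:15s} allowed={result['allowed']}")
```

The third case only exists to make the point concrete: the hairpinned packet carries the client's public address, so the only rule that could admit it is one written for that public address. Keeping intra-VPC traffic on private addresses (and leaving the CIDR-scoped rule as the sole SSH entry) avoids both the failure in the question and the data-transfer charge mentioned in the second answer.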
Source: https://stackoverflow.com/questions/42931354/aws-security-group-that-allows-instances-within-vpc-to-connect-doesnt-work-over