Question

I have the following setup:

  • An EC2 instance hosting both an application server and a database (mysql), belonging to a security group: let's call it "AppServerSG", and assigned an elastic Public IP (AWS also assigns it a private IP).

  • Various EC2 worker instances which need to connect to the application server's database when booting up. These worker instances belong to another security group: let's call it "WorkerSG".

The inbound rules for the Security Groups look as follows.

For AppServerSG:

80 (HTTP)        0.0.0.0/0
3306 (MYSQL)     WorkerSG

For WorkerSG

80 (HTTP)        AppServerSG

So essentially only the application server should be reachable from outside, and the workers and application should be able to communicate with each other.

However connecting to the database from a worker instance only succeeds when the database host is set as the application server's private IP, not the public elastic IP.

The only way to connect to the database from a worker instance using the application server's public IP seems to require changing the MYSQL rule to allow all connections (0.0.0.0/0) on the AppServerSG, which is something I'm very reluctant to do out of security concerns.

Hard-coding the private IP into the worker instances is also not such a good idea, since every time the app server instance is stopped/restarted, it is assigned a new private IP, which would then require manually changing the database address that each worker instance needs to connect to.

I'm basically wondering if someone has run into similar trouble because this doesn't seem like the way things should work, so either I'm doing something wrong in my setup, or there's a workaround somehow.

Would very much appreciate the help!

Edit:

The motivation behind this setup is that in the event that I want to take the whole thing offline, I can safely bring it back online without having to change the configurations of the application server and the workers.

Had I used RDS, when taking the application offline/online again I would have to take a snapshot of the DB and stop it, then create a new DB based on the snapshot, which would have a different address, which would then bring me back to the problem of changing the configuration.

Honestly if I'm going to have to edit the configuration every time I restart the application anyway, I'd rather have the database on the application server and save myself the costs associated with RDS.

The main issue here is that I don't understand why the security groups don't seem to apply when I'm using the public elastic IP for the database address. Is it by design on the AWS side, or a mistake in the configuration somewhere on my part?

No correct solution

OTHER TIPS

Really, the recommended configuration would have you using an RDS DB instance, setting your DB security group to accept connections from the appropriate EC2 security groups only. In this configuration, you CAN set up your DB user like user@% and still enforce access to the DB only from the specified EC2 security groups.

In this way, you shift the burden of DB access control to the AWS security model, rather than MySQL user configuration. Of course, you would still need to configure DB users to have access only to those appropriate resources within the DB.
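Added illustration, not part of the question or the answer and not AWS code: a small Python model of how security-group ingress is evaluated, to show why the worker's connection succeeds against the private IP, fails against the Elastic IP, and why widening the 3306 rule to 0.0.0.0/0 also admits the whole internet. The two behaviours it encodes are assumptions taken from AWS' documented semantics: a rule whose source is a security group matches only the private IPs of network interfaces in that group, and traffic sent to an Elastic IP leaves through the Internet gateway and is NATed, so it arrives from the sender's public IP. Instance names, addresses, group ids and the VPC CIDR are made up; the RDS check at the end assumes the DB endpoint is reached at a VPC-private address.

```python
"""Model of EC2 security-group ingress evaluation for the setup in the question.
Constructed example: names, IPs, group ids and the VPC CIDR are invented, and the
two behaviours encoded below are assumptions based on AWS' documented semantics,
not output observed from an account."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

VPC_CIDR = ip_network("10.0.0.0/16")  # assumed address range of the VPC


@dataclass
class Instance:
    name: str
    private_ip: str            # VPC address (for an internet host: its only address)
    public_ip: Optional[str]   # Elastic/public IP, or None (e.g. an RDS endpoint)
    groups: Set[str]           # security groups attached to the instance


@dataclass
class Rule:
    port: int
    source: str                # CIDR such as "0.0.0.0/0", or a group id such as "sg-worker"


@dataclass
class SecurityGroup:
    group_id: str
    ingress: List[Rule] = field(default_factory=list)


def observed_source_ip(src: Instance, dst_address: str) -> str:
    """Source address the destination sees on an incoming packet.

    Assumption 1: traffic to an address inside the VPC stays in the VPC and
    keeps the sender's private IP; traffic to an Elastic IP goes out through
    the Internet gateway and is NATed, so it arrives from the sender's public IP."""
    if ip_address(dst_address) in VPC_CIDR:
        return src.private_ip
    if src.public_ip is None:
        raise ValueError(f"{src.name} has no public IP and cannot reach {dst_address}")
    return src.public_ip


def rule_matches(rule: Rule, port: int, source_ip: str, vpc: List[Instance]) -> bool:
    if rule.port != port:
        return False
    if rule.source.startswith("sg-"):
        # Assumption 2: a group reference matches only the *private* IPs of
        # network interfaces that belong to that group, never a NATed public IP.
        return any(i.private_ip == source_ip and rule.source in i.groups for i in vpc)
    return ip_address(source_ip) in ip_network(rule.source)


def ingress_allowed(src: Instance, dst: Instance, dst_address: str, port: int,
                    groups: Dict[str, SecurityGroup], vpc: List[Instance]) -> bool:
    """Security groups are allow-lists: any matching rule on any attached group admits."""
    source_ip = observed_source_ip(src, dst_address)
    return any(rule_matches(rule, port, source_ip, vpc)
               for gid in dst.groups for rule in groups[gid].ingress)


def check_mysql_access(mysql_source: str = "sg-worker") -> Dict[str, bool]:
    """Who reaches port 3306 on the app server for a given 3306 ingress source."""
    app = Instance("app-server", "10.0.1.10", "198.51.100.10", {"sg-appserver"})
    worker = Instance("worker-1", "10.0.2.20", "198.51.100.20", {"sg-worker"})
    stranger = Instance("internet-host", "203.0.113.7", "203.0.113.7", set())
    groups = {
        "sg-appserver": SecurityGroup("sg-appserver",
                                      [Rule(80, "0.0.0.0/0"), Rule(3306, mysql_source)]),
        "sg-worker": SecurityGroup("sg-worker", [Rule(80, "sg-appserver")]),
    }
    vpc = [app, worker]  # only VPC interfaces can be members of a group
    return {
        "worker->private_ip": ingress_allowed(worker, app, app.private_ip, 3306, groups, vpc),
        "worker->elastic_ip": ingress_allowed(worker, app, app.public_ip, 3306, groups, vpc),
        "internet->elastic_ip": ingress_allowed(stranger, app, app.public_ip, 3306, groups, vpc),
    }


def check_rds_access() -> bool:
    """The answer's layout: the DB in its own group that admits sg-worker only.
    The endpoint is assumed to resolve to a VPC-private address, so the group
    reference matches and a '%'-host MySQL grant adds no network exposure."""
    db = Instance("rds-endpoint", "10.0.3.30", None, {"sg-db"})
    worker = Instance("worker-1", "10.0.2.20", "198.51.100.20", {"sg-worker"})
    groups = {"sg-db": SecurityGroup("sg-db", [Rule(3306, "sg-worker")]),
              "sg-worker": SecurityGroup("sg-worker")}
    return ingress_allowed(worker, db, db.private_ip, 3306, groups, [db, worker])


if __name__ == "__main__":
    print("3306 from sg-worker:", check_mysql_access("sg-worker"))
    print("3306 from 0.0.0.0/0:", check_mysql_access("0.0.0.0/0"))
    print("RDS behind sg-db:   ", check_rds_access())
```

Running it shows the trade-off the question describes: with the 3306 source set to the worker group, only the connection to the private IP is admitted; with 0.0.0.0/0 the Elastic IP works, but so does any host on the internet. Keeping the group reference and pointing the workers at a VPC-private address (the RDS endpoint in the answer, or the app server's private address) is what makes both the network rule and the permissive MySQL host pattern safe.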

Licensed under: CC-BY-SA with attribution