I am trying to configure secure ssh connection from bastion host (located in public subnet) to private linux instances (located in private subnet) in the same VPC.
When I add a security group rule for my private linux instance, initially it shows the rule as:
Please note that before adding the IP address of the bastion host, the water mark shows "CIDR, IP or Security Group", but when I add the IP address of the bastion host, it throws error as:
The source needs to be a CIDR block or a Security Group ID.
It appears that your situation is:
I note that you are entering a Public IP address (220.127.116.11) in the Security Group. You should actually enter the Private IP address of the Bastion instance. This way, the traffic between the instances flows wholly within the VPC rather than leaving the VPC (to access the public IP address) and then coming back in again.
Actually, the recommended way to configure this setup is:
By referring to the name of a security group, traffic will automatically be permitted from any EC2 instance that is associated with the named security group (in this case, any instance that is associated with the Bastion-SG). This means that instances can be added/replaced and traffic will still be permitted based upon the associated security group, rather than having to update specific IP addresses.
So, to answer your question... Yes, there are three ways to refer to the source. From the EC2 documentation Security Group Rules:
- An individual IP address, in CIDR notation. Be sure to use the /32 prefix after the IP address; if you use the /0 prefix after the IP address, this opens the port to everyone. For example, specify the IP address 203.0.113.1 as 203.0.113.1/32.
- An IP address range, in CIDR notation (for example, 203.0.113.0/24).
- The name (EC2-Classic) or ID (EC2-Classic or EC2-VPC) of a security group.
So, the IP address actually has to use CIDR notation, with
/32 at the end. If you think that this doesn't quite match the hint of "IP" (and I'd tend to agree with you), feel free to hit the Feedback button in the console and provide your feedback to the EC2 Console team.