Hi Richard, and apologies for the late response,

AFAIK there is no reason for that to be exclusive. jclouds could
create two security groups and assign both to the instance, and that
should work, right? In that case, mind opening an issue so we can
track and fix it?

Thanks!

I.

On 17 March 2015 at 12:27, Richard Downer <rich...@apache.org> wrote:
> All,
>
> AWS has a feature where a security group can include a rule that
> allows a security group ID, instead of allowing an IP address. Any
> instance which is a member of the security group matches the rule and
> its traffic is permitted according to the rule.
>
> A very useful thing you can do with this is add the security group's
> *own* ID to itself and set it to allow all TCP/UDP/ICMP packets. Then,
> all instances that are a member of this security group have
> unrestricted access to each other, a bit like a private subnet.
> However, external access is still firewalled off unless IP-based rules
> are also added to the security group as usual.
>
> Looking at jclouds, it's possible to pass a security group in the
> EC2TemplateOptions, but this then disables jclouds' processing of
> inboundPorts. So it's an all-or-nothing approach: either jclouds
> manages the security group for the app, or it does nothing and it's up
> to the app to fully manage the security group, so the app ends up
> duplicating code that opens the inbound ports.
>
> Any thoughts on how jclouds could take advantage of this AWS feature?
>
> Richard.
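As an added illustration (not jclouds code, and not written by either poster), the following Python models the two behaviours the thread turns on: a security group rule whose source is a group ID rather than a CIDR, and the two-group layout suggested in the reply, where one group carries the inbound ports and a second, self-referencing group carries the cluster-internal rule, with the instance a member of both. Group IDs, CIDRs and ports are constructed; the rule dicts follow the IpPermissions shape of the EC2 AuthorizeSecurityGroupIngress API, and `authorize` is a hypothetical call site that takes a boto3-style client rather than importing one.

```python
"""Model of self-referencing AWS security group rules (added example, not jclouds code).

Group IDs, CIDRs and ports below are constructed for illustration.
"""
from ipaddress import ip_address, ip_network


def self_referencing_rules(group_id):
    """Ingress rules letting members of group_id reach each other on TCP, UDP and ICMP.

    The dicts use the IpPermissions shape of ec2:AuthorizeSecurityGroupIngress, so a
    boto3 client could accept them as-is. FromPort/ToPort of -1 means "all" for ICMP.
    """
    return [
        {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [{"GroupId": group_id}]},
        {"IpProtocol": "udp", "FromPort": 0, "ToPort": 65535,
         "UserIdGroupPairs": [{"GroupId": group_id}]},
        {"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1,
         "UserIdGroupPairs": [{"GroupId": group_id}]},
    ]


def inbound_port_rules(ports, cidr="0.0.0.0/0"):
    """One TCP rule per port from a CIDR, the kind of rule an inboundPorts option produces."""
    return [{"IpProtocol": "tcp", "FromPort": p, "ToPort": p,
             "IpRanges": [{"CidrIp": cidr}]} for p in ports]


def authorize(ec2_client, group_id, rules):
    """Hypothetical call site: push rules with a boto3-style client (not executed here)."""
    return ec2_client.authorize_security_group_ingress(GroupId=group_id, IpPermissions=rules)


def _port_matches(rule, port):
    lo, hi = rule.get("FromPort", -1), rule.get("ToPort", -1)
    return lo == -1 or lo <= port <= hi


def rule_allows(rule, protocol, port, source_ip=None, source_groups=()):
    """True if one ingress rule admits traffic from the given source.

    A group-based source matches on membership of the sending instance, independent
    of its IP address; a CIDR-based source matches on the address alone.
    """
    if rule["IpProtocol"] not in ("-1", protocol):
        return False
    if rule["IpProtocol"] != "-1" and not _port_matches(rule, port):
        return False
    if any(pair["GroupId"] in source_groups for pair in rule.get("UserIdGroupPairs", [])):
        return True
    if source_ip is not None:
        addr = ip_address(source_ip)
        return any(addr in ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))
    return False


def instance_allows(instance_groups, groups, protocol, port, source_ip=None, source_groups=()):
    """Groups attached to an instance are evaluated as a union: any matching rule admits."""
    return any(rule_allows(rule, protocol, port, source_ip, source_groups)
               for g in instance_groups for rule in groups[g])


# Constructed scenario: one group holding the inbound ports (what a tool like jclouds
# would manage) and one self-referencing cluster group, both attached to the instance.
GROUPS = {
    "sg-inbound-example": inbound_port_rules([22, 8080], cidr="203.0.113.0/24"),
    "sg-cluster-example": self_referencing_rules("sg-cluster-example"),
}
INSTANCE_GROUPS = ("sg-inbound-example", "sg-cluster-example")


def check(protocol, port, source_ip=None, source_groups=()):
    """Evaluate a packet against the constructed instance above."""
    return instance_allows(INSTANCE_GROUPS, GROUPS, protocol, port, source_ip, source_groups)


if __name__ == "__main__":
    print(check("tcp", 5432, source_groups=("sg-cluster-example",)))  # peer in the cluster group
    print(check("tcp", 5432, source_ip="198.51.100.7"))               # outsider, not a member
    print(check("tcp", 22, source_ip="203.0.113.5"))                   # admin CIDR on an open port
```

The evaluator shows why the self-referencing rule behaves like a private subnet only for members: a peer in `sg-cluster-example` is admitted on any port, while an address outside the IP-based rules is refused on the same port, and a member of some other group is refused as well. Because attached groups are evaluated as a union, keeping the inbound-port rules and the self-reference in two separate groups changes nothing about what is admitted, which is what makes the two-group approach workable without the application duplicating the port-opening code.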
