All, AWS has a feature where a security group can include a rule that allows a security group ID, instead of allowing an IP address. Any instance which is a member of the security group matches the rule and its traffic is permitted according to the rule.
A very useful thing you can do with this is add the security group's *own* ID to itself and set it to allow all TCP/UDP/ICMP packets. Then, all instances that are members of this security group have unrestricted access to each other, a bit like a private subnet. However, external access is still firewalled off unless IP-based rules are also added to the security group as usual.
Looking at jclouds, it's possible to pass a security group in the EC2TemplateOptions, but this then disables jclouds' processing of inboundPorts. So it's an all-or-nothing approach: either jclouds manages the security group for the app, or it does nothing and it's up to the app to fully manage the security group, so the app ends up duplicating code that opens the inbound ports.
Any thoughts on how jclouds could take advantage of this AWS feature?
Richard.
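As an added illustration (not part of Richard's message, and not jclouds, boto or AWS code), the following is a small model of how EC2 evaluates the rule described above: a source-group rule matches on the sender's group membership, a CIDR rule matches on the sender's address, and anything not matched by an allow rule is dropped. The group ID `sg-app`, the instance names, the addresses and the ports are all constructed for the example.

```python
"""Model of EC2 security-group evaluation for a self-referencing rule.

Constructed example for illustration only; not AWS, boto or jclouds code.
Group IDs, instance names, addresses and ports are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ALL = "-1"  # EC2's wildcard protocol: tcp, udp and icmp on every port


@dataclass(frozen=True)
class Rule:
    protocol: str                       # "tcp", "udp", "icmp" or ALL
    from_port: int = -1                 # -1/-1 means every port
    to_port: int = -1
    cidr: Optional[str] = None          # address-based source, e.g. "203.0.113.0/24"
    source_group: Optional[str] = None  # membership-based source, e.g. "sg-app"


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)

    def allow_cidr(self, protocol: str, port: int, cidr: str) -> None:
        """The usual IP-based rule: one protocol, one port, one CIDR range."""
        self.inbound.append(Rule(protocol, port, port, cidr=cidr))

    def allow_group(self, source_group: str) -> None:
        """Allow every protocol and port from members of source_group."""
        self.inbound.append(Rule(ALL, source_group=source_group))

    def allow_self(self) -> None:
        """The trick from the post: the group references its own ID."""
        self.allow_group(self.group_id)


@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    groups: frozenset  # IDs of the security groups the instance belongs to


def permits(dest: Instance, src_ip: str, src_groups: frozenset,
            protocol: str, port: int, catalog: dict) -> bool:
    """True if an inbound rule on any of dest's groups matches the sender.

    Rules only ever allow, so the first match wins and an unmatched
    packet is dropped. A source-group rule ignores the sender's address
    and looks only at its membership; a CIDR rule does the opposite.
    """
    for gid in dest.groups:
        for rule in catalog[gid].inbound:
            if rule.protocol != ALL and rule.protocol != protocol:
                continue
            if rule.protocol != ALL and not rule.from_port <= port <= rule.to_port:
                continue
            if rule.source_group is not None and rule.source_group in src_groups:
                return True
            if rule.cidr is not None and ip_address(src_ip) in ip_network(rule.cidr):
                return True
    return False


def build_scenario():
    """Constructed deployment: two nodes in one self-referencing group."""
    app = SecurityGroup("sg-app")
    app.allow_self()                             # members talk freely to each other
    app.allow_cidr("tcp", 22, "203.0.113.0/24")  # plus SSH from one office range
    catalog = {"sg-app": app}
    web = Instance("web", "10.0.1.10", frozenset({"sg-app"}))
    db = Instance("db", "10.0.1.20", frozenset({"sg-app"}))
    return catalog, web, db


def member_to_member(catalog, web, db) -> bool:
    # web -> db on an arbitrary port: allowed purely by group membership
    return permits(db, web.private_ip, web.groups, "tcp", 5432, catalog)


def outsider_to_member(catalog, db) -> bool:
    # Same subnet, but not a member and no CIDR rule covers it: dropped
    return permits(db, "10.0.1.99", frozenset(), "tcp", 5432, catalog)


def office_ssh(catalog, db) -> bool:
    return permits(db, "203.0.113.7", frozenset(), "tcp", 22, catalog)


def office_postgres(catalog, db) -> bool:
    # The office range only has port 22 opened, so anything else is dropped
    return permits(db, "203.0.113.7", frozenset(), "tcp", 5432, catalog)


if __name__ == "__main__":
    cat, w, d = build_scenario()
    print("web->db:", member_to_member(cat, w, d))
    print("outsider->db:", outsider_to_member(cat, d))
    print("office ssh:", office_ssh(cat, d), "office postgres:", office_postgres(cat, d))
```

Two caveats worth keeping in mind when relying on this in practice: EC2 matches a source-group rule against the sender's private address, so a member that reaches another member via a public or Elastic IP does not match the self-rule and needs a CIDR rule instead; and because security groups are stateful, the self-rule needs to exist only on the inbound side for replies to flow back.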
