Target VPC server FROM the private IP address of a public server

I have two servers: ExternalSrv and InternalSrv, on the same EC2 VPC.

I have a very simple setup using Nodejs, Express and Axios.

ExternalSrv handles requests from the public, which, of course, come in to ExternalSrv’s public IP address. ExternalSrv calls InternalSrv to do some of the work.

In order to simplify the security group inbound rules on InternalSrv, I would like to allow ALL VPC IP address, but nothing else.

I find that ExternalSrv always uses its Public IP address when making requests to InternalSrv’s Private IP address. Therefore, the security group needs to be updated with ExternalSrv’s Public IP address whenever that address changes (Stop/Start, new instance, more instances, etc.). That seems like a fragility point in ongoing maintenance.

This seems like this should be easy, but I’ve been searching for an answer for quite some time.

Any insight would be appreciated.



Thank you for visiting the Q&A section on Magenaut. Please note that all the answers may not help you solve the issue immediately. So please treat them as advisements. If you found the post helpful (or not), leave a comment & I’ll get back to you as soon as possible.

Method 1

When two Amazon EC2 instances in the same VPC communicate with each other, it is best to perform this communication via private IP addresses. This has several benefits:

  • Security Groups can refer to other Security Groups
  • Traffic stays within the VPC (if communicating via Public IP addresses, the traffic will exit the VPC and then come back in)
  • It is cheaper (there is a 1c/GB charge for traffic going out of the VPC and then back in)

The best-practice security setup for your situation would be:

  • Create a Security Group on ExternalSrv (SG-External) that would allow inbound traffic as necessary (eg port 80, 443), together with default “Allow All” outbound traffic
  • Create a Security Group on InternalSrv (SG-Internal) that allows inbound traffic from SG-External

That is, SG-Internal specifically references SG-External in its rules. This way, inbound traffic will be accepted from ExternalSrv without needing to know its IP address. It also allows other servers to be added to the Security Group in future and they will also be permitted access.

Yes, you could simply add a rule that limits inbound access to the CIDR of the VPC, but good security is always about having multiple layers of security. Restricting access will cut-down potential attack vectors.

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

0 0 votes
Article Rating
Notify of

Inline Feedbacks
View all comments
Would love your thoughts, please comment.x