Forbid communication between two ec2 instances within one private VPC

We have two EC2 instances within one private VPC group. Is there a way to forbid communication between the EC2 servers?


Simple version

Ensure the security group for each resource does not allow ingress on the ports you want to block. This works whether the resources are in the same or different security groups.

More Detail

Simply don't allow access into the security group of each server from the security group / CIDR range the other server is in for the port in question. Providing ingress to either the subnet CIDR or the EC2 security group allows communication, so you need to remove both to prevent communication. This works if they're in the same security group or a different security group, assuming there are no rules by CIDR.

Security groups are not like subnets - I think of an SG as a firewall surrounding the instance. Two instances in the same security group do not have automatic access to each other: you must allow egress to the other instance, and the other instance must allow ingress.

I did an experiment just now as follows:

  • Created a new security group with unlimited egress and ingress only from my public IP
  • Created two new Ubuntu 20.04 EC2 instances (I will call them 'one' and 'two') in this new security group
  • SSH'd into 'one' and pinged 'two'. No response.
  • Modified the security group to allow ingress from itself on ICMP
  • Repeated the ping above - which worked.
  • Removed the ingress rule, did a ping - no reply
  • Added an ingress rule from the subnet CIDR - ping worked

MLU's answer is equally valid and probably simpler to understand, but if you need your servers in the same security group give this a shot :)
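The experiment above, written out as Terraform so it can be reproduced and kept under review. This is an added example, not code from the answer's author or from AWS; the VPC, subnet, AMI and admin IP are assumed placeholders passed in as variables, and the instance type is an arbitrary choice. The two ICMP rules at the bottom are the ones that re-enabled the ping in the experiment; they are created with `count = 0` so the applied state is the locked-down one, and flipping either to `count = 1` reproduces the "ping worked" steps.

```terraform
# Added example (not from the original answer). Two instances in one
# security group that cannot talk to each other. Placeholders below are
# assumptions: supply your own vpc_id, subnet_id, ami_id and admin_cidr.

variable "vpc_id"     { type = string }
variable "subnet_id"  { type = string }
variable "ami_id"     { type = string } # e.g. an Ubuntu 20.04 AMI in your region
variable "admin_cidr" { type = string } # your public IP as a /32

data "aws_subnet" "target" {
  id = var.subnet_id
}

# One security group shared by both instances.
# Terraform strips the AWS default "allow all egress" rule from a new group,
# so every rule the group has is declared explicitly below.
resource "aws_security_group" "isolated" {
  name        = "isolated-instances"
  description = "SSH from admin IP only, no intra-group traffic"
  vpc_id      = var.vpc_id
}

# Ingress only from the admin IP on 22. Nothing here references the group
# itself or the subnet CIDR, so 'one' has no path to 'two' and vice versa.
resource "aws_vpc_security_group_ingress_rule" "ssh_from_admin" {
  security_group_id = aws_security_group.isolated.id
  cidr_ipv4         = var.admin_cidr
  ip_protocol       = "tcp"
  from_port         = 22
  to_port           = 22
}

# Unrestricted egress, as in the experiment. Egress on the sender is not
# enough on its own: the receiver's ingress rules must also match.
resource "aws_vpc_security_group_egress_rule" "all_out" {
  security_group_id = aws_security_group.isolated.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}

# Either rule below re-opens ICMP between the two instances.
# Self-reference: "allow ingress from members of this same group".
resource "aws_vpc_security_group_ingress_rule" "icmp_from_self" {
  count                        = 0 # set to 1 to reproduce "ping worked"
  security_group_id            = aws_security_group.isolated.id
  referenced_security_group_id = aws_security_group.isolated.id
  ip_protocol                  = "icmp"
  from_port                    = -1 # ICMP type, -1 = all
  to_port                      = -1 # ICMP code, -1 = all
}

# Subnet CIDR: also matches the peer, even with no group reference at all.
resource "aws_vpc_security_group_ingress_rule" "icmp_from_subnet" {
  count             = 0 # set to 1 to reproduce "ping worked"
  security_group_id = aws_security_group.isolated.id
  cidr_ipv4         = data.aws_subnet.target.cidr_block
  ip_protocol       = "icmp"
  from_port         = -1
  to_port           = -1
}

resource "aws_instance" "node" {
  for_each               = toset(["one", "two"])
  ami                    = var.ami_id
  instance_type          = "t3.micro" # assumed; any type works for the test
  subnet_id              = var.subnet_id
  vpc_security_group_ids = [aws_security_group.isolated.id]
  tags                   = { Name = each.key }
}
```

To audit an existing group for the two rule shapes that defeat this, list its inbound rules with `aws ec2 describe-security-group-rules --filters Name=group-id,Values=<sg-id>` and look for any non-egress rule whose `ReferencedGroupInfo.GroupId` is the group's own ID, or whose `CidrIpv4` covers the subnet (or is `0.0.0.0/0`). Two caveats worth knowing: security groups are stateful, so a reply to an allowed connection is never blocked by the other side's rules, and a network ACL is not a substitute here, because NACLs apply at the subnet boundary and cannot separate two instances in the same subnet.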