Here’s the magic sauce to securely allow traffic to your webservers only from your load balancer. Run the following, where the group argument is the security group your webservers belong to and -u/-o name the owner alias and name of the load balancer’s source security group:
ec2-authorize --region REGION -C /path/to/cert.pem -K /path/to/key.pem ELB_NAME -u OWNER_ALIAS -o SOURCE_SECURITY_GROUP
The tricky bits for me were:
- having to generate an X.509 key and cert just for this purpose (there’s gotta be a way to do that from the web console)
- OWNER_ALIAS above and in the web console equates to SOURCE-OR-DEST-GROUP-USER in the ec2-authorize(1) manpage
- SOURCE_SECURITY_GROUP above and in the web console equates to SOURCE-OR-DEST-GROUP in the ec2-authorize(1) manpage
- remembering to include --region
The documentation for same is confusing to someone like me who doesn’t know much AWS security group terminology.
As far as I know, there’s no way to perform, view, or manage this special security setting through the web console.
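As an added example (it is not part of the original post and not AWS’s own tooling), here is a small sh wrapper around the command above. It refuses to run without a region, cert and key, which were the pitfalls above, can optionally restrict the rule to a protocol and port, and prints the command in dry-run mode so the rule can be reviewed before it is applied. The variable names EC2_REGION, EC2_CERT, EC2_PRIVATE_KEY, EC2_PROTO, EC2_PORT and DRY_RUN, and the group name web-sg, are this example’s own; amazon-elb/amazon-elb-sg is the source security group AWS documents for a classic load balancer in EC2-Classic, so check yours with elb-describe-lbs --show-long from the ELB API tools before using it.

```shell
#!/bin/sh
# Added example, not from the original post: a thin wrapper around ec2-authorize
# (EC2 API tools, assumed to be on PATH when not in dry-run mode).
#
#   EC2_REGION, EC2_CERT, EC2_PRIVATE_KEY   required (variable names are this script's own)
#   EC2_PROTO, EC2_PORT                    optional: pass -P/-p to limit the rule
#   DRY_RUN=1                               print the command instead of running it
#
# usage: authorize_from_group WEBSERVER_GROUP OWNER_ALIAS SOURCE_SECURITY_GROUP
# e.g.   authorize_from_group web-sg amazon-elb amazon-elb-sg
#        (amazon-elb/amazon-elb-sg is the documented source group of a classic
#         load balancer in EC2-Classic; confirm with elb-describe-lbs --show-long)
authorize_from_group() {
    group=$1 owner=$2 source_group=$3
    if [ -z "$group" ] || [ -z "$owner" ] || [ -z "$source_group" ]; then
        echo "usage: authorize_from_group WEBSERVER_GROUP OWNER_ALIAS SOURCE_SECURITY_GROUP" >&2
        return 2
    fi
    # The API tools silently fall back to us-east-1 when no region is given,
    # so a forgotten --region modifies a group in the wrong region. Make it explicit.
    if [ -z "$EC2_REGION" ]; then
        echo "EC2_REGION is not set (e.g. us-west-2); refusing to guess a region" >&2
        return 1
    fi
    # ec2-authorize signs the request with the X.509 cert/private key pair
    # (the -C/-K arguments), not with access keys.
    if [ ! -r "$EC2_CERT" ] || [ ! -r "$EC2_PRIVATE_KEY" ]; then
        echo "EC2_CERT and EC2_PRIVATE_KEY must point at readable .pem files" >&2
        return 1
    fi
    set -- ec2-authorize --region "$EC2_REGION" -C "$EC2_CERT" -K "$EC2_PRIVATE_KEY" \
        "$group" -u "$owner" -o "$source_group"
    # Optional least-privilege restriction (assumes a tools version that accepts
    # -P/-p together with -o/-u); without it the rule admits all traffic from
    # the source group, which is what the command in the post does.
    if [ -n "$EC2_PROTO" ] && [ -n "$EC2_PORT" ]; then
        set -- "$@" -P "$EC2_PROTO" -p "$EC2_PORT"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"
        return 0
    fi
    "$@"
}
```

Run it once with DRY_RUN=1 to see exactly what will be sent, then again without it; the same wrapper with ec2-revoke in place of ec2-authorize undoes the rule, since the two commands take the same arguments.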

