After I associate a public IP, I am able to ssh through the public IP from a public terminal, even though the security group only specifies IPs in the project VLAN. If I were to specify a different project VLAN, say 10.4.45.0/24, then port 22 is blocked as expected from the public internet.
Here is an example. My project VLAN is 10.4.57.0/24.
|=> euca-authorize -P tcp -s 10.4.57.0/24 -p 22 myservers
|=> euca-describe-groups-2.7
GROUP ashusb ashusb-vpn Group for vpn
PERMISSION ashusb ashusb-vpn ALLOWS udp 1194 1194 FROM CIDR 0.0.0.0/0
PERMISSION ashusb ashusb-vpn ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
GROUP ashusb default default
GROUP ashusb myservers test
PERMISSION ashusb myservers ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 8080 8080 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 22 22 FROM CIDR 10.4.57.0/24
|=> euca-run-instances ami-000000bd -k as282d -g myservers
|=> euca-allocate-address-2.7
ADDRESS 12.208.178.202
|=> euca-associate-address-2.7 12.208.178.202 -i i-00004f4f
ADDRESS 12.208.178.202 i-00004f4f
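An added example, not part of the original report: a Python check that parses the euca-describe-groups output shown above and computes what the rules say should happen for a given source address, so the result can be compared with what the instance actually accepts. The function names and the public test address 203.0.113.7 (a documentation range) are assumptions made for the illustration.

```python
import ipaddress

# Output copied from the report above.
DESCRIBE_GROUPS = """\
GROUP ashusb ashusb-vpn Group for vpn
PERMISSION ashusb ashusb-vpn ALLOWS udp 1194 1194 FROM CIDR 0.0.0.0/0
PERMISSION ashusb ashusb-vpn ALLOWS icmp -1 -1 FROM CIDR 0.0.0.0/0
GROUP ashusb default default
GROUP ashusb myservers test
PERMISSION ashusb myservers ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 8080 8080 FROM CIDR 0.0.0.0/0
PERMISSION ashusb myservers ALLOWS tcp 22 22 FROM CIDR 10.4.57.0/24
"""


def parse_permissions(text):
    """Return a list of (group, proto, from_port, to_port, network) rules."""
    rules = []
    for line in text.splitlines():
        f = line.split()
        # PERMISSION <owner> <group> ALLOWS <proto> <from> <to> FROM CIDR <cidr>
        if len(f) == 10 and f[0] == "PERMISSION" and f[7:9] == ["FROM", "CIDR"]:
            rules.append((f[2], f[4], int(f[5]), int(f[6]),
                          ipaddress.ip_network(f[9])))
    return rules


def is_allowed(rules, group, proto, port, src):
    """True if any rule of `group` admits `src` on proto/port."""
    addr = ipaddress.ip_address(src)
    for g, p, lo, hi, net in rules:
        if g != group or p != proto:
            continue
        # -1/-1 is the "all types and codes" wildcard used for ICMP rules.
        in_range = (lo == -1 and hi == -1) or lo <= port <= hi
        if in_range and addr in net:
            return True
    return False


if __name__ == "__main__":
    rules = parse_permissions(DESCRIBE_GROUPS)
    # 10.4.57.12 is a constructed address inside the project VLAN;
    # 203.0.113.7 is a constructed address standing in for a public client.
    for src in ("10.4.57.12", "203.0.113.7"):
        print(src, "tcp/22 ->", is_allowed(rules, "myservers", "tcp", 22, src))
```

By the rules as listed, a public source is admitted on ports 80 and 8080 but not on 22, which is the expected behaviour the report contrasts with what was observed.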