AWS Security Group Best Practice
Good day,
If one is provisioning an EC2 instance (serverA) that receives TCP traffic on port 8000 from a handful of yet-to-be-provisioned EC2 instances (serverB, serverC, etc.), what is the best practice for configuring security groups on serverA?
Security group: serverA_sg
Source: CIDR block that encompasses serverB/C and any future instances of the same type
Port range: 8000
CIDR block would have to be at least /24 due to the fluidity of the environment.
or
Security group: serverA_sg
Source: serverA_sg
Port range: 8000
Then assign "serverA_sg" to serverB/C when they are provisioned? I assume the negative here is that the "client" instances will also then be available on 8000.
Or something else entirely?
Thank you!
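
The two configurations described in the question, modelled as an added example (not part of the original post): a small Python evaluator of inbound rules that lists which instances can reach which on port 8000 under each option. The IP addresses, the 10.0.1.0/24 block and the unrelated host "other" are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Instance:
    name: str
    ip: str
    groups: set            # names of the security groups attached

@dataclass
class Rule:
    port: int
    cidr: str = None       # source given as a CIDR block, or
    source_sg: str = None  # source given as a security group reference

def allowed(src, dst, port, sgs):
    """True if any inbound rule on any of dst's groups admits src (default deny)."""
    for g in dst.groups:
        for r in sgs.get(g, []):
            if r.port != port:
                continue
            if r.cidr and ipaddress.ip_address(src.ip) in ipaddress.ip_network(r.cidr):
                return True
            if r.source_sg and r.source_sg in src.groups:
                return True
    return False

def exposure(instances, sgs, port=8000):
    """All (source, destination) pairs that can connect on the port."""
    return {(s.name, d.name) for s in instances for d in instances
            if s is not d and allowed(s, d, port, sgs)}

def hosts(client_groups):
    # Constructed inventory; "other" is an unrelated host in the same /24.
    return [Instance("serverA", "10.0.0.10", {"serverA_sg"}),
            Instance("serverB", "10.0.1.11", set(client_groups)),
            Instance("serverC", "10.0.1.12", set(client_groups)),
            Instance("other", "10.0.1.99", set())]

def option_cidr():
    # Option 1: serverA_sg admits a CIDR block covering the clients.
    sgs = {"serverA_sg": [Rule(8000, cidr="10.0.1.0/24")]}
    return exposure(hosts([]), sgs)

def option_self_ref():
    # Option 2: serverA_sg admits itself and is also attached to the clients.
    sgs = {"serverA_sg": [Rule(8000, source_sg="serverA_sg")]}
    return exposure(hosts(["serverA_sg"]), sgs)
```

Under the CIDR option every address in the block, including the unrelated host, can reach serverA on 8000; under the self-referencing option the unrelated host is excluded, but each group member accepts port 8000 from every other member.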