I have an AWS Elastic Beanstalk environment that is created with an Elastic Load Balancer, and which specifies the default ELB security group ("ELB created security group used when no security group is specified during ELB creation") as the source for inbound HTTP.
If I replace this default ELB security group as the source for my environment's security group's inbound rules with a port range, does traffic
- still come through the ELB, and is it
- still filtered by the ELB's security group's rules,
or does traffic then "skip" the ELB (or at least its security group) and come directly to my instances?
It sounds like you're confusing the concept of network routing with firewall rules. The security groups will not affect where traffic is directed.
Networking routing:
Security Groups:
So to answer your question:
Yes, you can update the security group of your EB environment to allow traffic from an ELB. Doing so will not impact where that ELB will direct traffic.
Yes, if the network routing you have in place sends traffic first to an ELB and then to an EC2 instance, the traffic must meet the requirements of the ELB's security group & the EC2 instance's security group. If your instances are in a private subnet, the ELB cannot be skipped when starting from an external endpoint. If the EC2 instances are in a public subnet, a user could access your instance directly if your firewall rules allow it.
However, I highly suspect that you're thinking something is going to happen here that won't. I urge you to read up on networking. A good starting spot would be the VPC documentation (http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenarios.html). Work through the scenarios to understand what the role of each component is.
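To make the answer's two points concrete, here is an added Python model (not from the original thread and not AWS code) of how an inbound flow is checked first against the ELB's security group and then against the instance's, with the rule source matched either by CIDR or by reference to another security group. The group ids, the ELB node's private address and the client address are constructed values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    port_from: int
    port_to: int
    cidr: Optional[str] = None       # source given as an IP range
    source_sg: Optional[str] = None  # source given as another security group id

@dataclass
class SecurityGroup:
    sg_id: str
    ingress: List[Rule] = field(default_factory=list)

    def allows(self, src_ip: str, src_sg: Optional[str], port: int) -> bool:
        """Inbound is allowed if any rule matches both the port and the source."""
        for r in self.ingress:
            if not (r.port_from <= port <= r.port_to):
                continue
            if r.cidr and ipaddress.ip_address(src_ip) in ipaddress.ip_network(r.cidr):
                return True
            if r.source_sg and src_sg == r.source_sg:
                return True
        return False

ELB_NODE_IP = "10.0.1.20"  # constructed private address of an ELB node inside the VPC

def via_elb(elb_sg: SecurityGroup, inst_sg: SecurityGroup, client_ip: str, port: int) -> bool:
    """Client -> ELB -> instance: both groups must allow the flow, as the answer states."""
    if not elb_sg.allows(client_ip, None, port):
        return False
    # The second hop originates from the ELB, so it carries the ELB's group as its source.
    return inst_sg.allows(ELB_NODE_IP, elb_sg.sg_id, port)

def direct(inst_sg: SecurityGroup, client_ip: str, port: int, instance_public: bool) -> bool:
    """Client -> instance: only reachable from outside if the instance has a public address."""
    if not instance_public:
        return False  # private subnet: the ELB cannot be skipped, regardless of rules
    return inst_sg.allows(client_ip, None, port)

# Constructed groups: the ELB accepts HTTP from anywhere; the instance group either
# references the ELB's group (the default EB setup) or opens a CIDR range instead.
ELB_SG = SecurityGroup("sg-elb", [Rule(80, 80, cidr="0.0.0.0/0")])
INSTANCE_SG_REF_ELB = SecurityGroup("sg-inst", [Rule(80, 80, source_sg="sg-elb")])
INSTANCE_SG_OPEN_CIDR = SecurityGroup("sg-inst", [Rule(80, 80, cidr="0.0.0.0/0")])
```

Swapping the security-group reference for a CIDR rule does not change the path traffic takes through the ELB; it only decides whether a public instance would also answer direct requests.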