Channel: Active questions tagged amazon-ec2 - Stack Overflow

Why is my AWS bastion working when its only security group has no rules?

I created a new instance to serve as a bastion so I could SSH into it and use it to connect to my other instances that are in a private subnet. When I created the instance I chose to create a new security group, giving just my own IP address TCP access on port 22. The instance is in a subnet that has a route entry for all IPv4 to an internet gateway, and it has an IPv4 public IP. The instance started, but the associated security group doesn't have the port 22 rule--and I suspect it is due to larger organization controls that prevent that (I don't have sufficient permission to create a security group). The launch created a security group named "launch-wizard-1" that has no rules and that is associated to the instance. It is the only associated security group. So when I look at the instance and click to view inbound and outbound rules, it shows nothing:

But surprisingly, I was able to use it as a bastion and connect to another private instance. I don't understand why. I thought with no security group rules, that means nothing can reach it, so I didn't expect it to work as a bastion to proxy connections to other private instances. The VPC has a detached virtual private gateway and a transit gateway (which has an association to a non-existent routing table) in case those details come into play somehow.

Why is it working as a bastion without any security group rules?


If I view the security group it says "This security group has no rules," but when I click Edit it then shows one rule...so apparently there is something there.

