When adding an ingress rule to a security group A in VPC, and specifying access to another security group B in VPC, you can only connect from an instance b in B (classic linked or not) to an instance a in A using a’s private ip address.
If you need to talk to instance a using it’s public IP, you must add a ingress rule using CIDR notation in group A.
References
Amazon EC2 Security Groups for Linux Instances - Amazon Elastic Compute Cloud
