Oct 10, 2016
reference

When you add an ingress rule to a security group A in a VPC and specify another security group B in the VPC as the source, an instance b in B (ClassicLinked or not) can connect to an instance a in A only through a's private IP address.

If you need to talk to instance a using its public IP, you must add an ingress rule using CIDR notation in group A.
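The behaviour described above can be checked against a group's rules with a small model. This is an added example, not AWS code: the rule dictionaries follow the IpPermissions shape returned by describe-security-groups, while the group IDs, addresses, port and the helper names `rule`, `ingress_allows` and `reachability` are constructed for illustration.

```python
import ipaddress

# Constructed sample data: the group ID and addresses are placeholders.
B = {"private": "10.0.2.20", "public": "198.51.100.20", "groups": {"sg-B"}}

def rule(port, group=None, cidr=None):
    """Build one ingress entry in the IpPermissions shape of describe-security-groups."""
    return {
        "IpProtocol": "tcp", "FromPort": port, "ToPort": port,
        "UserIdGroupPairs": [{"GroupId": group}] if group else [],
        "IpRanges": [{"CidrIp": cidr}] if cidr else [],
    }

# Group A with only the group-reference rule, then with an added CIDR rule.
GROUP_ONLY = [rule(5432, group="sg-B")]
# Scope the CIDR rule to b's public address (/32) rather than a wide range.
WITH_CIDR = GROUP_ONLY + [rule(5432, cidr=B["public"] + "/32")]

def ingress_allows(rules, src, via, port, proto="tcp"):
    """Would group A's ingress rules admit `src` connecting to a's `via` address?

    Assumption of this model: on the private path the packet carries src's
    private IP and its group membership is known; on the public path it
    arrives with src's public IP and only CIDR rules can match.
    """
    src_ip = ipaddress.ip_address(src[via])
    for r in rules:
        if r["IpProtocol"] != proto or not r["FromPort"] <= port <= r["ToPort"]:
            continue
        if via == "private" and any(
            p["GroupId"] in src["groups"] for p in r["UserIdGroupPairs"]
        ):
            return True
        if any(src_ip in ipaddress.ip_network(c["CidrIp"]) for c in r["IpRanges"]):
            return True
    return False

def reachability(rules, src, port):
    """Return {'private': bool, 'public': bool} for both of a's addresses."""
    return {via: ingress_allows(rules, src, via, port) for via in ("private", "public")}

if __name__ == "__main__":
    print("group rule only:", reachability(GROUP_ONLY, B, 5432))
    print("group + CIDR   :", reachability(WITH_CIDR, B, 5432))
```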


References

Amazon EC2 Security Groups for Linux Instances - Amazon Elastic Compute Cloud