Correctly tagging EC2 instances for filtering

I have a question about the correct way of tagging the EC2 instances along
with allowing access through security groups. I'll use my environment as
the use case. I have four java web applications that spin up an
elasticsearch client, setting node.client to true of course. One of the
applications is in a different security group than the other three. I also
have two data nodes running on their own EC2 instances in their own
security group. All nodes are configured with discovery.ec2.tag.cluster =
dev_search. Also all of the EC2 instances have a tag of cluster:dev_search.

Here's the environment setup:

Search Security Group (permits incoming 9300 traffic from search, web, and
job security groups)
Data 1
Data 2

Web Security Group (does not permit 9300 traffic)
Client 1
Client 2
Client 3

Job Security Group (does not permit 9300 traffic)
Client 4

With this setup, should I be tagging all EC2 instances with dev_search as I
currently am or should the data node instances be the only instances that
are tagged?

If all EC2 instances should be configured with the tag, then does that mean
that all three security groups must open up 9300 to one another? Also what
is the advantage of having the clients talk to one another?

I'm asking because I currently have all of the EC2 instances tagged, but I
wasn't permitting the security groups to talk over 9300 to one another. I
noticed today, after turning on trace logs, that the clients are throwing
ping timeout exceptions while attempting to communicate with one another.
I did remove the tags from the EC2 instances running the clients and the
ping exceptions went away and everything seemed to work because the clients
filtered out everything but the data nodes.
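The mismatch described in the post (instances carrying the discovery tag whose security groups do not accept transport traffic) can be checked mechanically before it shows up as ping timeouts in the trace logs. The following is an added example, not code from the original post or from Elasticsearch: it models the poster's three security groups and six instances with constructed data, mimics the `discovery.ec2.tag.cluster` filter, and reports every tagged pair that discovery would ping but the target's security group would reject on port 9300. The group and instance names, and the `audit`/`poster_setup` helpers, are assumptions made for the example.

```python
"""Audit Elasticsearch EC2 discovery tags against security-group rules.

Added example (not from the original post). It models the setup described
there with constructed data and checks, for every instance that the
discovery.ec2.tag.cluster filter would return, whether the transport port
(9300) is actually permitted from each other discovered instance's security
group. Tagged-but-unreachable pairs are what surface as ping timeouts.
"""
from dataclasses import dataclass, field

TRANSPORT_PORT = 9300  # Elasticsearch node-to-node transport port


@dataclass
class Instance:
    name: str
    security_group: str
    tags: dict          # EC2 tags, e.g. {"cluster": "dev_search"}
    role: str           # "data" or "client" (informational only)


@dataclass
class SecurityGroup:
    name: str
    # Ingress rules modelled as (source_security_group, port) pairs.
    ingress: set = field(default_factory=set)

    def allows(self, source_sg: str, port: int) -> bool:
        return (source_sg, port) in self.ingress


def discovered_nodes(instances, tag_key, tag_value):
    """Mimic discovery.ec2.tag.<key> = <value>: only instances carrying
    that tag become unicast ping targets for the other nodes."""
    return [i for i in instances if i.tags.get(tag_key) == tag_value]


def audit(instances, groups, tag_key="cluster", tag_value="dev_search"):
    """Return (source, target) pairs that discovery will ping but whose
    target security group rejects the transport port from the source's
    security group. An empty list means tags and rules are consistent."""
    nodes = discovered_nodes(instances, tag_key, tag_value)
    problems = []
    for src in nodes:
        for dst in nodes:
            if src is dst:
                continue
            target_sg = groups[dst.security_group]
            if not target_sg.allows(src.security_group, TRANSPORT_PORT):
                problems.append((src.name, dst.name))
    return problems


def poster_setup(tag_clients: bool, open_transport_everywhere: bool = False):
    """Constructed model of the environment in the post (assumed names).

    tag_clients: whether the client instances carry cluster:dev_search.
    open_transport_everywhere: whether web and job also accept 9300 from
    all three groups (the alternative fix to removing the client tags).
    """
    search_tag = {"cluster": "dev_search"}
    client_tags = dict(search_tag) if tag_clients else {}
    instances = [
        Instance("data1", "search", dict(search_tag), "data"),
        Instance("data2", "search", dict(search_tag), "data"),
        Instance("client1", "web", dict(client_tags), "client"),
        Instance("client2", "web", dict(client_tags), "client"),
        Instance("client3", "web", dict(client_tags), "client"),
        Instance("client4", "job", dict(client_tags), "client"),
    ]
    all_sgs = ("search", "web", "job")
    groups = {
        # Search group permits 9300 from search, web and job, as in the post.
        "search": SecurityGroup("search", {(sg, TRANSPORT_PORT) for sg in all_sgs}),
        "web": SecurityGroup("web"),   # no 9300 ingress
        "job": SecurityGroup("job"),   # no 9300 ingress
    }
    if open_transport_everywhere:
        for g in groups.values():
            g.ingress |= {(sg, TRANSPORT_PORT) for sg in all_sgs}
    return instances, groups


if __name__ == "__main__":
    for label, kwargs in [
        ("all instances tagged, 9300 closed on web/job", dict(tag_clients=True)),
        ("only data nodes tagged", dict(tag_clients=False)),
        ("all tagged, 9300 open between all groups",
         dict(tag_clients=True, open_transport_everywhere=True)),
    ]:
        problems = audit(*poster_setup(**kwargs))
        print(f"{label}: {len(problems)} unreachable ping pairs")
        for src, dst in problems[:3]:
            print(f"  {src} -> {dst} blocked on {TRANSPORT_PORT}")
```

With every instance tagged and 9300 closed on the web and job groups, the audit reports 20 blocked pairs: every discovered node, data nodes included, will try to ping the four clients and be rejected. Removing the tag from the client instances drops the clients out of discovery and leaves only the two data-to-data pairs, both permitted. Keeping the tags is also consistent, but only if each tagged instance's group accepts 9300 from the groups of all other tagged instances, which is the trade-off the post is asking about.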
