Anton Keen, 2017-12-01 16:43:51
Amazon Web Services

How do I set up a Windows "local" network on Amazon AWS?

I can't figure out how to set up a security group within the same zone so that the machines can see each other in the Windows "local network".
Given:
- 2+ "slave" instances
- 1 "master" instance with file storage
- all within the same zone (for example, us-east-1a)
The slaves need to be able to reach and see the master's network storage, and the MongoDB database on it (port 27100, it seems).
I guess the problem lies in incorrect security group settings, but I don't have enough skill to understand exactly what to open.


1 answer
Eugene (@yellowmew), 2017-12-01

First, check that your instances can see each other at all:
Open all ports with ingress rules from the slaves (say, security group sg-slave) to the master (say, security group sg-master) and vice versa.
Make sure everyone sees everything and access works.
Then remove that rule and start opening specific ports.
1. In the egress rules, leave only allow 0.0.0.0/0 on all ports (if your instance needs to reach Internet resources) or allow the VPC CIDR on all ports (if your instance does not go to the Internet and lives only inside the VPC).
2. Configure all other rules through ingress only. You need access from the slave to the master on port 27100, so in the ingress rules of sg-master you allow sg-slave access on port 27100.
3. The ports of services like Mongo are generally known. It is harder with Windows system ports (which are required for many Windows services, such as a file share).
Open the ports you already know about right away, using the reference here.
Select the services that should be provided to the slave machines from the master and/or vice versa from the slave to the master.
4. Opened everything to a minimum, unclear what else to open, and nothing works? Enable flow logs (read the AWS documentation) on the subnets where your instances run, with the filter set to rejected traffic.
Look at where your machines are trying to go, check which ports they want, open them if necessary, and so on until everything works.
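As an added example (not code from the post or from the answer's author), the rules from steps 1-2 expressed in the `IpPermissions` shape that boto3's `authorize_security_group_ingress` / `authorize_security_group_egress` take, plus the step-4 check: parse default-format (version 2) VPC flow log records, keep only `REJECT` entries aimed at the master, and turn them into security-group-referencing ingress rules. The flow log lines, the addresses 10.0.1.5 / 10.0.1.10 / 10.0.1.11, the group ID `sg-slave` and port 27100 (taken from the question; MongoDB's actual default is 27017) are constructed assumptions. The sample deliberately includes a rejected RDP attempt from an outside address so that `suggest_rules` shows why you map rejects back to known security groups instead of opening whatever the log shows.

```python
"""Hypothetical helper for locking down an AWS master/slave security group pair.
Example code, not from the original post. Instance IPs, ENI, account ID and
security-group IDs below are assumptions; nothing here calls AWS."""
from collections import Counter
from typing import Dict, List, Tuple

PROTO_NAMES = {"1": "icmp", "6": "tcp", "17": "udp"}

# Constructed default-format (version 2) VPC flow log records; field order:
# version account eni src dst srcport dstport proto packets bytes start end action status
SAMPLE_FLOW_LOG = """
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.1.5 49152 445 6 3 180 1512146000 1512146060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.11 10.0.1.5 49200 445 6 2 120 1512146000 1512146060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.1.5 49153 27100 6 5 300 1512146000 1512146060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f60001 10.0.1.10 10.0.1.5 49154 135 6 1 60 1512146000 1512146060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f60001 198.51.100.7 10.0.1.5 51000 3389 6 4 240 1512146000 1512146060 REJECT OK
"""

# Assumed mapping: which instance private IP belongs to which security group.
SLAVE_SG = {"10.0.1.10": "sg-slave", "10.0.1.11": "sg-slave"}
MASTER_IP = "10.0.1.5"


def sg_ingress_rule(port: int, source_sg: str, proto: str = "tcp") -> dict:
    """One IpPermissions entry: `port` reachable only from members of `source_sg`
    (step 2 of the answer: reference the group, not an IP range)."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_sg}]}


def sg_egress_rule(cidr: str) -> dict:
    """Step 1: a single all-ports egress entry, 0.0.0.0/0 for Internet-bound
    instances or the VPC CIDR for instances that only talk inside the VPC."""
    return {"IpProtocol": "-1", "IpRanges": [{"CidrIp": cidr}]}


def master_ingress(slave_sg: str) -> List[dict]:
    """Known ports from step 3: the Mongo port named in the question and SMB (TCP 445)."""
    return [sg_ingress_rule(27100, slave_sg), sg_ingress_rule(445, slave_sg)]


def rejected_flows(flow_log: str) -> Counter:
    """Step 4: count REJECT records by (src, dst, proto, dstport)."""
    hits: Counter = Counter()
    for line in flow_log.strip().splitlines():
        f = line.split()
        if len(f) < 14 or f[0] != "2" or f[12] != "REJECT":
            continue  # skip ACCEPT, NODATA/SKIPDATA and non-v2 lines
        hits[(f[3], f[4], PROTO_NAMES.get(f[7], f[7]), int(f[6]))] += 1
    return hits


def suggest_rules(rejects: Counter, sg_for_ip: Dict[str, str], master_ip: str) -> List[dict]:
    """Turn rejects aimed at the master from *known* slave IPs into ingress rules.
    Anything from an address we cannot map to a security group is ignored."""
    rules, seen = [], set()
    for (src, dst, proto, port), _count in rejects.most_common():
        if dst != master_ip or src not in sg_for_ip or proto not in ("tcp", "udp"):
            continue
        key: Tuple[str, int, str] = (proto, port, sg_for_ip[src])
        if key in seen:
            continue
        seen.add(key)
        rules.append(sg_ingress_rule(port, sg_for_ip[src], proto))
    return rules


if __name__ == "__main__":
    for rule in suggest_rules(rejected_flows(SAMPLE_FLOW_LOG), SLAVE_SG, MASTER_IP):
        print(rule)
```

Running the block prints two rules for sg-master (TCP 445 and TCP 135 from sg-slave); the rejected 3389 probe from 198.51.100.7 is left closed because that address is not a slave. The same REJECT-only view is what you get when the flow log itself is created with `--traffic-type REJECT`.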
