Did you try to connect to node1's public or private address? As mentioned in the documentation:
When you specify a security group as the source or destination for a rule, the rule affects all instances associated with the security group. For example, incoming traffic is allowed based on the private IP addresses of the instances that are associated with the source security group.
I've been a victim of this problem before while trying to connect to an EC2 instance's public address; it sounds quite similar to your setup, actually.
When you connect the inbound rule so that a source is a security group, you must communicate with the source instance's private address.
Some things to be aware of:
In EC2 Classic, private IP addresses can change on stop/start of an EC2 instance. If you're using EC2 Classic, you may want to look into this discussion on Elastic DNS Names for a more static addressing solution.
If you set up your environment in VPC, private IP addresses are static. You can also change security group membership of running instances.
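The behaviour described in this answer, as an added example that is not part of the original post: a simplified Python model of how a rule whose source is a security group gets matched. The group names, the second node, the port and all IP addresses are constructed for illustration, and the model assumes that traffic sent to a public address arrives from the sender's public address.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Instance:
    name: str
    private_ip: str
    public_ip: str
    groups: frozenset  # security groups the instance belongs to

@dataclass(frozen=True)
class Rule:
    port: int
    source_group: str  # the rule's source is a security group, not a CIDR

def observed_source_ip(sender, dest_ip, fleet):
    """Return (destination instance, source address the destination sees).
    Assumption of this model: traffic to a public address arrives from the
    sender's public IP; traffic to a private address keeps the private IP."""
    dest = next(i for i in fleet if dest_ip in (i.private_ip, i.public_ip))
    via_public = dest_ip == dest.public_ip
    return dest, (sender.public_ip if via_public else sender.private_ip)

def is_allowed(sender, dest_ip, port, fleet, rules_by_group):
    """Evaluate the inbound rules of the destination's security groups."""
    dest, src_ip = observed_source_ip(sender, dest_ip, fleet)
    for group in dest.groups:
        for rule in rules_by_group.get(group, []):
            if rule.port != port:
                continue
            # A security-group source resolves to the PRIVATE addresses
            # of the instances associated with that group.
            members = {i.private_ip for i in fleet if rule.source_group in i.groups}
            if src_ip in members:
                return True
    return False

# Constructed sample environment (hypothetical names and addresses).
NODE1 = Instance("node1", "10.0.0.10", "203.0.113.10", frozenset({"sg-db"}))
NODE2 = Instance("node2", "10.0.0.20", "203.0.113.20", frozenset({"sg-app"}))
FLEET = [NODE1, NODE2]
RULES = {"sg-db": [Rule(port=5432, source_group="sg-app")]}

if __name__ == "__main__":
    for label, ip in (("private", NODE1.private_ip), ("public", NODE1.public_ip)):
        ok = is_allowed(NODE2, ip, 5432, FLEET, RULES)
        print(f"node2 -> node1 ({label} {ip}): {'allowed' if ok else 'blocked'}")
```
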