Deep Dive into AWS Security Group


AWS Security Group acts as a firewall for your AWS resources. Please be aware that security groups are applied at the network interface, and you can assign one or more security groups to a network interface. For example, you can control the inbound and outbound traffic of your EC2 instance with a security group.

Security Group Rules

Security Group rules allow you to control your instances’ inbound and outbound traffic. There are two types of rules:

Inbound Rules: Allow you to control ingress traffic to your resources. Information that you need to provide for the inbound rule:

| Type | Protocol | Port Range | Source | Description |
| --- | --- | --- | --- | --- |
| Type of traffic | Protocol will be automatically selected as per your type. Unless custom protocol is selected | Network Port | IP/CIDR/Security Group | |

Please find an example inbound rule where I have provided SSH access to the internal team:

| Type | Protocol | Port Range | Source | Description |
| --- | --- | --- | --- | --- |
| SSH | TCP | 22 | 192.168.0.0/24 | internal access |

Outbound Rules: Allow you to control the egress traffic from the instance. Information that you need to provide for the outbound rule:

| Type | Protocol | Port Range | Destination | Description |
| --- | --- | --- | --- | --- |
| Type of traffic | Protocol will be automatically selected as per your type. Unless custom protocol is selected | Network Port | IP/CIDR/Security Group | |

Please find an example outbound rule where I have allowed all outbound traffic:

| Type | Protocol | Port Range | Destination | Description |
| --- | --- | --- | --- | --- |
| All Traffic | all | all | 0.0.0.0/0 | Allow all outbound traffic |

Please be aware that the security group is stateful, which means return traffic is automatically allowed regardless of any rule. You don’t need to configure an outbound rule for return traffic. For example, if you configure SSH access to a resource with an inbound rule, the responses to those SSH connections are allowed out without a matching outbound rule.

How Security Groups are different from NACL

| Security Group | NACL |
| --- | --- |
| Applied at the instance level (ENI) | Applied at Subnet Level |
| You can only specify allow rules but if you don’t specify any rules then nothing is allowed. | You can specify both allow and deny rules. |
| Evaluate all rules before allowing traffic. | AWS evaluates rules with the Numeric rule number. Starting with the lowest number. |
| Resources can use multiple security groups. All security group rules will be evaluated. | A subnet can only have one NACL associated with it. However, the same NACL can be used with multiple subnets. |
| Stateful: Return traffic is automatically allowed regardless of any rule. | Stateless: Return traffic must be explicitly allowed by rules. |
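
The evaluation differences in the comparison above can be modelled in a few lines of Python. This is an added example, not code from the original article or from AWS: it is a simplified model that handles CIDR sources only, and the rule dictionaries, function names and sample rules are constructed for illustration.

```python
from ipaddress import ip_address, ip_network

def matches(rule, proto, port, peer):
    """True if the rule's protocol, port range and CIDR cover the packet."""
    lo, hi = rule["ports"]
    return (rule["proto"] in ("all", proto) and lo <= port <= hi
            and ip_address(peer) in ip_network(rule["cidr"]))

def sg_allows(rules, proto, port, peer):
    """Security group: allow rules only, all evaluated, otherwise denied."""
    return any(matches(r, proto, port, peer) for r in rules)

def nacl_allows(rules, proto, port, peer):
    """NACL: lowest rule number first; the first matching rule decides."""
    for r in sorted(rules, key=lambda r: r["num"]):
        if matches(r, proto, port, peer):
            return r["action"] == "allow"
    return False  # nothing matched: denied

def sg_session(inbound, outbound, proto, port, client, client_port):
    """Stateful: the reply to an allowed inbound request needs no outbound rule,
    so `outbound` and `client_port` are deliberately never consulted."""
    return sg_allows(inbound, proto, port, client)

def nacl_session(inbound, outbound, proto, port, client, client_port):
    """Stateless: the request and its reply are checked independently."""
    return (nacl_allows(inbound, proto, port, client)
            and nacl_allows(outbound, proto, client_port, client))

# Constructed sample rules, modelled on the SSH inbound rule shown earlier.
SG_IN = [{"proto": "tcp", "ports": (22, 22), "cidr": "192.168.0.0/24"}]
SG_OUT = []  # no outbound rules at all
NACL_IN = [
    {"num": 90, "action": "deny", "proto": "tcp", "ports": (22, 22),
     "cidr": "192.168.0.13/32"},
    {"num": 100, "action": "allow", "proto": "tcp", "ports": (22, 22),
     "cidr": "192.168.0.0/24"},
]
NACL_OUT_REPLY = [{"num": 100, "action": "allow", "proto": "tcp",
                   "ports": (1024, 65535), "cidr": "192.168.0.0/24"}]

if __name__ == "__main__":
    ssh = ("tcp", 22, "192.168.0.10", 50000)  # client source port 50000
    print("SG, no outbound rule:    ", sg_session(SG_IN, SG_OUT, *ssh))
    print("NACL, no outbound rule:  ", nacl_session(NACL_IN, [], *ssh))
    print("NACL, reply ports opened:", nacl_session(NACL_IN, NACL_OUT_REPLY, *ssh))
    print("NACL, denied by rule 90: ",
          nacl_session(NACL_IN, NACL_OUT_REPLY, "tcp", 22, "192.168.0.13", 50000))
```

The same inbound SSH rule is enough for the security group, while the NACL also needs an outbound rule covering the client's source port, and its lower-numbered deny rule wins over the later allow.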

A few important points on Security Group before we move forward

  • Security Group is a VPC level resource. When you create a security group, you will have to specify the VPC name in which it will exist. Security Group can be used in any subnet inside the VPC.
  • You can create up to 2500 security groups inside a region.
  • You can apply the same Security group to multiple EC2 instances. For example, you want numerous web server machines to use the same security group.
  • Security Group is required to deploy an EC2 instance. If you don’t have any Security group, AWS allows you to create a new Security Group while creating an EC2 instance.
  • You can configure 60 inbound and 60 outbound rules for each security group.

Default and Custom Security Group

Default Security Group: Whenever you create a VPC inside your account, there will be one default security group created and attached to that VPC. The default security group comes with one inbound and one outbound rule. However, if you want, you can edit the inbound and outbound rules.

If you try to create an EC2 resource through the UI inside a VPC, AWS will allow you to choose this default security group or you can create a new security group while creating an EC2 instance.


Default security group inbound rule allows all traffic from instances inside the same security group.

| Type | Protocol | Port Range | Source |
| --- | --- | --- | --- |
| All Traffic | all | all | Default security group ID |


Default security group outbound rule allows all outbound traffic from the instance.

| Type | Protocol | Port Range | Destination |
| --- | --- | --- | --- |
| All Traffic | all | all | 0.0.0.0/0 |

Custom Security Group: If you don’t want your instances to use the default security group, or you have a requirement to use multiple security groups, then you can create your own security groups and specify them when you launch your resources.

There are two default rules for a new security group:

  • Allow all outbound traffic
  • Block all inbound traffic