Security Groups (VPC SG)

  1. Security Groups are virtual firewalls at the instance level
  2. SGs only ALLOW traffic, so remember this with the acronym SAG (security allow groups)
  3. One or more security groups can be assigned to an EC2 instance
    1. When more than one SG is assigned to an EC2 instance, all the rules (ALLOW) are aggregated
    2. SGs can’t be assigned to subnets or VPCs
  4. Security Groups belong to a VPC. They can’t be shared across VPCs
  5. Traffic
    1. SG rules (IOACPS)
      1. rule is either Inbound or Outbound
      2. rule can specify ALLOW  only
      3. inbound rule has source CIDR/SG; outbound rule has destination CIDR/SG/PrefixListID
    2. Rules will only ALLOW traffic. No DENY rules.
    3. Provide type, protocol/port (for example RDP 3389, MySQL/Aurora 3306), and source (inbound) or destination (outbound) for allowed traffic
    4. In default VPC, the default SG has two rules
      1. All inbound traffic is allowed from within the same SG (rule 1)
      2. No inbound traffic is allowed from outside (no rule)
      3. outbound traffic to all destinations is ALLOWED (rule 2: All Traffic, all protocols, all ports)
    5. When you create a new SG, one rule is automatically created
      1. No inbound traffic is allowed from outside (no rule)
      2. outbound traffic to all destinations is ALLOWED
  6. SGs are stateful (unlike Network ACLs), meaning if a protocol (say HTTP) is allowed inbound, then when a request comes in, the corresponding reply packets are allowed outbound irrespective of outbound rules, thus maintaining state.
  7. Any changes to SGs are effective immediately. No need to stop/start the EC2 instance
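The three properties above (ALLOW-only rules, aggregation of several SGs on one instance, and stateful reply handling) can be checked with a small evaluator. This is an added illustration, not AWS code or code from the original notes; the group names, CIDRs and packets are constructed samples.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One ALLOW rule; security groups have no DENY rules at all."""
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int   # 0..65535 covers all ports
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)


# Constructed sample groups (hypothetical names), following the notes above.
WEB_SG = [Rule("inbound", "tcp", 80, 80, "0.0.0.0/0"),
          Rule("outbound", "-1", 0, 65535, "0.0.0.0/0")]  # the auto-created outbound rule
ADMIN_SG = [Rule("inbound", "tcp", 3389, 3389, "10.0.0.0/8")]  # RDP from a private range only


def aggregate(*groups):
    """Several SGs on one instance: their ALLOW rules are simply unioned."""
    return [rule for group in groups for rule in group]


def rule_matches(rule, direction, protocol, port, peer_ip):
    return (rule.direction == direction
            and rule.protocol in ("-1", protocol)
            and rule.port_from <= port <= rule.port_to
            and ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.cidr))


class StatefulSG:
    """Evaluates packets against aggregated rules and remembers allowed flows."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (protocol, local_port, peer_ip, peer_port) already allowed

    def allows(self, direction, protocol, local_port, peer_ip, peer_port):
        flow = (protocol, local_port, peer_ip, peer_port)
        # Stateful: traffic of an already-allowed flow passes in the other direction
        # regardless of the rules written for that direction.
        if flow in self.flows:
            return True
        # Inbound rules match the instance's port; outbound rules match the peer's port.
        port = local_port if direction == "inbound" else peer_port
        if any(rule_matches(r, direction, protocol, port, peer_ip) for r in self.rules):
            self.flows.add(flow)
            return True
        return False  # no ALLOW matched: implicit deny, since DENY rules cannot be written
```

Running `StatefulSG(ADMIN_SG)`, which has no outbound rule, shows the stateful behaviour: the reply to an allowed RDP connection is passed outbound, while a new outbound connection from the instance is not.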