Security Groups
In this article, we will learn the concepts of security groups in AWS.
What are Security Groups?
A security group functions as a virtual firewall, controlling the traffic that is allowed to reach and leave the resources it is associated with. When you associate a security group with an EC2 instance, for example, it controls the instance’s inbound and outbound traffic. A default security group is created when you create a VPC, and you can create multiple security groups for each VPC.
Further, a security group can only be associated with resources in the VPC for which it was created. For each security group, you create rules that govern traffic based on protocols and port numbers. Inbound and outbound traffic are governed by separate sets of rules.
Security group basics
The following are the characteristics of security groups:
- You must give a security group a name and a description when you create it. The following rules apply:
  - Within the VPC, a security group name must be unique.
  - Names and descriptions are limited to 255 characters.
  - Names and descriptions can contain only the following characters: a-z, A-Z, 0-9, spaces, and the punctuation characters . - : / ( ) # , @ [ ] + = & ; ! $ *
  - Trailing spaces are trimmed from the name. For example, if you type “Test Security Group ” (with a trailing space) in the name field, it is saved as “Test Security Group”.
  - A security group’s name cannot begin with sg-.
- Security groups are stateful. If you send a request from an instance, for example, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Likewise, responses to allowed inbound traffic are allowed to leave the instance regardless of the outbound rules.
Characteristics of security group rules:
- Allow rules can be specified, but not deny rules.
- There are no incoming rules when you initially create a security group. As a result, no incoming traffic is permitted until inbound rules are added to the security group.
- A security group’s outbound rule enables all outgoing traffic from the resource when it’s first created. You can delete the rule and replace it with outgoing rules that only allow certain types of outbound traffic. No outbound traffic is allowed if your security group has no outbound rules.
- When you link several security groups to a resource, the rules from each security group are combined to generate a single set of rules that is used to decide whether or not to provide access.
- When you add, update, or remove rules, your changes are automatically applied to all resources associated with the security group. The effect of some rule changes can depend on how the traffic is tracked.
- AWS gives a unique ID to each security group rule when you create one. When you use the API or CLI to change or delete a rule, you can utilise the ID.
Default rules for a default security group
| Source/Destination | Protocol | Port Range | Comments |
|---|---|---|---|
| Inbound – The security group ID (sg-xxxxxxxx) | All | All | Allow inbound traffic from instances assigned to the same security group. |
| Outbound – 0.0.0.0/0 | All | All | Allow all outbound IPv4 traffic. |
| Outbound – ::/0 | All | All | Allow all outbound IPv6 traffic. This rule is added by default if you create a VPC with an IPv6 CIDR block or if you associate an IPv6 CIDR block with an existing VPC. |
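As an added illustration (not code from this page or from AWS), the following Python model applies the characteristics above and the default group's rules to sample traffic: allow-only rules, stateful replies, the union of rules across several attached groups, and the effect of replacing a new group's allow-all outbound rule. The group IDs, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
@dataclass(frozen=True)
class Rule:                      # allow rule only: security groups have no deny rules
    protocol: str                # "tcp", "udp", "icmp" or "-1" for all protocols
    port: int = -1               # single port, -1 for all ports (port ranges left out here)
    cidr: str = None             # peer CIDR range, or None when sg_ref is used instead
    sg_ref: str = None           # peer security group ID (the default group references itself)
    def matches(self, protocol, port, peer_ip, peer_sgs):
        if self.protocol not in ("-1", protocol) or self.port not in (-1, port):
            return False
        if self.sg_ref is not None:
            return self.sg_ref in peer_sgs
        return ip_address(peer_ip) in ip_network(self.cidr)   # IPv4 vs IPv6 mismatch is False

@dataclass
class SecurityGroup:
    sg_id: str
    ingress: list = field(default_factory=list)    # a new group starts with no inbound rules
    egress: list = field(default_factory=lambda: [Rule("-1", cidr="0.0.0.0/0")])

def default_security_group(sg_id):   # the VPC default group from the table (IPv6 ::/0 row omitted)
    return SecurityGroup(sg_id, ingress=[Rule("-1", sg_ref=sg_id)])

class Instance:
    def __init__(self, *groups):
        self.groups, self.flows = groups, set()    # attached groups (rules unioned); allowed flows
    def _check(self, direction, protocol, local_port, peer_ip, peer_port, rule_port, peer_sgs):
        key = (protocol, local_port, peer_ip, peer_port)   # stateful: remembered flows always pass
        rules = [r for g in self.groups for r in getattr(g, direction)]   # union across groups
        if key in self.flows or any(r.matches(protocol, rule_port, peer_ip, peer_sgs) for r in rules):
            self.flows.add(key)
            return True
        return False   # no allow rule matched, so the traffic is dropped
    def inbound(self, protocol, dst_port, src_ip, src_port, src_sgs=()):
        return self._check("ingress", protocol, dst_port, src_ip, src_port, dst_port, src_sgs)
    def outbound(self, protocol, dst_ip, dst_port, src_port, dst_sgs=()):
        return self._check("egress", protocol, src_port, dst_ip, dst_port, dst_port, dst_sgs)

def demo():   # constructed sample: a web group plus the VPC default group on one instance
    web = SecurityGroup("sg-web", ingress=[Rule("tcp", 443, cidr="0.0.0.0/0")])
    host = Instance(web, default_security_group("sg-default"))
    out = {"https_in": host.inbound("tcp", 443, "198.51.100.7", 51000),       # allowed by sg-web
           "ssh_in": host.inbound("tcp", 22, "198.51.100.7", 51001),          # no allow rule: dropped
           "dns_out": host.outbound("udp", "203.0.113.53", 53, 40000),        # default egress rule
           "dns_reply_in": host.inbound("udp", 40000, "203.0.113.53", 53),    # stateful reply
           "peer_in": host.inbound("tcp", 8080, "10.0.0.9", 52000, {"sg-default"})}  # union
    web.egress, host.groups = [Rule("tcp", 443, cidr="0.0.0.0/0")], (web,)   # restrict outbound
    out["ssh_out_restricted"] = host.outbound("tcp", "203.0.113.9", 22, 40001)   # now dropped
    return out
```

Note that the model also shows why "no outbound rules" means no outbound traffic: an empty egress list leaves nothing for a new flow to match.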
Security Group Rules
The rules of a security group control the inbound traffic that is allowed to reach the resources associated with the security group. The rules also control the outbound traffic that is allowed to leave them. You can add or remove rules for a security group (also referred to as authorizing or revoking inbound or outbound access). A rule applies to either inbound (ingress) traffic or outbound (egress) traffic. You can grant access to a specific CIDR range, to another security group in your VPC, or to a security group in a peer VPC (requires a VPC peering connection).
Create a security group
New security groups are created with only an outbound rule, which allows all traffic to leave the resource by default. You must add rules to allow any inbound traffic or to restrict outbound traffic. A security group can only be used in the VPC it was created for.
To create a security group using the console
- Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
- In the navigation pane, choose Security Groups.
- Choose Create security group.
- Enter a name and description for the security group. You cannot change the name and description of a security group after it is created.
- From VPC, choose the VPC.
- You can add security group rules now, or you can add them later.
- You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.
- Choose Create security group.