Azure for AWS professionals - Networking - AWS - 05 Security Groups@20aman Oct 06, 2019
Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index
Security Groups are another security feature in AWS Virtual Private Clouds (VPCs). It is like a firewall that restricts the traffic at the EC2 instance level. These are applied to the EC2 instances. Once the traffic is filtered by the Network ACLs at the subnet level, it is then filtered further by the security group.
NOTE: All the traffic is automatically denied in a Security Group. Only the traffic defined in a security group is allowed to EC2 instances.
To access the security groups, navigate to the VPC section in AWS and then click on the "Security Groups" option in the Security menu on the left. You can view all your security groups here. Select one and view its properties in the bottom panel. These properties include Description, Inbound rules, Outbound rules, and Tags. You can either right-click on the security group or click on the Actions button to view the action that you can take on this security group. The key actions we are interested in includes:
- Edit Inbound rules
- Edit Outbound rules
"Edit Inbound rules" option is to edit the inbound rules. These govern what traffic will be allowed coming into the EC2 instances. Each rule contains:
- Type - this determines the protocol or type of traffic. You have loads of pre-defined types, or you can add a custom option from the list
- Protocol - this is determined by the type
- Port Range - this is also dependent on the type selected. For pre-defined types, this is auto-populated. For custom type, you can define a custom port range.
- Source - this is the place from where the communication will originate (that is coming into the associated subnet). You can have source as Anywhere or can define a custom IP address range via a CIDR
- Description - description of the rule.
"Edit Outbound rules" option is to edit the outbound rules. These govern what traffic will be allowed coming out of the EC2 instance. These rules are very similar to the inbound rules. The only difference is that now the traffic is originating from the EC2 instance and is going outbound. Hence we need to specify a Destination (instead of a Source) while defining the outbound rules.
Please Note that just like for Network ACLs, in a Security Group the address "0.0.0.0/0" means all IP addresses. This can be used for Source in inbound rules or Destination for outbound rules if the exact IP address or IP address range is unknown. Although this should be used with caution. As a best practice, this should be avoided at all costs and should be replaced with as small IP address ranges as possible.