What are Security Groups?
A Security Group in AWS acts like a virtual firewall that controls inbound and outbound traffic for your EC2 instances and other supported services (like RDS, Lambda with VPC, etc.).
Security Groups define who can access your instance and on which ports.
Key Features
| Feature | Description |
|---|---|
| Stateful | If you allow inbound traffic, response is auto-allowed |
| Attached to Instances | Applied at the instance level, not subnet |
| VPC-bound | Security Groups are scoped to a single VPC |
| Allow Rules Only | You can't write explicit deny rules, only allow rules; anything not allowed is implicitly denied |
Traffic Rules
| Rule Type | What It Does | Example |
|---|---|---|
| Inbound | Defines who can connect to your instance | Allow SSH from your IP |
| Outbound | Defines where your instance can connect | Allow all traffic to internet |
Common Use Cases
| Use Case | Inbound Rule |
|---|---|
| SSH Access | Port 22 from your-IP/32 |
| HTTP Web Server | Port 80 from 0.0.0.0/0 (anywhere) |
| HTTPS (SSL) Web Server | Port 443 from 0.0.0.0/0 |
| MySQL DB Access | Port 3306 from specific private IP range |
How to Configure (AWS Console)
- Go to VPC → Security Groups
- Create or edit a security group
- Add inbound rules (type, port, source)
- Add outbound rules (default: all allowed)
- Attach the security group to EC2 instance(s)
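The same five steps done from code rather than the console, as an added example written for this page (not AWS's own code). It assumes boto3 is installed and credentials are configured; the VPC id, admin IP and private DB range in the `__main__` section are constructed placeholders. The rules mirror the use-case table above, and a small hygiene check refuses to create a group that exposes SSH or MySQL to the whole internet:

```python
"""Create a web-tier security group with boto3 (added example, not AWS code).
Assumed: boto3 is installed and AWS credentials/region are configured."""

# Ports that should never be reachable from 0.0.0.0/0 or ::/0 (admin and DB access)
ADMIN_PORTS = {22, 3306}


def build_ingress_permissions(admin_ip, db_cidr=None):
    """Build the IpPermissions list that authorize_security_group_ingress expects.
    SSH is pinned to the admin's /32, HTTP/HTTPS are open to anywhere, and
    MySQL (if requested) is limited to the given private range."""
    def tcp(port, cidr, description):
        return {
            "IpProtocol": "tcp",
            "FromPort": port,
            "ToPort": port,
            "IpRanges": [{"CidrIp": cidr, "Description": description}],
        }

    perms = [
        tcp(22, f"{admin_ip}/32", "SSH from admin workstation"),
        tcp(80, "0.0.0.0/0", "HTTP from anywhere"),
        tcp(443, "0.0.0.0/0", "HTTPS from anywhere"),
    ]
    if db_cidr:
        perms.append(tcp(3306, db_cidr, "MySQL from private range"))
    return perms


def find_risky_rules(permissions):
    """Return (port, cidr) pairs where an admin/DB port is open to the world.
    Handles protocol "-1" (all traffic) rules, which carry no port keys."""
    risky = []
    for p in permissions:
        lo, hi = p.get("FromPort", 0), p.get("ToPort", 65535)
        world = [r["CidrIp"] for r in p.get("IpRanges", []) if r["CidrIp"] == "0.0.0.0/0"]
        world += [r["CidrIpv6"] for r in p.get("Ipv6Ranges", []) if r["CidrIpv6"] == "::/0"]
        for port in sorted(ADMIN_PORTS):
            if lo <= port <= hi:
                risky.extend((port, cidr) for cidr in world)
    return risky


def create_web_security_group(ec2, vpc_id, admin_ip, db_cidr=None, name="web-sg"):
    """ec2 is a boto3 EC2 client. Creates the group, adds the inbound rules and
    returns the new GroupId. Outbound is left at the default allow-all, exactly
    as the console does when you skip step 4."""
    perms = build_ingress_permissions(admin_ip, db_cidr)
    if find_risky_rules(perms):
        raise ValueError("refusing to open an admin/DB port to the world")
    resp = ec2.create_security_group(GroupName=name, Description="web tier", VpcId=vpc_id)
    group_id = resp["GroupId"]
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=perms)
    return group_id


if __name__ == "__main__":
    import boto3  # imported here so the helpers above work without boto3 present

    client = boto3.client("ec2", region_name="us-east-1")
    # Placeholder values (constructed): replace with your VPC, your public IP and your app subnet range
    print(create_web_security_group(client, "vpc-0123456789abcdef0", "203.0.113.10", "10.0.0.0/16"))
```

Attaching the group to an instance (step 5) is a separate call on the instance, `modify_instance_attribute` with the `Groups` parameter, or passing `SecurityGroupIds` at launch; the group itself only needs to exist in the instance's VPC.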
Stateful Behavior Example
If you allow:
Inbound: HTTP (80) from 0.0.0.0/0
Then AWS automatically allows:
Outbound: the response traffic back to the client that made the request
You don't need to manually add an outbound rule for the response.
Security Groups vs NACLs
| Feature | Security Group | Network ACL |
|---|---|---|
| Scope | Instance-level | Subnet-level |
| Rules | Allow only | Allow and Deny |
| Stateful? | Yes | No |
| Use Case | App-level access control | Broad subnet-based filtering |
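The stateful example and the table above can be seen side by side in a small model of how the two filters decide on a packet. This is an added illustration written for this page, not AWS code: the `SecurityGroup` and `NetworkACL` classes, the `Packet` and `Rule` types and the client addresses are all constructed here. The security group tracks flows it has allowed, so the HTTP reply to the client's ephemeral port passes with no outbound rule; the NACL checks every packet on its own, so the same reply is dropped until an outbound rule for the ephemeral port range exists. The NACL model also shows the one thing a security group cannot express, an explicit deny:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out", relative to the instance
    proto: str          # "tcp" or "udp"
    remote_ip: str      # the other end of the connection
    remote_port: int
    local_port: int


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str          # "tcp", "udp" or "-1" for all
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"   # NACLs may also say "deny"; SGs are allow-only
    number: int = 0         # NACL rule number, evaluated lowest first


def _matches(rule, pkt):
    # Rule ports refer to the destination: the local port for inbound
    # packets, the remote port for outbound packets.
    port = pkt.local_port if pkt.direction == "in" else pkt.remote_port
    return (rule.direction == pkt.direction
            and rule.proto in (pkt.proto, "-1")
            and rule.port_from <= port <= rule.port_to
            and ip_address(pkt.remote_ip) in ip_network(rule.cidr))


class SecurityGroup:
    """Stateful and allow-only: a packet passes if a rule allows it or if it
    belongs to a flow that was already allowed; everything else is dropped."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups cannot contain deny rules")
        self.rules = list(rules)
        self._tracked = set()   # connection tracking: flows admitted so far

    def evaluate(self, pkt):
        flow = (pkt.proto, pkt.remote_ip, pkt.remote_port, pkt.local_port)
        if flow in self._tracked:
            return True                     # reply to an allowed flow
        if any(_matches(r, pkt) for r in self.rules):
            self._tracked.add(flow)
            return True
        return False                        # implicit deny


class NetworkACL:
    """Stateless: every packet, replies included, is checked against the
    numbered rules in ascending order; first match wins; no match is a deny."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if _matches(r, pkt):
                return r.action == "allow"
        return False


def web_server_demo():
    """HTTP request from a constructed client 198.51.100.7:51515 to port 80.
    Returns (sg_request, sg_reply, nacl_request, nacl_reply)."""
    request = Packet("in", "tcp", "198.51.100.7", 51515, 80)
    reply = Packet("out", "tcp", "198.51.100.7", 51515, 80)

    sg = SecurityGroup([Rule("in", "tcp", 80, 80, "0.0.0.0/0")])
    sg_request, sg_reply = sg.evaluate(request), sg.evaluate(reply)

    nacl = NetworkACL([Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100)])
    nacl_request, nacl_reply = nacl.evaluate(request), nacl.evaluate(reply)
    return sg_request, sg_reply, nacl_request, nacl_reply


def nacl_with_deny_demo():
    """What only a NACL can do: deny one constructed source (203.0.113.9) while
    allowing the rest, and admit replies by opening the ephemeral range outbound.
    Returns (blocked_request, allowed_request, allowed_reply)."""
    nacl = NetworkACL([
        Rule("in", "tcp", 80, 80, "203.0.113.9/32", action="deny", number=50),
        Rule("in", "tcp", 80, 80, "0.0.0.0/0", number=100),
        Rule("out", "tcp", 1024, 65535, "0.0.0.0/0", number=100),
    ])
    blocked = nacl.evaluate(Packet("in", "tcp", "203.0.113.9", 40000, 80))
    allowed = nacl.evaluate(Packet("in", "tcp", "198.51.100.7", 51515, 80))
    reply = nacl.evaluate(Packet("out", "tcp", "198.51.100.7", 51515, 80))
    return blocked, allowed, reply
```

`web_server_demo()` returns `(True, True, True, False)`: the security group admits the reply on the strength of the tracked request, the NACL does not. `nacl_with_deny_demo()` returns `(False, True, True)` once the outbound ephemeral-port rule is present, which is why a real NACL for a web subnet needs an outbound allow for 1024-65535 alongside its inbound 80/443 rules.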
Summary
| Attribute | Value |
|---|---|
| Type | Virtual firewall for EC2 and other services |
| Default Behavior | Deny all inbound, allow all outbound |
| Rule Direction | Inbound and outbound (no deny rule support) |
| Security Level | Instance-specific |