I am sure that while working on security groups, we do ponder about firewalls and rules, i.e. allowing or denying traffic with hardware or software firewalls. In AWS, security groups are similar to NACLs in that both allow or deny traffic based on rules, with the caveat that NACLs apply at the subnet level while security groups apply at the instance level. In AWS, then, access is allowed or denied per instance. As an example, if an instance's security group does not allow inbound HTTP traffic, nobody can reach an HTTP application hosted on that instance. This gives the flexibility to decide at the instance level whether traffic should be accepted or dropped.
- A security group acts as a virtual firewall that controls the traffic for one or more instances.
- Multiple security groups can be associated with an instance.
- We can add rules to each security group that allow traffic to or from its associated instances.
- We can modify the rules of a security group at any time; the new rules are automatically applied to all instances associated with that security group.
- NACLs evaluate rules in order from the lowest rule number to the highest; as soon as a rule matches (say rule 2 or 3), the remaining rules are ignored. Security groups instead evaluate all the rules from all the security groups associated with the instance and only then decide what to do.
Let's see how to create inbound and outbound rules in an AWS security group. When we create a new security group in AWS, all inbound traffic is denied by default and all outbound traffic is allowed by default.
- All traffic is DENIED unless there is an EXPLICIT ALLOW rule for it
- There are no DENY rules, only ALLOW rules
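To make the evaluation difference concrete (ordered first-match for NACLs versus "any allow rule wins, otherwise drop" for security groups), here is an added Python model; it is not AWS code and not part of the original article. The CIDRs, ports and rule numbers are constructed sample values, and the two security groups mirror the HTTP-from-anywhere and SSH-from-one-subnet rules built later in the article.

```python
"""Model of AWS rule evaluation: NACLs (ordered, first match wins) versus
security groups (all allow rules considered; anything unmatched is dropped).
All CIDRs, ports and rule numbers are constructed sample values."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "-1" (all protocols)
    port: Optional[int]    # None means all ports
    cidr: str              # source CIDR for an inbound rule
    action: str = "allow"  # NACLs may "deny"; security groups only "allow"
    number: int = 0        # NACL rule number; ignored for security groups

def matches(rule, protocol, port, src_ip):
    ip_ok = ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.cidr)
    proto_ok = rule.protocol in ("-1", protocol)
    port_ok = rule.port is None or rule.port == port
    return ip_ok and proto_ok and port_ok

def nacl_allows(rules, protocol, port, src_ip):
    """NACL: walk rules by ascending number; the first match decides.
    The implicit '*' rule at the end denies anything left unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, port, src_ip):
            return rule.action == "allow"
    return False

def sg_allows(groups, protocol, port, src_ip):
    """Security groups: every rule of every attached group is considered;
    traffic is allowed if any rule allows it, otherwise implicitly dropped."""
    return any(matches(rule, protocol, port, src_ip)
               for group in groups for rule in group)

# Constructed sample groups mirroring the article's two rules.
WEB_SG = [Rule("tcp", 80, "0.0.0.0/0")]        # HTTP from anywhere
ADMIN_SG = [Rule("tcp", 22, "10.0.1.0/24")]    # SSH from one subnet only

# Constructed NACL where a low-numbered deny shadows a later, broader allow.
SUBNET_NACL = [
    Rule("tcp", 22, "10.0.1.0/24", action="deny", number=100),
    Rule("tcp", 22, "10.0.0.0/16", action="allow", number=200),
]

if __name__ == "__main__":
    print(sg_allows([WEB_SG, ADMIN_SG], "tcp", 22, "10.0.1.5"))     # True
    print(sg_allows([WEB_SG, ADMIN_SG], "tcp", 22, "203.0.113.9"))  # False
    print(nacl_allows(SUBNET_NACL, "tcp", 22, "10.0.1.5"))          # False
```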
Create a new security group. Note that AWS provides a default security group in which all inbound traffic is denied and all outbound traffic is allowed.
Add a rule allowing incoming and outgoing traffic from anywhere for HTTP only.
Then click create!!
Allow SSH for only one subnet in the VPC, for incoming and outgoing traffic.
Again click create!!
And we are done creating a sample security group in AWS. I hope the article was helpful and explained AWS-related terminology in simple words.