AWS Virtual Private Cloud: Security Groups ….. Quick Facts


A Security Group (SG) is a virtual firewall that controls traffic at the network interface (NIC, or ENI) of a virtual server (an EC2 instance running on shared physical hardware). Security Groups have separate inbound and outbound rule sets.

Security Groups are attached to the network interface of an EC2 instance, not to the subnet in which the instance resides (subnet-level filtering is the job of Network ACLs).

[Diagram: SecurityGroup2]

Up to 5 Security Groups can be attached to any NIC of a given virtual server (this is a default quota and can be raised). The Security Groups of an instance can be changed or reassigned after the instance has been launched.

The number of Security Groups per VPC is a quota (500 when this was written; the default has since been raised to 2,500 and is adjustable). Not all of them need to be attached to any NIC.

Each Security Group has a quota on the number of inbound and of outbound rules (50 when this was written, 60 today, adjustable; the product of groups-per-NIC and rules-per-group may not exceed 1,000). One Security Group can be attached to more than one NIC (Elastic Network Interface).

Security Groups are stateful: when traffic is allowed in by an inbound rule (a.k.a. ingress), the response traffic for that connection is allowed out regardless of the outbound rules (a.k.a. egress), and vice versa. In the above diagram, the circular arrows represent this connection tracking between inbound and outbound: return traffic for an allowed flow is permitted in the opposite direction without an explicit rule. Note that this covers responses only; an inbound rule does not turn into a general outbound allow.

Security Groups contain only rules that allow traffic of a certain type. AWS evaluates all rules of all Security Groups attached to the interface and lets the traffic through if any rule matches.

Every Security Group ends with an implicit "Deny All" that matches any traffic not matched by an explicit "Allow" rule. Because the deny is built in, an administrator can define only Allow rules; there is no way to write an explicit deny in a Security Group (a Network ACL is needed for that).

If no rule is defined in a Security Group, nothing is allowed to pass through.

Traffic that is outbound for one Security Group is inbound for another: for a flow from instance A to instance B, A's group must allow it outbound and B's group must allow it inbound.

A source, in the context of an inbound rule, is where the traffic comes from. It can be a single IP address written as a /32 CIDR (e.g. 172.31.73.55/32), a CIDR block (e.g. 0.0.0.0/0, meaning anywhere), a managed prefix list, or another Security Group (e.g. Secured-All-Traffic-From-HQ), in which case the rule matches any interface that group is attached to. A subnet cannot be named as a source directly, only its CIDR. The protocol (e.g. TCP) and the port (e.g. 443) are separate fields of the rule, not part of the source.

A Security Group (SG) can be a source of traffic to itself, i.e. an SG can refer to itself in its own rules.

A destination, in the context of an outbound rule, is where the traffic is going. It can be an IPv4 or IPv6 CIDR block (a single address is written as a /32 or /128; 0.0.0.0/0 means anywhere), a managed prefix list, or another Security Group (e.g. DB-Servers). The port range (e.g. 4096-65535) and the protocol are separate fields of the rule, not part of the destination.

A protocol, in the context of a Security Group, is any protocol that has a standard protocol number assigned by IANA (www.iana.org). Every rule must specify a protocol; the console offers TCP, UDP, ICMP/ICMPv6, a custom protocol number, or "All traffic" (protocol -1).

In the default Security Group of any VPC, one inbound and one outbound rule are configured by default. The inbound rule allows all traffic whose source is the same Security Group (i.e. instances in the default group can talk to each other freely). The outbound rule allows all traffic from instances in the group to any destination (0.0.0.0/0, plus ::/0 if the VPC has IPv6).

A custom Security Group has no inbound rule by default, so no incoming connection is possible until one is configured. Its outbound rule allows all traffic to anywhere from any EC2 instance in the group.

Therefore, in a nutshell, every newly created Security Group (default or custom) contains an outbound rule that allows all traffic out. For a server that only needs to reach a few known peers, tightening this rule limits what a compromised instance can connect to.
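The practical check that follows from the points above is to look, in real configuration, for inbound rules whose source is "anywhere" on sensitive ports or for all traffic, and for groups that kept the default all-traffic egress. The script below is an added example (not from this page and not AWS tooling): it parses the JSON shape that `aws ec2 describe-security-groups` returns and reports such rules. The embedded JSON is a constructed sample; group IDs, names and the list of sensitive ports are assumptions.

```python
# Added example: an offline audit of `aws ec2 describe-security-groups` output
# for world-reachable rules. Not AWS tooling; the JSON is a constructed sample
# in the shape the CLI returns (group IDs and names are hypothetical).
import json
from collections import namedtuple

Finding = namedtuple("Finding", "group_id group_name severity detail")

ANYWHERE = {"0.0.0.0/0", "::/0"}
# Ports that should never be open to the world; this list is an assumption.
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 1433: "mssql", 3306: "mysql",
               5432: "postgres", 6379: "redis", 27017: "mongodb"}

SAMPLE = json.loads("""
{"SecurityGroups": [
 {"GroupId": "sg-0a1b2c3d4e5f60001", "GroupName": "web-tier", "VpcId": "vpc-0123456789abcdef0",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
    "PrefixListIds": [], "UserIdGroupPairs": []},
   {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
    "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
    "PrefixListIds": [], "UserIdGroupPairs": []}],
  "IpPermissionsEgress": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
    "PrefixListIds": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0a1b2c3d4e5f60002", "GroupName": "db-tier", "VpcId": "vpc-0123456789abcdef0",
  "IpPermissions": [
   {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
    "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
    "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001", "UserId": "123456789012"}]}],
  "IpPermissionsEgress": [
   {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
    "IpRanges": [{"CidrIp": "10.0.0.0/16"}], "Ipv6Ranges": [],
    "PrefixListIds": [], "UserIdGroupPairs": []}]},
 {"GroupId": "sg-0a1b2c3d4e5f60003", "GroupName": "legacy-admin", "VpcId": "vpc-0123456789abcdef0",
  "IpPermissions": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
    "PrefixListIds": [], "UserIdGroupPairs": []}],
  "IpPermissionsEgress": [
   {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
    "PrefixListIds": [], "UserIdGroupPairs": []}]}
]}
""")


def _world_open(perm):
    """True if the rule's peer covers the whole IPv4 or IPv6 address space."""
    return (any(r.get("CidrIp") in ANYWHERE for r in perm.get("IpRanges", []))
            or any(r.get("CidrIpv6") in ANYWHERE for r in perm.get("Ipv6Ranges", [])))


def audit(groups):
    findings = []
    for sg in groups["SecurityGroups"]:
        gid, name = sg["GroupId"], sg["GroupName"]
        for perm in sg.get("IpPermissions", []):
            if not _world_open(perm):
                continue  # reachable only from named CIDRs, prefix lists or other groups
            proto = perm["IpProtocol"]
            if proto == "-1":  # "All traffic" rules carry no FromPort/ToPort
                findings.append(Finding(gid, name, "critical",
                                        "all protocols and ports open to the world"))
            elif proto in ("tcp", "udp"):
                lo, hi = perm["FromPort"], perm["ToPort"]
                exposed = sorted(n for p, n in ADMIN_PORTS.items() if lo <= p <= hi)
                if exposed:
                    findings.append(Finding(gid, name, "high",
                                            f"{proto} {lo}-{hi} open to the world ({', '.join(exposed)})"))
                elif hi - lo >= 1000:  # width threshold is an assumption
                    findings.append(Finding(gid, name, "medium",
                                            f"{proto} {lo}-{hi}: wide port range open to the world"))
        for perm in sg.get("IpPermissionsEgress", []):
            if perm["IpProtocol"] == "-1" and _world_open(perm):
                findings.append(Finding(gid, name, "info",
                                        "default all-traffic egress left in place"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f.severity:>8}  {f.group_id} ({f.group_name}): {f.detail}")
```

Against real data, run `aws ec2 describe-security-groups --output json > sgs.json` and call `audit(json.load(open("sgs.json")))`. Rules whose source is another Security Group (the db-tier group above) are deliberately not flagged: they are reachable only from interfaces carrying that group, which is the pattern the page recommends.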

Because Security Groups are stateful, when a Security Group allows an ICMP "Echo Request" (type 8/code 0) from 'A' to 'B', the "Echo Reply" from 'B' to 'A' is allowed back through the same connection-tracking entry without a separate rule. In general: if an inbound rule permits a request, its response is permitted outbound, and if an outbound rule permits a request, its response is permitted inbound. This covers responses only; unrelated traffic in the other direction still needs its own rule.

To enable ping between hosts (A and B) in different Security Groups (e.g. host A in SGx and host B in SGy), it is enough that SGx allows the "Echo Request" (type 8/code 0) outbound to SGy and that SGy allows it inbound with source SGx; the "Echo Reply" (type 0/code 0) is allowed by connection tracking (ICMP is always tracked). Since a custom group allows all outbound traffic by default, in practice the only rule to add is the inbound Echo Request rule in SGy with source SGx. Adding explicit rules for the Echo Reply (inbound in SGx with source SGy, outbound in SGy with destination SGx) is harmless but redundant.
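The allow-only rules with an implicit deny, the stateful handling of responses, and the ping walk-through above can be checked against a small model of the semantics. The code below is an added example written for this page (it is not AWS code and does not call AWS): two hypothetical hosts A and B in groups SGx and SGy, both groups keeping the default all-traffic outbound rule, SGy with an inbound Echo Request rule sourced from SGx and an inbound HTTPS rule from a CIDR. The host addresses, group names and flows are constructed.

```python
# Added example: a small model of Security Group semantics (allow-only rules,
# implicit deny, stateful connection tracking). This is not AWS code; the
# hosts, addresses and group names are hypothetical.
import ipaddress
from dataclasses import dataclass

ALL = "-1"  # AWS encodes "All traffic" as protocol -1


@dataclass(frozen=True)
class Rule:
    proto: str  # "tcp", "udp", "icmp" or ALL
    lo: int     # tcp/udp: first port of the range; icmp: type (-1 = any)
    hi: int     # tcp/udp: last port of the range;  icmp: code (-1 = any)
    peer: str   # source (inbound) or destination (outbound): CIDR or group name


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str    # host names, resolved through HOSTS
    dst: str
    a: int      # tcp/udp: source port;      icmp: type
    b: int      # tcp/udp: destination port; icmp: code


# Constructed topology: host A in SGx, host B in SGy.
HOSTS = {"A": ("10.0.1.10", {"SGx"}), "B": ("10.0.2.20", {"SGy"})}
ANY_OUT = Rule(ALL, -1, -1, "0.0.0.0/0")  # the default outbound rule of a new group
SGS = {
    "SGx": {"in": [], "out": [ANY_OUT]},
    "SGy": {"in": [Rule("icmp", 8, 0, "SGx"),          # echo request, source SGx
                   Rule("tcp", 443, 443, "10.0.0.0/16")],
            "out": [ANY_OUT]},
}


def _peer_matches(rule, host):
    ip, groups = HOSTS[host]
    if rule.peer in SGS:  # group reference: matches any interface in that group
        return rule.peer in groups
    return ipaddress.ip_address(ip) in ipaddress.ip_network(rule.peer)


def _rule_matches(rule, flow, peer):
    if not _peer_matches(rule, peer):
        return False
    if rule.proto == ALL:
        return True
    if rule.proto != flow.proto:
        return False
    if flow.proto == "icmp":
        return rule.lo in (-1, flow.a) and rule.hi in (-1, flow.b)
    return rule.lo <= flow.b <= rule.hi  # tcp/udp: match on destination port


def _allowed_by(rules, flow, peer):
    # Every rule is an allow rule, so order does not matter: any match permits,
    # no match falls through to the implicit deny.
    return any(_rule_matches(r, flow, peer) for r in rules)


def reply_of(flow):
    """The response flow that connection tracking will admit, if any."""
    if flow.proto == "icmp":
        if (flow.a, flow.b) == (8, 0):
            return Flow("icmp", flow.dst, flow.src, 0, 0)  # echo reply
        return None
    return Flow(flow.proto, flow.dst, flow.src, flow.b, flow.a)


class Evaluator:
    def __init__(self):
        self.tracked = set()  # responses admitted without consulting the rules

    def permit(self, flow):
        if flow in self.tracked:
            return True
        # Outbound check at the sender's interface, inbound check at the receiver's.
        egress_ok = any(_allowed_by(SGS[g]["out"], flow, flow.dst)
                        for g in HOSTS[flow.src][1])
        ingress_ok = any(_allowed_by(SGS[g]["in"], flow, flow.src)
                         for g in HOSTS[flow.dst][1])
        ok = egress_ok and ingress_ok
        reply = reply_of(flow) if ok else None
        if reply is not None:
            self.tracked.add(reply)
        return ok


def ping_demo():
    ev = Evaluator()
    request = Flow("icmp", "A", "B", 8, 0)
    reply = Flow("icmp", "B", "A", 0, 0)
    return {
        "request": ev.permit(request),                       # SGx out + SGy in allow it
        "reply": ev.permit(reply),                           # no rule in SGx allows it; tracking does
        "reply_without_request": Evaluator().permit(reply),  # unsolicited reply: implicit deny
        "unsolicited_ping": ev.permit(Flow("icmp", "B", "A", 8, 0)),  # SGx has no inbound rule
        "https": ev.permit(Flow("tcp", "A", "B", 51515, 443)),  # CIDR 10.0.0.0/16 covers A
        "ssh": ev.permit(Flow("tcp", "A", "B", 51516, 22)),     # no matching rule: denied
    }


if __name__ == "__main__":
    for name, verdict in ping_demo().items():
        print(f"{name:>22}: {'ALLOW' if verdict else 'DENY'}")
```

The model reproduces the two points of the text: the echo reply is admitted only because the request was tracked (a fresh evaluator denies the same reply), and nothing in SGx needs an explicit Echo Reply rule. It also shows the "outbound for one group, inbound for the other" rule: each flow is checked at both interfaces.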

Changes to Security Group rules take effect immediately, including for existing connections.

Security Groups are one layer of "defense in depth": because their rules are applied at the NIC, they filter traffic that has already passed the subnet's Network ACL, and they also filter traffic between instances in the same subnet, which a Network ACL never sees.

Security Groups are VPC-level resources, not region-level ones. A VPC spans all Availability Zones in its region, so EC2 instances in different Availability Zones of the same VPC can use any Security Group created in that VPC. A Security Group cannot be attached to an instance in a different VPC, although a rule can reference a group in a peered VPC.

Security Groups can be named as the source or destination in the rules of other Security Groups, as well as in their own.
