Security Group Analogy
Think of a gated community:
- A guard at the entrance keeps track of who has been let in, so a visitor who was admitted is also allowed back out without a second check. Security groups work the same way: they are stateful, and return traffic for an allowed connection is permitted automatically.
- Only pre-approved guests, or those matching specific criteria, can enter or leave. There is no list of people to turn away; security groups hold allow rules only, and anything that matches no rule is dropped.
Scenario Overview
You have an EC2 instance inside a VPC with an attached security group named application-security-group. (An instance can have several security groups attached; the rules of all of them are combined.) This group evaluates:
- Inbound traffic (requests coming to your instance)
- Outbound traffic (requests leaving your instance)
Security Group Rule Components
Every security group rule, whether inbound or outbound, includes:

| Component | Description | Example |
|---|---|---|
| Protocol | Network protocol (TCP, UDP, ICMP, or all). ICMP rules specify a type and code instead of a port range. | TCP |
| Port range | A single port or a range of ports | 22, 80 or 1024–65535 |
| Source/Dest. | Source for inbound; destination for outbound. A CIDR block, the ID of another security group, or a managed prefix list. | 203.0.113.0/24 |
Configuring Inbound Rules
Inbound rules control which external systems can reach your instance. Because the group is stateful, you do not need a matching outbound rule for the responses.

- Allow HTTP (port 80) from a specific IP:
- Test a connection from 130.67.87.13 on port 80 → the connection times out. The source IP matches no rule, and since security groups have no reject or deny action, non-matching packets are silently dropped rather than refused with a reset.
- Open HTTP to the world:

Allowing 0.0.0.0/0 (and ::/0 for IPv6) exposes the port to the entire Internet. Open only the ports that are strictly necessary, and keep everything else (SSH, RDP, database ports) limited to known CIDR ranges or to another security group.

Configuring Outbound Rules
By default, a new security group allows all outbound traffic (in an IPv6-enabled VPC there is an equivalent rule for ::/0):

| Protocol | Port Range | Destination |
|---|---|---|
| All | All | 0.0.0.0/0 |
Always review both inbound and outbound rules to maintain the principle of least privilege. Tightening outbound rules does not block replies to allowed inbound connections (the group is stateful); it only limits the connections the instance itself initiates, which is exactly what you want to constrain for a compromised host.
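To make the evaluation rules above concrete, here is an added example (not code from the original page, and not an AWS library) that models how a security group decides whether a packet is allowed: allow-list matching on protocol, port range and CIDR, plus the stateful connection tracking that lets replies through without a rule in the other direction. The group name is the page's application-security-group; the permitted source CIDR 203.0.113.0/24 is assumed, since the page does not state which address its "specific IP" rule allows, and the other addresses and ports are constructed.

```python
"""Model of security group evaluation (added example, not AWS code).

Rules, addresses and ports are constructed for illustration. The allowed
source CIDR 203.0.113.0/24 is an assumption; the page does not name it.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Set, Tuple

ALL_PORTS = (-1, -1)  # AWS uses -1/-1 ("All") for every port / every ICMP type


@dataclass(frozen=True)
class Rule:
    """One rule: protocol, port range and a CIDR (source for inbound, destination for outbound)."""
    protocol: str   # "tcp", "udp", "icmp" or "all"
    from_port: int
    to_port: int
    cidr: str

    def matches(self, protocol: str, port: int, address: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if (self.from_port, self.to_port) != ALL_PORTS and not (self.from_port <= port <= self.to_port):
            return False
        # Mixed IPv4/IPv6 comparisons evaluate to False rather than raising.
        return ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr, strict=False)


# (protocol, remote address, remote port, local port) identifies a tracked flow.
Flow = Tuple[str, str, int, int]


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    # Connection tracking: flows admitted by a rule. Security groups are stateful,
    # so traffic in the opposite direction of a tracked flow is allowed without
    # consulting the other rule set.
    tracked: Set[Flow] = field(default_factory=set)

    def inbound_allowed(self, protocol: str, src: str, src_port: int, dst_port: int) -> bool:
        """A packet arriving at the instance. Allow-list only: no matching rule means drop."""
        flow = (protocol, src, src_port, dst_port)
        if flow in self.tracked:           # reply to a connection the instance opened
            return True
        if any(r.matches(protocol, dst_port, src) for r in self.inbound):
            self.tracked.add(flow)
            return True
        return False                       # silently dropped: the client sees a timeout

    def outbound_allowed(self, protocol: str, dst: str, dst_port: int, src_port: int) -> bool:
        """A packet leaving the instance."""
        flow = (protocol, dst, dst_port, src_port)
        if flow in self.tracked:           # reply to a connection we admitted inbound
            return True
        if any(r.matches(protocol, dst_port, dst) for r in self.outbound):
            self.tracked.add(flow)
            return True
        return False


def build_group() -> SecurityGroup:
    """application-security-group with one inbound rule (assumed CIDR) and, deliberately,
    no outbound rules, to show that replies still flow thanks to state tracking."""
    return SecurityGroup(
        name="application-security-group",
        inbound=[Rule("tcp", 80, 80, "203.0.113.0/24")],
        outbound=[],
    )


def demo() -> dict:
    sg = build_group()
    results = {}
    # A client inside the allowed CIDR reaches port 80.
    results["allowed_client"] = sg.inbound_allowed("tcp", "203.0.113.7", 51000, 80)
    # Its response leaves the instance although there is no outbound rule at all.
    results["reply_to_allowed_client"] = sg.outbound_allowed("tcp", "203.0.113.7", 51000, 80)
    # The page's test address matches no rule: dropped.
    results["blocked_client"] = sg.inbound_allowed("tcp", "130.67.87.13", 51000, 80)
    # Right address, wrong port (SSH): dropped.
    results["allowed_client_ssh"] = sg.inbound_allowed("tcp", "203.0.113.7", 51001, 22)
    # Opening port 80 to 0.0.0.0/0 admits anyone, including 130.67.87.13.
    sg.inbound.append(Rule("tcp", 80, 80, "0.0.0.0/0"))
    results["blocked_client_after_world_open"] = sg.inbound_allowed("tcp", "130.67.87.13", 51002, 80)
    # The instance cannot initiate egress: no outbound rule and no tracked flow.
    results["instance_initiated_egress"] = sg.outbound_allowed("tcp", "198.51.100.10", 443, 40000)
    # With the AWS default outbound rule (all traffic to 0.0.0.0/0) the same egress succeeds.
    default_sg = SecurityGroup("default-egress", outbound=[Rule("all", -1, -1, "0.0.0.0/0")])
    results["default_outbound_egress"] = default_sg.outbound_allowed("tcp", "198.51.100.10", 443, 40000)
    return results


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:35s} {'ALLOW' if allowed else 'DROP'}")
```

The model keeps the two properties the page relies on: there is no way to express a deny, so a packet that matches nothing is dropped (the caller sees a timeout), and an admitted flow is remembered so replies are never blocked by the opposite rule set.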
Best Practices
- Use descriptive security group names (e.g., web-sg, db-sg) and add a description to each rule saying why it exists.
- Limit CIDR ranges to the smallest possible scope. For traffic between your own instances, reference the peer's security group as the source instead of a CIDR, so the rule follows the instances as addresses change.
- Regularly audit rules for unused or overly permissive entries.
- Combine Security Groups with Network ACLs for layered defense. Network ACLs apply at the subnet level, are stateless (return traffic needs its own rule) and support explicit deny rules, so they can block a known-bad range that a security group, which is allow-only, cannot.
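The audit recommended above can be scripted. The following is an added example (not code from the original page) that scans the JSON shape returned by the AWS CLI command aws ec2 describe-security-groups and flags three things: inbound rules open to the whole Internet on ports other than 80 and 443, inbound rules with very wide port ranges, and groups still carrying the default unrestricted egress rule. The sample data is constructed to mirror that output (group IDs, names and CIDRs are made up); the tolerated public ports and the width threshold are assumptions for this example, not AWS settings.

```python
"""Security group audit over describe-security-groups output (added example).

SAMPLE is constructed in the shape `aws ec2 describe-security-groups` returns;
its IDs, names and CIDRs are made up. PUBLIC_OK_PORTS and WIDE_RANGE are
assumed thresholds for this example, not AWS defaults.
"""
import json
from typing import Dict, List

ANYWHERE = {"0.0.0.0/0", "::/0"}
PUBLIC_OK_PORTS = {80, 443}   # assumption: the only ports tolerated open to the Internet
WIDE_RANGE = 1024             # assumption: inbound ranges wider than this are flagged

SAMPLE = json.loads("""
{
  "SecurityGroups": [
    {
      "GroupName": "web-sg",
      "GroupId": "sg-0a1b2c3d4e5f60001",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
         "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []}
      ]
    },
    {
      "GroupName": "db-sg",
      "GroupId": "sg-0a1b2c3d4e5f60002",
      "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60001"}]},
        {"IpProtocol": "tcp", "FromPort": 1024, "ToPort": 65535,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
      ],
      "IpPermissionsEgress": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}
      ]
    }
  ]
}
""")


def world_open(perm: Dict) -> bool:
    """True if any IPv4 or IPv6 range in the permission is the whole Internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(c in ANYWHERE for c in cidrs)


def port_span(perm: Dict) -> int:
    """Number of ports the permission covers; protocol -1 means all traffic."""
    if perm["IpProtocol"] == "-1":
        return 65536
    return perm["ToPort"] - perm["FromPort"] + 1


def describe(perm: Dict) -> str:
    if perm["IpProtocol"] == "-1":
        return "all traffic"
    if perm["FromPort"] == perm["ToPort"]:
        return f"{perm['IpProtocol']}/{perm['FromPort']}"
    return f"{perm['IpProtocol']}/{perm['FromPort']}-{perm['ToPort']}"


def audit(groups: Dict) -> List[Dict]:
    """Return findings in group order: inbound permissions first, then egress."""
    findings = []

    def add(sg, direction, severity, detail):
        findings.append({"group": sg["GroupName"], "group_id": sg["GroupId"],
                         "direction": direction, "severity": severity, "detail": detail})

    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            tolerated = (perm["IpProtocol"] != "-1"
                         and perm["FromPort"] == perm["ToPort"]
                         and perm["FromPort"] in PUBLIC_OK_PORTS)
            if world_open(perm) and not tolerated:
                add(sg, "inbound", "HIGH", f"{describe(perm)} open to the Internet")
            elif port_span(perm) > WIDE_RANGE:
                add(sg, "inbound", "MEDIUM", f"{describe(perm)} is a wide range ({port_span(perm)} ports)")
        for perm in sg.get("IpPermissionsEgress", []):
            if world_open(perm) and perm["IpProtocol"] == "-1":
                add(sg, "outbound", "LOW", "unrestricted egress (the AWS default); narrow it if the instance does not need it")
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f"{f['severity']:6s} {f['group']} ({f['group_id']}) {f['direction']}: {f['detail']}")
```

Against the sample the script reports the SSH rule in web-sg as HIGH, the unrestricted egress on web-sg as LOW, and the 1024–65535 range in db-sg as MEDIUM, while the port 80 rule open to the world and the rule that references another security group pass. To run it against a real account, replace SAMPLE with the parsed output of the describe-security-groups command.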