Security Groups and Network ACLs
Get an overview of Security Groups and Network ACLs.
Security groups
Security groups act as a virtual firewall at the instance level. More precisely, a security group is attached to an elastic network interface (ENI), so its rules are evaluated per interface rather than per instance or per subnet.
Rules
- We can only assign permit rules in a security group; we cannot assign deny rules.
- There is an implicit deny rule at the end of a security group.
- Because every rule is a permit, rule order does not matter: traffic is allowed if any rule in any attached security group matches it; otherwise it falls through to the implicit deny.
- A security group can control both ingress and egress traffic.
- By default, custom security groups do not have inbound allow rules (all inbound traffic is denied by default).
- By default, default security groups have inbound allow rules (allowing traffic from within the group).
- All outbound traffic is allowed by default in both custom and default security groups.
Features
- Security groups are stateful.
- You can reference another security group (by its ID) as the source or destination of a rule; the rule then matches any interface currently associated with that group. A security group can also reference itself in its own inbound rules, which lets its members talk to each other.
- Security group members can be within any AZ or subnet within the VPC. Security group membership can be changed whilst instances are running.
- Up to 5 security groups can be attached to an EC2 network interface by default (this is an adjustable quota). There is no limit on the number of EC2 instances within a security group.
- Any changes made will take effect immediately.
Limitations
- You cannot block specific IP addresses using security groups; use NACLs instead.
- You cannot delete the security group that is created by default within a VPC.
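The rules, features and limitations above are easiest to see in one place, so here is a small model of how a security group evaluates a packet. It is an added example written for this page, not AWS code: all group IDs, addresses and ports are constructed, and the quota of 5 groups per interface is treated as the default (adjustable) value. It shows permit-only rules with an implicit deny, order-independent evaluation, group references resolved against current membership (including self-reference), stateful handling of reply traffic, and why an allow from `0.0.0.0/0` cannot exclude a single address.

```python
"""Model of AWS security group evaluation semantics (added example, not AWS code)."""
import ipaddress
from dataclasses import dataclass, field

DEFAULT_SG_PER_ENI_QUOTA = 5  # default AWS quota per interface; adjustable, so an assumption here


@dataclass(frozen=True)
class Rule:
    """A permit rule. Security groups have no deny rules, so there is no action field."""
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # a CIDR such as "0.0.0.0/0" or a security group ID such as "sg-app"


@dataclass
class SecurityGroup:
    group_id: str
    ingress: list = field(default_factory=list)
    egress: list = field(default_factory=list)
    members: set = field(default_factory=set)  # private IPs of interfaces carrying this group


class Eni:
    """An elastic network interface: the object security groups are actually attached to."""

    def __init__(self, ip, group_ids, groups):
        if len(group_ids) > DEFAULT_SG_PER_ENI_QUOTA:
            raise ValueError(f"more than {DEFAULT_SG_PER_ENI_QUOTA} security groups on one interface")
        self.ip = ip
        self.group_ids = list(group_ids)
        self.conntrack = set()  # flows already permitted; this is what makes the group stateful
        for gid in group_ids:
            groups[gid].members.add(ip)  # membership changes apply as soon as they are made


def rule_matches(rule, protocol, port, peer_ip, groups):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # A group reference means "any current member of that group" and is
        # resolved at evaluation time, which is also how self-reference works.
        return peer_ip in groups[rule.source].members
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.source)


def evaluate(groups, eni, direction, protocol, peer_ip, peer_port, local_port):
    """Decide one packet: 'allow', 'allow (tracked)' or 'deny (implicit)'.

    direction is 'in' (peer -> interface) or 'out' (interface -> peer)."""
    flow = (protocol, peer_ip, peer_port, local_port)
    # Stateful: a reply belonging to an already permitted flow passes regardless of rules.
    if flow in eni.conntrack:
        return "allow (tracked)"
    port = local_port if direction == "in" else peer_port
    rules = [r for gid in eni.group_ids
             for r in (groups[gid].ingress if direction == "in" else groups[gid].egress)]
    # Every rule is a permit, so order is irrelevant: any match allows the packet.
    if any(rule_matches(r, protocol, port, peer_ip, groups) for r in rules):
        eni.conntrack.add(flow)
        return "allow"
    # Nothing matched: the implicit deny at the end of every security group.
    return "deny (implicit)"


def build_demo():
    """Constructed scenario: a web tier and an app tier in one VPC (IDs and IPs made up)."""
    groups = {
        "sg-web": SecurityGroup("sg-web",
                                ingress=[Rule("tcp", 443, 443, "0.0.0.0/0")],
                                egress=[Rule("-1", 0, 65535, "0.0.0.0/0")]),
        "sg-app": SecurityGroup("sg-app",
                                ingress=[Rule("tcp", 8080, 8080, "sg-web"),   # only the web tier
                                         Rule("tcp", 8080, 8080, "sg-app")],  # self-reference
                                egress=[]),  # default outbound allow removed on purpose
    }
    web = Eni("10.0.1.10", ["sg-web"], groups)
    app1 = Eni("10.0.2.10", ["sg-app"], groups)
    app2 = Eni("10.0.2.11", ["sg-app"], groups)
    return groups, web, app1, app2


if __name__ == "__main__":
    groups, web, app1, app2 = build_demo()
    # No rule can carve 203.0.113.7 out of 0.0.0.0/0: blocking it needs a NACL deny.
    print("443 from 203.0.113.7 to web:", evaluate(groups, web, "in", "tcp", "203.0.113.7", 40000, 443))
    print("8080 from web to app1:", evaluate(groups, app1, "in", "tcp", "10.0.1.10", 51000, 8080))
    print("reply app1 -> web:", evaluate(groups, app1, "out", "tcp", "10.0.1.10", 51000, 8080))
    print("new outbound app1 -> web:443:", evaluate(groups, app1, "out", "tcp", "10.0.1.10", 443, 60000))
    print("8080 from app2 to app1:", evaluate(groups, app1, "in", "tcp", "10.0.2.11", 52000, 8080))
```

Note the two app-tier results that differ only by state: the reply on the tracked 8080 flow is allowed even though `sg-app` has no egress rules, while a fresh outbound connection from the same interface is dropped by the implicit deny. That is the practical meaning of "stateful", and it is also why removing the default outbound rule does not break existing inbound services.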