Security groups basics (EC2 and VPC)

Topic: Cloud aws core

Summary

Security groups are stateful firewalls for EC2 instances and other VPC resources. Rules allow inbound and outbound by port, protocol, and source/destination. Use this when you cannot reach an instance or when locking down access to a service.

Intent: How-to

Quick answer

  • A security group has inbound and outbound rules; each rule allows traffic by protocol, port range, and source (inbound) or destination (outbound). A newly created group has no inbound rules and allows all outbound. Stateful: reply traffic for an allowed flow is automatically allowed.
  • Allow SSH: inbound TCP 22 from your IP (e.g. 1.2.3.4/32) or from a bastion SG. Allow HTTP: inbound TCP 80 from 0.0.0.0/0 or from the ALB security group. Restrict the source to reduce blast radius.
  • An instance can have multiple security groups; their rules are combined as a union (traffic is allowed if any attached group allows it; there are no deny rules). Use separate SGs for different tiers (e.g. web, app, DB) and reference other SGs as the source for tier-to-tier traffic.

Prerequisites

Steps

  1. Inbound and outbound

    Add inbound rules for traffic the instance must receive (e.g. TCP 22 from My IP, TCP 80 from 0.0.0.0/0). Outbound defaults to all; restrict if needed (e.g. only to specific IPs or SGs). Stateful: replies are allowed automatically.

  2. Source and destination

    Source can be CIDR (e.g. 10.0.0.0/8) or another security group (e.g. allow from sg-xxx). Use SG as source for tier-to-tier so you do not hardcode IPs. Use 0.0.0.0/0 only when necessary (e.g. public web).

  3. Layered SGs

    Web tier SG: allow 80/443 from internet. App tier SG: allow from web tier SG. DB tier SG: allow 5432 from app tier SG. Attach the right SG(s) to each instance.

  4. Troubleshoot access

    Cannot connect: check that the instance SG allows inbound from your IP or from the correct SG. Check the subnet's NACL if a subnet-level block is possible (NACLs are stateless, so both the inbound rule and the outbound ephemeral-port rule for the reply must allow). Ensure the instance is running and the service is listening on the expected port.
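The rule semantics from steps 1 to 4 (union across attached groups, CIDR versus SG-reference sources, default allow-all outbound) as a small offline evaluator. This is an added example, not AWS code or the page's own; the three-tier layout is constructed from step 3, and the app port 8080 and the admin CIDR 203.0.113.10/32 are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    protocol: str     # "tcp", "udp", "icmp" or "-1" (all protocols)
    from_port: int
    to_port: int
    source: str       # CIDR ("10.0.0.0/8") or a security group id ("sg-app")

@dataclass
class SecurityGroup:
    sg_id: str
    inbound: list = field(default_factory=list)
    # A newly created group has no inbound rules and allows all outbound.
    outbound: list = field(default_factory=lambda: [Rule("-1", 0, 65535, "0.0.0.0/0")])

def rule_matches(rule, protocol, port, peer_ip, peer_sgs):
    """True if this single allow rule admits the flow."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol != "-1" and not rule.from_port <= port <= rule.to_port:
        return False
    if rule.source.startswith("sg-"):
        # SG reference: the peer ENI must carry that group, regardless of its IP.
        return rule.source in peer_sgs
    return ip_address(peer_ip) in ip_network(rule.source)

def inbound_allowed(attached, protocol, port, peer_ip, peer_sgs=()):
    """Union semantics: the flow passes if ANY attached group has a matching allow rule."""
    return any(rule_matches(r, protocol, port, peer_ip, peer_sgs)
               for sg in attached for r in sg.inbound)

def explain(attached, protocol, port, peer_ip, peer_sgs=()):
    """Troubleshooting aid (step 4): name the group and rule that admit the flow, or report none."""
    for sg in attached:
        for r in sg.inbound:
            if rule_matches(r, protocol, port, peer_ip, peer_sgs):
                return f"allowed by {sg.sg_id}: {r.protocol} {r.from_port}-{r.to_port} from {r.source}"
    ids = [sg.sg_id for sg in attached]
    return f"blocked: no inbound rule on {ids} matches {protocol}/{port} from {peer_ip}"

# Constructed three-tier layout (step 3); port 8080 and the admin /32 are assumptions.
WEB = SecurityGroup("sg-web", inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 443, 443, "0.0.0.0/0")])
APP = SecurityGroup("sg-app", inbound=[Rule("tcp", 8080, 8080, "sg-web")])
DB = SecurityGroup("sg-db", inbound=[Rule("tcp", 5432, 5432, "sg-app")])
ADMIN = SecurityGroup("sg-admin", inbound=[Rule("tcp", 22, 22, "203.0.113.10/32")])
```

Attaching ADMIN alongside WEB opens SSH only from the admin /32, while a web-tier host that tries to reach the DB directly is reported as blocked because it does not carry sg-app.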

Summary

Security groups are stateful firewall rules for instances. Add inbound rules for required ports and sources; use other SGs as source for tier-to-tier traffic. Use this to allow or restrict access to EC2 and to troubleshoot connectivity.

Prerequisites

Steps

Step 1: Inbound and outbound

Add inbound rules for ports the instance must accept; restrict outbound if required. Rely on statefulness for replies.

Step 2: Source and destination

Use CIDR or another security group as source. Prefer SG references for tier-to-tier; avoid 0.0.0.0/0 for admin ports.

Step 3: Layered SGs

Define SGs per tier (web, app, DB); allow only from the previous tier or from known CIDRs.

Step 4: Troubleshoot access

Verify instance SG allows your IP or the correct SG; check NACL and that the service is listening.

Verification

Required traffic is allowed; unnecessary ports are not open; tier-to-tier uses SG references.

Troubleshooting

  • Connection refused: the SG may allow the traffic but the service is not listening, or is listening on a different port.
  • Timeout: SG or NACL is blocking, or there is no route (e.g. no public IP, wrong route table).

Next steps

Continue to