A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. To decide whether to allow traffic to reach an instance, AWS evaluate all the rules from all the security groups that are associated with the instance.
Security groups are not just limited to EC2, but can be used with other services such as RDS.
Security Groups and EC2
-
You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.
-
Any change of rules within Security Groups will be immediately reflected.
-
All inbound traffic are blocked by default and need to explicitly allowed in a rule; cannot explicitly deny. For instance, we cannot deny an IP address, however, we can do that using access control lists instead.
-
Default security group will allow all traffic from itself (source is itself).
-
All outbond traffic is allowed.
-
Security groups are stateful: if you create an inbound rule (e.g. HTTP), that traffic is also allowed back. (Vs Network Access Control Lists, which are Stateless)
-
Can attach multiple security groups to a single EC2 instance. Can have multiple EC2 instances within a security group.
- heartin's blog
- Log in or register to post comments
Recent comments