
Security groups in AWS EC2 instances


In this blog, we will look at the crucial role of security groups in AWS EC2 instances. Security groups act as virtual firewalls: they regulate the traffic coming into and going out of your instances. By creating security groups carefully you can establish robust network security, protecting your resources from unauthorized access while still ensuring seamless connectivity. This article provides guidance on how to configure, maintain, and optimize security groups for your EC2 instances.

What are Security groups in AWS EC2 instances

Security Groups are stateful firewalls that control traffic at the instance level. They are associated with EC2 instances to regulate access.

By default, Security Groups deny all inbound traffic and allow all outbound traffic. Note that, by default, each security group can have up to 60 inbound rules and 60 outbound rules.

Inbound Rules

  • Purpose: To control which incoming traffic is allowed to reach your EC2 instances.
  • Configuration: Inbound rules are defined by specifying:
    • Protocol: The type of network traffic (e.g., TCP, UDP, ICMP).
    • Port Range: The port or range of ports the rule applies to (e.g., port 80 for HTTP).
    • Source: The IP address or CIDR block from which the traffic is allowed, or another Security Group.
  • Example:
    • Allow incoming HTTP traffic on port 80 from any IP address.
    • Allow incoming SSH traffic on port 22 from a specific IP address (e.g., your home or office).
Rule Description     | Protocol | Port Range | Source            | Purpose
Allow HTTP Traffic   | TCP      | 80         | 0.0.0.0/0         | Allow web traffic from any IP address
Allow HTTPS Traffic  | TCP      | 443        | 0.0.0.0/0         | Allow secure web traffic from any IP address
Allow SSH Access     | TCP      | 22         | [Your IP]/32      | Allow SSH access from a specific IP address
Allow MySQL Access   | TCP      | 3306       | Security Group ID | Allow MySQL traffic from specific instances
Allow ICMP Traffic   | ICMP     | N/A        | 0.0.0.0/0         | Allow ping requests from any IP address
Allow RDP Access     | TCP      | 3389       | [Your IP]/32      | Allow RDP access from a specific IP address

Outbound Rules

  • Purpose: To control which outgoing traffic is allowed from your EC2 instances.
  • Configuration: Outbound rules are defined by specifying:
    • Protocol: The type of network traffic.
    • Port Range: The port or range of ports the rule applies to.
    • Destination: The IP address or CIDR block to which the traffic is allowed, or another Security Group.
  • Example:
    • Allow all outgoing traffic (default rule in many Security Groups).
    • Restrict outgoing traffic to only specific ports or destinations, such as allowing traffic only to a specific database or API endpoint.
Rule Description                           | Protocol | Port Range | Destination                | Purpose
Allow All Outbound Traffic                 | All      | All        | 0.0.0.0/0                  | Allow all outbound traffic to any destination
Allow HTTPS Traffic                        | TCP      | 443        | 0.0.0.0/0                  | Allow secure web requests to any IP address
Allow SSH Traffic to a Specific IP         | TCP      | 22         | [Management Server IP]/32  | Allow SSH connections to a specific IP
Allow MySQL Traffic to a Specific DB Server | TCP     | 3306       | [Database Server IP]/32    | Allow MySQL traffic to a specific DB server
Allow DNS Traffic                          | UDP      | 53         | 0.0.0.0/0                  | Allow DNS queries to any IP address
Allow Custom Application Traffic           | TCP      | 8080       | [Service IP]/32            | Allow custom app traffic to a specific service

CIDR

CIDR (Classless Inter-Domain Routing) blocks are a method for allocating IP addresses and routing IP packets. CIDR allows for more flexible and efficient allocation of IP addresses compared to the traditional class-based system.

In AWS, CIDR blocks are used extensively in configuring Virtual Private Clouds (VPCs), subnets, and security group rules.

VPC and Subnet CIDR Blocks

  1. VPC CIDR Block:
    • When creating a VPC, you assign a primary CIDR block to define the range of IP addresses available within the VPC.
    • Example: 10.0.0.0/16 gives a range of 10.0.0.0 to 10.0.255.255.
  2. Subnet CIDR Block:
    • Within a VPC, you divide the CIDR block into smaller subnets.
    • Example: Within a VPC with CIDR 10.0.0.0/16, you could create subnets like 10.0.1.0/24, 10.0.2.0/24, etc.

Security Group Rules

When defining security group rules, you specify CIDR blocks to control which IP ranges are allowed to connect to your EC2 instances.

  • Inbound Rule Example:
    • Allow SSH access from a specific IP address.
    • Rule Configuration:
      • Protocol: TCP
      • Port Range: 22
      • Source: 203.0.113.1/32 (a single IP address)
  • Outbound Rule Example:
    • Allow HTTP traffic to any IP address.
    • Rule Configuration:
      • Protocol: TCP
      • Port Range: 80
      • Destination: 0.0.0.0/0 (any IP address)
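As an added example that is not part of the original post, the Python below models the rule shape used in both tables and in the inbound and outbound rule configurations above, evaluates whether a given packet is allowed by a rule set, and computes the address range of a CIDR block as in the VPC section. [Your IP] is stood in for by 203.0.113.1/32 and the rule sets are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all traffic
    from_port: int   # -1 means every port (used with "-1" and "icmp")
    to_port: int
    cidr: str        # source for an inbound rule, destination for an outbound one


def cidr_range(cidr):
    # First and last address covered by a block, e.g. 10.0.0.0/16 -> 10.0.0.0 .. 10.0.255.255
    net = ipaddress.ip_network(cidr)
    return str(net.network_address), str(net.broadcast_address)


def is_subnet_of_vpc(subnet_cidr, vpc_cidr):
    # A subnet must lie entirely inside its VPC's primary CIDR block.
    return ipaddress.ip_network(subnet_cidr).subnet_of(ipaddress.ip_network(vpc_cidr))


def rule_matches(rule, protocol, port, address):
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.protocol in ("tcp", "udp") and not rule.from_port <= port <= rule.to_port:
        return False
    return ipaddress.ip_address(address) in ipaddress.ip_network(rule.cidr)


def is_allowed(rules, protocol, port, address):
    # Security group rules are allow-only and order-independent: a packet that
    # matches no rule is dropped (the default-deny for inbound traffic).
    # Replies to an allowed connection are handled statefully and need no rule.
    return any(rule_matches(r, protocol, port, address) for r in rules)


# Constructed from the inbound table above, with [Your IP] stood in for by 203.0.113.1.
INBOUND = [
    Rule("tcp", 80, 80, "0.0.0.0/0"),
    Rule("tcp", 443, 443, "0.0.0.0/0"),
    Rule("tcp", 22, 22, "203.0.113.1/32"),
    Rule("icmp", -1, -1, "0.0.0.0/0"),
]
# The outbound rule example from the CIDR section: HTTP to any IP address.
OUTBOUND = [Rule("tcp", 80, 80, "0.0.0.0/0")]
```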

Steps to configure Security groups in an AWS EC2 instance

After creating an EC2 instance:

In the navigation pane, click on Security Groups under the Network & Security section.

You can go to the Security groups to configure your network access settings. Security groups act as virtual firewalls that control the traffic to and from your instance.

You can either select an existing security group or create a new one by clicking on Create Security Group. In our case, I am configuring an existing security group.

First of all, you have to configure the inbound rules.

Configure the rules as shown below; the types of traffic that I am allowing are SSH, HTTPS and HTTP.

For SSH the source is My IP; for HTTPS and HTTP the source is Anywhere. Then click on Save rules.

Now you have successfully configured the inbound rules.

Next you can configure the outbound rules.

The rule types are All traffic and HTTPS; click on Save rules.

Now you have successfully configured the outbound rules.
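As an added example, not part of the original post, the Python below audits a rule set like the one just configured: it flags SSH, RDP or MySQL exposed to 0.0.0.0/0 (the tables above restrict those to [Your IP]/32 or a security group) and reports rules made redundant by an All traffic rule, such as the outbound HTTPS rule saved alongside All traffic. "My IP" is stood in for by 203.0.113.1/32, the address used in the CIDR section, and both rule sets are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Ports the post restricts to [Your IP]/32 or a security group, never 0.0.0.0/0.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL"}


@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for All traffic
    from_port: int   # -1 with protocol "-1" means every port
    to_port: int
    target: str      # source (inbound) or destination (outbound): a CIDR or an "sg-..." id


def covers_port(rule, port):
    return rule.protocol == "-1" or rule.from_port <= port <= rule.to_port


def is_world(target):
    # Only a /0 CIDR means "anywhere"; a security-group reference never does.
    return not target.startswith("sg-") and ipaddress.ip_network(target).prefixlen == 0


def shadowed_by(rule, other):
    # `other` is an All traffic rule to anywhere in the same direction, so `rule` adds nothing.
    return (other is not rule and other.direction == rule.direction
            and other.protocol == "-1" and is_world(other.target) and is_world(rule.target))


def audit(rules):
    findings = []
    for r in rules:
        if r.direction == "inbound" and is_world(r.target):
            for port, name in ADMIN_PORTS.items():
                if covers_port(r, port):
                    findings.append(f"inbound {name} (port {port}) open to {r.target}; "
                                    f"restrict it to [Your IP]/32 or a security group")
        if any(shadowed_by(r, o) for o in rules):
            findings.append(f"{r.direction} {r.protocol} {r.from_port}-{r.to_port} to {r.target} "
                            f"is redundant: an All traffic rule already allows it")
    return findings


# Constructed to mirror the group configured above; "My IP" is stood in for by 203.0.113.1/32.
STEPS_SG = [
    Rule("inbound", "tcp", 22, 22, "203.0.113.1/32"),
    Rule("inbound", "tcp", 80, 80, "0.0.0.0/0"),
    Rule("inbound", "tcp", 443, 443, "0.0.0.0/0"),
    Rule("outbound", "-1", -1, -1, "0.0.0.0/0"),
    Rule("outbound", "tcp", 443, 443, "0.0.0.0/0"),
]
# The same group with SSH left open to anywhere, the misconfiguration the tables above avoid.
OPEN_SSH_SG = [Rule("inbound", "tcp", 22, 22, "0.0.0.0/0")] + STEPS_SG[1:]
```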

Conclusion

In conclusion, configuring security groups for your AWS EC2 instances is essential for managing network access and ensuring robust security. By carefully setting inbound and outbound rules, you can protect your instances while maintaining necessary connectivity and functionality.

If you like this blog, you can share it with your friends or colleague. You can connect with me on social media profiles like LinkedIn, Twitter, and Instagram.
