Security Group

instance level firewall

Overview

• a virtual firewall, that controls incomming & outgoing traffic for your cloud resources: servers, databases.

Properties

• Can only be used inside the VPC/region that you specify when you create the SG.

• Can be attached to MULTIPLE intances.

• You can only specify ALLOW rules, not deny rules.

• By default

  • Allow all outbound

  • Deny all inbound

• Because when you create a SG, by default

  • Has 1 outbound rule that allows all outbound

  • No inbound rule.

vs. NACL

	Security Group	NACL
level	instance level	subnet level
state	statefull	stateless
rule	only support Allow rule	support both Allow & Deny rules
default	- deny all inbound - allow all outbound	allow all in/outbound traffic
evaluate	all the rule before deciding	proceed by pritority number, start from 100..

Trivia

• 1 instance has max 5 Security groups.

• 1 SG has maximum 60 inbound rules, and 60 outbound rules.

• 1 SG can be attached to many EC2 instances.