# Security Group

## Overview

* A virtual firewall that controls incoming and outgoing traffic for your cloud resources (e.g. servers, databases).

## Properties

* Can only be used inside the VPC/region that you `specify` when you create the SG.
* Can be attached to `MULTIPLE` instances.
* You `can only` specify **ALLOW** rules, not deny rules.
* By default
  * Allow all outbound
  * Deny all inbound
* This is because a newly created SG, by default
  * Has 1 outbound rule that allows all outbound traffic
  * Has no inbound rules.

## vs. NACL

|             | **Security Group**                                | **NACL**                                                          |
| ----------- | ------------------------------------------------- | ----------------------------------------------------------------- |
| level       | instance level                                    | subnet level                                                      |
| state       | stateful                                          | stateless                                                         |
| rule        | only supports `Allow` rules                       | supports both `Allow` & `Deny` rules                              |
| **default** | <p>- deny all inbound<br>- allow all outbound</p> | allow all in/outbound traffic                                     |
| evaluate    | all rules are evaluated before deciding           | rules are processed by priority number, lowest first (starting from 100); the first match decides |
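The two evaluation models in the table (and the SG defaults listed under Properties) are easy to mix up, so here is an added toy model that is not part of the original notes and not AWS code: `SecurityGroup` evaluates every rule, rejects `deny` rules, and tracks allowed inbound connections so their replies leave without an outbound rule; `NetworkAcl` walks its rules in rule-number order, stops at the first match, and treats reply traffic as just another packet. The `Rule` class, all method names and the addresses in `demo()` are constructed for this example.

```python
"""Toy model of security-group vs. NACL evaluation (constructed example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str              # peer address range the rule applies to
    action: str = "allow"  # NACLs may also say "deny"; security groups never do
    number: int = 0        # NACL rule number; unused by security groups

    def matches(self, protocol, port, peer_ip):
        proto_ok = self.protocol == "all" or self.protocol == protocol
        port_ok = self.port_from <= port <= self.port_to
        ip_ok = ip_address(peer_ip) in ip_network(self.cidr)
        return proto_ok and port_ok and ip_ok


class SecurityGroup:
    """Instance level, stateful, allow-only: every rule is looked at and the packet
    is permitted if any rule matches. A new SG has no inbound rules and one
    outbound rule that allows everything."""

    def __init__(self):
        self.inbound_rules = []
        self.outbound_rules = [Rule("all", 0, 65535, "0.0.0.0/0")]
        self._tracked = set()  # connections already allowed in (connection tracking)

    def add_inbound(self, rule):
        if rule.action != "allow":
            raise ValueError("security groups only support allow rules")
        self.inbound_rules.append(rule)

    def inbound(self, protocol, dst_port, src_ip):
        allowed = any(r.matches(protocol, dst_port, src_ip) for r in self.inbound_rules)
        if allowed:
            self._tracked.add((protocol, src_ip, dst_port))
        return allowed

    def outbound(self, protocol, dst_port, dst_ip, src_port=None):
        # Stateful: a reply belonging to a tracked inbound connection is allowed
        # out regardless of the outbound rule set.
        if (protocol, dst_ip, src_port) in self._tracked:
            return True
        return any(r.matches(protocol, dst_port, dst_ip) for r in self.outbound_rules)


class NetworkAcl:
    """Subnet level, stateless, ordered: rules are tried from the lowest number
    upward and the first match decides; no match means deny (the trailing '*'
    rule). Return traffic needs its own rule, e.g. for the ephemeral port range."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound_rules = sorted(inbound, key=lambda r: r.number)
        self.outbound_rules = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, protocol, port, peer_ip):
        for rule in rules:  # already sorted by rule number
            if rule.matches(protocol, port, peer_ip):
                return rule.action == "allow"
        return False

    def inbound(self, protocol, dst_port, src_ip):
        return self._evaluate(self.inbound_rules, protocol, dst_port, src_ip)

    def outbound(self, protocol, dst_port, dst_ip):
        return self._evaluate(self.outbound_rules, protocol, dst_port, dst_ip)


def demo():
    client = "198.51.100.7"  # constructed client address (TEST-NET-2)

    sg = SecurityGroup()
    sg.add_inbound(Rule("tcp", 443, 443, "0.0.0.0/0"))
    sg.outbound_rules.clear()  # even with no outbound rules at all ...
    results = {
        "sg_https_in": sg.inbound("tcp", 443, client),
        "sg_ssh_in": sg.inbound("tcp", 22, client),
        # ... the HTTPS reply (from port 443 back to the client's ephemeral port) gets out
        "sg_https_reply_out": sg.outbound("tcp", 51000, client, src_port=443),
    }

    nacl = NetworkAcl(
        inbound=[
            Rule("tcp", 443, 443, "198.51.100.0/24", action="deny", number=90),
            Rule("tcp", 443, 443, "0.0.0.0/0", action="allow", number=100),
        ],
        outbound=[],  # no ephemeral-port rule, so replies cannot leave the subnet
    )
    results["nacl_https_in_denied_range"] = nacl.inbound("tcp", 443, client)  # rule 90 wins over 100
    results["nacl_https_in_other"] = nacl.inbound("tcp", 443, "203.0.113.9")
    results["nacl_https_reply_out"] = nacl.outbound("tcp", 51000, "203.0.113.9")  # stateless: denied
    return results


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {'allow' if verdict else 'deny'}")
```

Swapping the two NACL rule numbers (allow at 90, deny at 100) flips the verdict for the denied range, which is the ordering difference the table describes; the security group has no such ordering because all of its rules are considered together.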

## Trivia

* 1 instance can have at most 5 security groups.
* 1 SG can have at most 60 inbound rules and 60 outbound rules.
* 1 SG can be attached to many EC2 instances.
