Security Group

instance-level firewall

Overview

  • A virtual firewall that controls inbound and outbound traffic for your cloud resources (servers, databases, ...).

Properties

  • Can only be used inside the VPC (and therefore the region) that you specify when you create the SG.

  • Can be attached to MULTIPLE instances.

  • You can only specify ALLOW rules, not deny rules.

  • By default

    • Allow all outbound

    • Deny all inbound

  • This follows from what a newly created SG contains

    • One outbound rule that allows all outbound traffic

    • No inbound rules (and since only Allow rules exist, no inbound rule means all inbound traffic is denied)

vs. NACL

                  Security Group                            NACL
  level           instance level                            subnet level
  state           stateful                                  stateless
  rules           only Allow rules                          both Allow & Deny rules
  default         deny all inbound, allow all outbound      allow all inbound & outbound
  evaluation      all rules are evaluated before deciding   processed in rule-number order (starting from 100); the first matching rule decides
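The two evaluation models in the table above, as an added simulation that is not part of the original notes: security groups check every rule and pass traffic on any match, while a NACL takes the first match in rule-number order (so a Deny with a higher number than a matching Allow is shadowed), and only the stateful security group admits reply traffic without an explicit outbound rule. The rule sets, addresses and the `Rule` class are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny"; a security group only ever holds "allow"
    proto: str       # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    number: int = 0  # NACL rule number; ignored for security groups

def _matches(rule, proto, port, addr):
    return (rule.proto in ("-1", proto)
            and rule.port_from <= port <= rule.port_to
            and ip_address(addr) in ip_network(rule.cidr))

def sg_allows(rules, proto, port, addr):
    # Security group: every rule is evaluated and traffic passes if ANY allow rule matches.
    # Order is irrelevant, and an empty list denies everything (the default inbound state).
    return any(r.action == "allow" and _matches(r, proto, port, addr) for r in rules)

def nacl_allows(rules, proto, port, addr):
    # NACL: rules are walked in ascending rule-number order and the FIRST match decides;
    # traffic matching no rule falls through to the implicit final deny.
    for r in sorted(rules, key=lambda r: r.number):
        if _matches(r, proto, port, addr):
            return r.action == "allow"
    return False

def response_allowed_sg(inbound, outbound, proto, port, client):
    # Stateful: once the request is admitted its reply is admitted; outbound rules are not consulted.
    return sg_allows(inbound, proto, port, client)

def response_allowed_nacl(inbound, outbound, proto, port, client, client_port):
    # Stateless: the reply to the client's ephemeral port must itself match an outbound allow rule.
    return (nacl_allows(inbound, proto, port, client)
            and nacl_allows(outbound, proto, client_port, client))

# Constructed sample rule sets (not taken from any real account).
SG_INBOUND = [Rule("allow", "tcp", 443, 443, "0.0.0.0/0")]
SG_OUTBOUND = []  # default allow-all outbound rule deliberately removed
NACL_INBOUND = [
    Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100),
    Rule("deny", "tcp", 443, 443, "198.51.100.0/24", number=200),  # shadowed by rule 100
]
NACL_OUTBOUND = [Rule("allow", "tcp", 443, 443, "0.0.0.0/0", number=100)]  # no ephemeral-port rule
```

Moving the deny to a lower number than 100 makes it take effect, and adding an outbound allow for ports 1024-65535 lets the NACL reply through.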

Trivia

  • An instance can have at most 5 security groups.

  • An SG can have at most 60 inbound rules and 60 outbound rules.

  • An SG can be attached to many EC2 instances.
