Security Groups (VPC SG)

  1. Security Groups are virtual firewalls at the instance level
  2. SGs only ALLOW traffic, so remember this with the acronym SAG (Security Allow Groups)
  3. One or more security groups can be assigned to an EC2 instance
    1. When more than one SG is assigned to an EC2 instance, all the (ALLOW) rules of those SGs are aggregated
    2. SGs can’t be assigned to subnets or VPCs
  4. Security Groups belong to a VPC. They can’t be shared across VPCs
  5. Traffic
    1. SG rules (IOACPS)
      1. rule is either Inbound or Outbound
      2. rule can specify ALLOW only
      3. inbound rule has a source, which can be a CIDR, an SG or a prefix list (list of CIDRs); outbound rule has a destination, which can likewise be a CIDR/SG/prefix list
    2. Rules will only ALLOW traffic. No DENY rules.
    3. Provide type, protocol/port (example: RDP 3389, MySQL/Aurora 3306) and the source (inbound) or destination (outbound) of the allowed traffic
    4. In the default VPC, the default SG has two rules
      1. All inbound traffic is allowed from within the same SG (rule 1)
      2. No inbound traffic is allowed from outside (no rule)
      3. Outbound traffic to all destinations (0.0.0.0/0) is ALLOWED (rule 2: All Traffic, all ports/protocols -> 0.0.0.0/0)
    5. When you create a new SG, one rule is automatically created
      1. No inbound traffic is allowed from outside (no rule)
      2. Outbound traffic to all destinations (0.0.0.0/0) is ALLOWED
  6. SG rules are stateful (unlike Network ACL rules): if a protocol (say HTTP) is allowed inbound, then when a request comes in, the corresponding reply packets are allowed outbound regardless of the outbound rules, because the SG tracks the connection state.
  7. Any changes to SGs take effect immediately. No need to stop/start the EC2 instance
  8. A prefix list is a set of one or more CIDR blocks. There are two types of prefix lists:
  • AWS-managed prefix list — Represents the IP address ranges for an AWS service. You can reference an AWS-managed prefix list in your VPC security group rules and in subnet route table entries. For example, you can reference an AWS-managed prefix list in an outbound VPC security group rule when connecting to an AWS service through a gateway VPC endpoint. You cannot create, modify, share, or delete an AWS-managed prefix list.
  • Customer-managed prefix list — A set of IPv4 or IPv6 CIDR blocks that you define and manage. You can reference the prefix list in your VPC security group rules, subnet route table entries, and transit gateway route table entries. This enables you to manage the IP addresses that you frequently use for these resources in a single group, instead of repeatedly referencing the same IP addresses in each resource. You can share your prefix list with other AWS accounts, enabling those accounts to reference the prefix list in their own resources.

The following rules apply to customer-managed prefix lists:

  • When you create a prefix list, you must specify the maximum number of entries that the prefix list can support. You cannot modify the maximum number of entries later.
  • When you reference a prefix list in a resource, the maximum number of entries for the prefix lists counts as the same number of rules or entries for the resource. For example, if you create a prefix list with a maximum of 20 entries and you reference that prefix list in a security group rule, this counts as 20 rules for the security group.
  • You can modify a prefix list by adding or removing entries, or by changing its name.
  • A prefix list supports a single type of IP addressing only (IPv4 or IPv6). You cannot combine IPv4 and IPv6 CIDR blocks in a single prefix list.
  • There are quotas related to prefix lists. For more information, see Amazon VPC quotas.
  • When you reference a prefix list in a route table, route priority rules apply. For more information, see Route priority for prefix lists.
  • A prefix list only applies to the Region where you created it. For example, if you create a list in us-east-1, it is not available in eu-west-1.
  • You cannot reference the prefix list in your EC2 Classic security group rules.

The following rules apply to AWS-managed prefix lists:

  • You cannot create, modify, share, or delete an AWS-managed prefix list.
  • When you reference an AWS-managed prefix list in a resource, it counts as a single rule or entry for the resource.
  • You cannot view the version number of an AWS-managed prefix list.
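As an added illustration of the SG rules in items 3 to 7 above (ALLOW-only rules aggregated across attached SGs, peers given as CIDR, SG or prefix list, stateful replies), this Python model evaluates a packet against an instance's security groups. It is not code from these notes or from AWS; the group ids, prefix list and addresses are constructed sample data.

```python
import ipaddress
from collections import namedtuple

# Constructed sample data, not AWS code. A rule is always an ALLOW; its peer is the
# source (inbound) or destination (outbound): a CIDR, an SG id or a prefix list id.
Rule = namedtuple("Rule", "direction protocol ports peer")   # protocol "-1" = all
PREFIX_LISTS = {"pl-office": ["10.0.0.0/8", "192.168.1.0/24"]}
GROUPS = {   # sg id -> (private IPs of instances carrying the SG, rules)
    # default SG: all traffic from members of the same SG, all traffic outbound
    "sg-default": ({"10.0.0.7", "10.0.0.8"}, [
        Rule("inbound", "-1", (0, 65535), "sg-default"),
        Rule("outbound", "-1", (0, 65535), "0.0.0.0/0")]),
    # web SG whose auto-created outbound rule was deleted: only inbound 80 remains
    "sg-web": ({"10.0.0.8", "10.0.0.9"}, [Rule("inbound", "tcp", (80, 80), "pl-office")]),
}

def peer_matches(peer, ip):
    """Resolve a rule's CIDR, SG reference or prefix list against one IP."""
    if peer.startswith("sg-"):
        return ip in GROUPS[peer][0]
    cidrs = PREFIX_LISTS[peer] if peer.startswith("pl-") else [peer]
    return any(ipaddress.ip_address(ip) in ipaddress.ip_network(c) for c in cidrs)

def rule_matches(rule, direction, proto, port, peer_ip):
    if rule.direction != direction:
        return False
    if rule.protocol != "-1" and (rule.protocol != proto
                                  or not rule.ports[0] <= port <= rule.ports[1]):
        return False
    return peer_matches(rule.peer, peer_ip)

class Instance:
    def __init__(self, sg_ids):
        self.sg_ids = sg_ids
        self.tracked = set()   # connection table: (peer_ip, proto, instance-side port)

    def allowed(self, direction, proto, port, peer_ip):
        key = (peer_ip, proto, port)
        if key in self.tracked:   # stateful: a reply in a tracked flow passes
            return True           # regardless of the rules for that direction
        # ALLOW rules of every attached SG are aggregated; there are no DENY
        # rules, so any match allows the packet and no match drops it.
        for sg_id in self.sg_ids:
            if any(rule_matches(r, direction, proto, port, peer_ip)
                   for r in GROUPS[sg_id][1]):
                self.tracked.add(key)
                return True
        return False
```

Attaching both groups to one instance shows the aggregation, and the web-only instance shows that a reply to an allowed inbound request leaves even though no outbound rule exists.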