• Home
  • AWS security groups

Amazon Web Services: Virtual Private Cloud security groups

What are security groups in Virtual Private Cloud?

A security group is like a virtual firewall. It works much like a traditional firewall does.

It consists of a set of rules that can be used to monitor and filter an instance's incoming and outgoing traffic in a Virtual Private Cloud (VPC) instance. Filtering is done on the basis of protocols and ports.

An instance can be assigned with a maximum of five security groups. Unlike network access control lists (ACLs), which operate at the subnet level, security groups operate at the instance level. Therefore, it's not necessary to assign the same set of security groups to every instance in a subnet. Every instance is allowed to have a different set of security groups.

On top of this, security groups can be assigned to multiple instances.

Highlights of AWS security group

  • Security groups are permissive. You cannot have a rule to deny access.
  • They are stateful. Irrespective of the inbound rules, if you send a request from your instance, the response traffic for that request will be automatically allowed. For VPC security groups, the responses to allowed inbound traffic can leave the instance irrespective of outbound rules.
  • By default, they allow all outbound traffic.By default, they allow all outbound traffic.
  • Every VPC includes a default security group.

Default security groups

Every VPC includes a default security group. If you do not specify a security group while launching an instance, the default security group will be assigned to it.

However, at anytime, you can define a new security group using the Amazon EC2 console.

The default security group comes with the following built-in rules:

  • The inbound traffic coming from instances associated with the default security group will be allowed.
  • All outbound traffic originating from the instance is allowed.

Nevertheless, you can modify the default security group’s rules.

The default security group cannot be deleted. If you attempt to delete it, the following error will be displayed:

Client.CannotDelete: the specified group: "sg-51320848" name: "default" cannot be deleted by a user.

What are security group rules?

Every security group consists of a set of rules. The security group examines all of its rules before allowing any traffic to enter or leave the instance. The rules that are used to control the inbound traffic are independent of the rules that are used to control the outbound traffic.

When a new security group is created, initially all inbound traffic is restricted and outbound traffic is allowed. Therefore, you need to add rules to the group to permit incoming traffic and to apply restrictions on the outbound traffic.

There is a limit, known as VPC quotas, on the number of rules that can be created for a security group. A security group can have a maximum of 120 rules. Out of the 120 rules, 60 rules are inbound rules and 60 rules are outbound rules. The limit of 120 rules is imposed separately for IPv4 and IPv6 rules. This means a security group can have 60 inbound rules and 60 outbound rules for IPv4 traffic and 60 inbound rules and 60 outbound rules for IPv6 traffic.

Since an instance can have multiple security groups associated with it, all the rules from each security group associated with the instance are combined together to form a single set of rules. This set of rules is used to determine whether the traffic should be denied or allowed into the instance.

For every security rule that you add to the security group, you need to specify the values for the following six fields:

  • Type: Indicates the protocol type. Select the required protocol, say HTTP or SSH, from the drop-down list. Custom protocols are also included in the list.
  • Protocol: This is usually covered by Type. So this field will be greyed out. However, if you had created a custom rule, you can state a protocol, like TCP or UDP for example
  • Port Range: This value will be filled automatically depending upon the default port or port range of the protocol you chose. You can also use custom ports if you'd like.
  • ICMP Type and Code.
  • Source (inbound rules) or Destination (outbound rules): You can specify a particular IP Address, an AWS security group, or a subnet.

Note: If you specify as the IP Address, anyone will be able to access the instance.

Source/Destination Convention to be followed
IPv4 Address /32 prefix length used.
For example:
IPv6 Address /128 prefix length used.
For example: 2001:db8:4567:1a00::123/128.
Range of IPv4 Addresses For example:
Range of IPv6 Addresses For example: 2001:db8:4343:1a00::/64
Prefix List ID For example: pl-1212abc1212abc121
Prefix List ID Current security group, different security group in the same VPC, different security group in a VPC peering connection
  • Description: You can include a description for the rule. The convention for this is the same as the one for security group description.

It's also important to note that only rules to allow traffic can be defined in the security group. Rules to deny traffic cannot be defined.

Creating and managing security groups

The following steps will guide you through the entire process of creating and managing a security group as well as the security group rules.

How to create a security group using the AWS Management Console 

Every new instance comes with a default security group. However, Amazon VPC also provides you with the option to create your own security groups.

Step 1: Click on Security Groups under SECURITY on the navigation pane after opening the Amazon VPC console (a list of security groups will be displayed if you've already created some).
Vpc security groups
Step 2: Click the Create security group button at the top right-hand corner of the screen.
Vpc security group
Step 3: You will have to provide a name for your security group as well as a description. Then select the appropriate VPC ID.
Amazon security group
Step 4: You can either add security group rules now or after creating the security group.
Amazon vpc security group
Step 5: Click the Create security group button at the bottom-right corner of the screen.
Amazon vpc security
Step 6: A security group will be created successfully.
Aws security group

You can also create a security group by employing the command line.

Conventions for naming and providing a description for a security group  
How to change the security groups associated with an instance 
How to delete a security group from a VPC 
How to view the list of all security groups 
How to create a copy of a security group 

How to manage and modify rules in a security group

Any addition or modification of the rules of a security group will be applied to all instances linked to that particular security group.

By default, a new security group by default consists of a single outbound rule that permits all outbound traffic. In order to permit only certain outbound traffic to leave your instance, you can remove this rule and add specific outbound rules that restrict the traffic. The below steps will guide you to add and modify rules in a security group.

Adding a rule to the security group using VPC Console 
Deleting a rule in the security group using the VPC Console 
Modifying a rule in the security group using the VPC Console  

Stale security groups

When a security group rule is referencing another security group in a peer VPC, if the referenced security group is deleted or if the peer connection has been deleted, the security group rule becomes obsolete. Such rules are known as stale security group rules. They will not be deleted automatically and have to be deleted manually.

Deleting or modifying a stale rule in a security group using the VPC Console:

Step 1: Click Security Groups under Security on the navigation pane after opening the Amazon VPC Console.
Amazon security group
Step 2: There will be a notification icon at the top of the screen stating that you have new stale security group rules. Click Manage state rules.
Amazon vpc security group
Step 3: The stale rule can be deleted or modified by clicking Edit.
Amazon vpc security
Step 4: You can make changes to the stale rule. Click Save changes after modifying the stale rule.
Vpc security groups
Step 5: If you want to delete the rule, click Delete. Click Delete all to delete all the stale rules.
Vpc security group

If another peer connection is established between the same VPCs after deletion of the original peer connection, the security group rules will no longer be stale.

Products mentioned on this page:

Recently added chapters


Get the latest content delivered
right to your inbox!




  Zoho Corporation Pvt. Ltd. All rights reserved.