
Security Groups Inside AWS


A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. It controls the traffic that is allowed to reach and leave the resources (such as EC2 instances) that it is associated with inside the VPC.

When you create a VPC, it comes with a default security group. You can create additional security groups for a VPC, each with their own inbound and outbound rules. You can specify the source, port range, and protocol for each inbound rule. You can specify the destination, port range, and protocol for each outbound rule.

The following diagram shows a VPC with a subnet, an internet gateway, and a security group. The subnet contains an EC2 instance. The security group is assigned to the instance. The security group acts as a virtual firewall. The only traffic that reaches the instance is the traffic allowed by the security group rules. For example, if the security group contains a rule that allows ICMP traffic to the instance from your network, then you could ping the instance from your computer. If the security group does not contain a rule that allows SSH traffic, then you could not connect to your instance using SSH.

Figure: A VPC with a security group. The EC2 instance in the subnet is associated with the security group.

Security group basics

  • A security group name must be unique within the VPC. You can assign a security group only to resources created in the same VPC as the security group. You can assign multiple security groups to a resource.
  • Security groups are stateful. For example, if you send a request from an instance, the response traffic for that request is allowed to reach the instance regardless of the inbound security group rules. Responses to allowed inbound traffic are allowed to leave the instance, regardless of the outbound rules.

Security group example

The following diagram shows a VPC with two security groups and two subnets. The instances in subnet A have the same connectivity requirements, so they are associated with security group 1. The instances in subnet B have the same connectivity requirements, so they are associated with security group 2. The security group rules allow traffic as follows:

  • The first inbound rule in security group 1 allows SSH traffic to the instances in subnet A from the specified address range (for example, a range in your own network).
  • The second inbound rule in security group 1 allows the instances in subnet A to communicate with each other using any protocol and port.
  • The first inbound rule in security group 2 allows the instances in subnet B to communicate with each other using any protocol and port.
  • The second inbound rule in security group 2 allows the instances in subnet A to communicate with the instances in subnet B using SSH.
  • Both security groups use the default outbound rule, which allows all traffic.

Figure: A VPC with two security groups and servers in two subnets. The servers in subnet A are associated with security group 1. The servers in subnet B are associated with security group 2.

Click Here to Learn about Network Access Control List (NACL) inside AWS