📖 What are Amazon VPC Security Groups?
Amazon VPC Security Groups act as a virtual firewall for your EC2 instances to control inbound and outbound traffic. They operate at the instance level (each group is attached to an instance's elastic network interface) and are stateful: once a connection is allowed in one direction, its return traffic is automatically allowed regardless of the rules in the other direction.
"Remember that Security Groups are stateful and support only 'Allow' rules; you cannot explicitly 'Deny' a specific IP address here."
📚 Certification: AWS Certified Cloud Practitioner (CLF-C02)
🔑 What are the Key Concepts of Amazon VPC Security Groups?
- ▸ Stateful operation ensures that if an inbound request is allowed, the outbound response is automatically permitted, regardless of outbound rule configurations; the same holds in reverse for connections the instance initiates.
- ▸ Security groups operate at the instance level, acting as a virtual firewall for individual EC2 instances rather than the entire subnet.
- ▸ They use an allow-list model: only explicit 'Allow' rules exist, there is no 'Deny' rule, and any traffic not matched by an allow rule is implicitly denied.
- ▸ Rules are defined by protocol, port range, and source/destination, allowing traffic from specific IP ranges or other security group IDs.
- ▸ An EC2 instance can be associated with multiple security groups; the rules of all associated groups are effectively unioned, so traffic is allowed if any one group allows it, and no group takes precedence over another.
🎯 How do Amazon VPC Security Groups appear on the CLF-C02 Exam?
You may be asked to identify the correct mechanism to allow HTTP and HTTPS traffic to a web server while blocking all other incoming ports.
A scenario might describe a need to block a specific malicious IP address from accessing a subnet, requiring you to distinguish between Security Groups and Network ACLs.
Expect questions asking whether return traffic for a connection initiated from outside the VPC is allowed when the outbound rules do not explicitly permit it (it is, because security groups are stateful).
❓ Frequently Asked Questions
What happens if I don't add any rules to a new security group?
By default, a new security group that you create allows no inbound traffic and allows all outbound traffic. You must explicitly add allow rules for any incoming requests to reach your instance. The one exception is the default security group of each VPC, which additionally allows all inbound traffic from other instances that are associated with that same default group.
Can I use a security group to block a specific IP address?
No, security groups only support 'Allow' rules. To explicitly deny or block a specific IP address, you must use a Network Access Control List (NACL) at the subnet level. Keep in mind that NACLs are stateless and evaluated in rule-number order: place the deny rule with a lower number than the allow rules it must override, and add rules for the return traffic (typically the ephemeral port range) in the opposite direction, because a NACL will not admit a response automatically.
Why would I reference another security group as a source instead of an IP range?
Referencing a security group allows instances to communicate based on their membership in a group: the rule matches any network interface that has the referenced group attached, whatever its private IP address. This simplifies management as instances scale, since new instances are covered automatically without manually updating IP lists.
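The following block is an added illustration, not AWS code or an SDK call: a small offline model of the evaluation semantics the key-concepts list, the exam scenarios and the FAQ above describe. It shows an allow-only, stateful security group whose rules are unioned across every group attached to an instance, a rule whose source is another security group rather than a CIDR, and a stateless, ordered network ACL with an explicit deny. All group ids (`sg-web`, `sg-db`, `sg-ssh`), addresses and rules are constructed sample data, and the rule fields are a simplification of the console's protocol, port range and source/destination fields.

```python
"""Toy evaluator for AWS security-group vs. network-ACL semantics (illustrative only)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One packet direction. Hashable so it can live in a connection-tracking set."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

    def reverse(self):
        return Flow(self.dst_ip, self.dst_port, self.src_ip, self.src_port, self.proto)


@dataclass
class SGRule:
    proto: str
    from_port: int
    to_port: int
    source: str            # a CIDR, or the id of another security group


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass
class NaclRule:
    number: int
    proto: str
    from_port: int
    to_port: int
    cidr: str
    action: str            # "allow" or "deny"; NACLs, unlike security groups, support deny


class Vpc:
    def __init__(self):
        self.groups = {}       # security-group id -> SecurityGroup
        self.attached = {}     # instance private IP -> list of attached group ids
        self.nacl_in, self.nacl_out = [], []
        self.state = set()     # flows already admitted (the "stateful" part)

    def _sg_match(self, rule, flow, remote_ip):
        if rule.proto != flow.proto or not rule.from_port <= flow.dst_port <= rule.to_port:
            return False
        if rule.source.startswith("sg-"):
            # Group reference: matches any interface that has that group attached
            return rule.source in self.attached.get(remote_ip, [])
        return ip_address(remote_ip) in ip_network(rule.source)

    def sg_allows(self, flow, direction):
        """Security groups: stateful, allow-only, rules unioned across attached groups."""
        if flow.reverse() in self.state:     # return traffic of an admitted flow
            return True
        local, remote = (flow.dst_ip, flow.src_ip) if direction == "in" else (flow.src_ip, flow.dst_ip)
        for sg_id in self.attached.get(local, []):
            rules = getattr(self.groups[sg_id], "inbound" if direction == "in" else "outbound")
            if any(self._sg_match(r, flow, remote) for r in rules):
                self.state.add(flow)
                return True
        return False                          # nothing matched: implicit deny

    def nacl_allows(self, flow, direction):
        """Network ACL: stateless, lowest rule number wins, ends with an implicit deny."""
        rules = self.nacl_in if direction == "in" else self.nacl_out
        remote = flow.src_ip if direction == "in" else flow.dst_ip
        for r in sorted(rules, key=lambda r: r.number):
            if (r.proto == flow.proto and r.from_port <= flow.dst_port <= r.to_port
                    and ip_address(remote) in ip_network(r.cidr)):
                return r.action == "allow"
        return False


def build_sample_vpc():
    """Constructed sample topology: a web server with two groups and a database behind it."""
    vpc = Vpc()
    vpc.groups["sg-web"] = SecurityGroup(      # deliberately no outbound rule at all
        inbound=[SGRule("tcp", 80, 80, "0.0.0.0/0"), SGRule("tcp", 443, 443, "0.0.0.0/0")])
    vpc.groups["sg-ssh"] = SecurityGroup(inbound=[SGRule("tcp", 22, 22, "10.0.0.0/16")])
    vpc.groups["sg-db"] = SecurityGroup(inbound=[SGRule("tcp", 3306, 3306, "sg-web")])
    vpc.attached["10.0.1.10"] = ["sg-web", "sg-ssh"]   # two groups, rules are unioned
    vpc.attached["10.0.2.20"] = ["sg-db"]
    # Subnet NACL: deny one abusive range first, then allow web ports; allow ephemeral replies out
    vpc.nacl_in = [NaclRule(90, "tcp", 0, 65535, "203.0.113.0/24", "deny"),
                   NaclRule(100, "tcp", 80, 80, "0.0.0.0/0", "allow"),
                   NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    vpc.nacl_out = [NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]
    return vpc


def demo():
    vpc = build_sample_vpc()
    http = Flow("198.51.100.7", 40000, "10.0.1.10", 80)
    r = {}
    r["http_in"] = vpc.sg_allows(http, "in")                    # sg-web allows 80
    r["http_reply"] = vpc.sg_allows(http.reverse(), "out")      # stateful: no outbound rule needed
    r["reply_without_request"] = vpc.sg_allows(Flow("10.0.1.10", 80, "198.51.100.8", 40000), "out")
    r["ssh_in"] = vpc.sg_allows(Flow("10.0.5.5", 41000, "10.0.1.10", 22), "in")      # via sg-ssh
    r["rdp_in"] = vpc.sg_allows(Flow("198.51.100.7", 40001, "10.0.1.10", 3389), "in")  # implicit deny
    r["db_from_web"] = vpc.sg_allows(Flow("10.0.1.10", 42000, "10.0.2.20", 3306), "in")    # group ref
    r["db_from_other"] = vpc.sg_allows(Flow("10.0.5.5", 42001, "10.0.2.20", 3306), "in")
    r["nacl_bad_ip"] = vpc.nacl_allows(Flow("203.0.113.9", 5000, "10.0.1.10", 80), "in")  # explicit deny
    r["nacl_reply"] = vpc.nacl_allows(http.reverse(), "out")    # only because ephemeral ports are allowed
    vpc.nacl_out = []                                           # drop that rule: stateless NACL drops replies
    r["nacl_reply_no_ephemeral"] = vpc.nacl_allows(http.reverse(), "out")
    return r


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```

The two reply cases are the ones worth pausing on: `sg-web` has no outbound rule, yet the HTTP response is allowed because the request was tracked, while the same response is denied by the NACL as soon as the ephemeral-port rule is removed, which is exactly the difference an exam scenario about "blocking a specific IP" turns on.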