Security Group
💡 Definition
An AWS Security Group acts as a virtual firewall for your EC2 instances to control inbound and outbound traffic. It operates at the instance level.
🔑 Key Concepts
- Instance Level: Controls traffic for one or more EC2 instances.
- Stateful: If a connection is allowed in one direction, its return traffic is automatically allowed in the other. You don't need to explicitly create rules for return traffic.
- Allow Rules Only: You can only specify allow rules; you cannot create deny rules.
- Egress and Ingress Rules: Separate rules for incoming (ingress) and outgoing (egress) traffic.
⚙️ How it Works
When you launch an EC2 instance, you associate one or more Security Groups with it. The Security Group rules define which network traffic is permitted to reach or leave the instance.
🎯 Use Cases
- Controlling Access to Web Servers: Allow HTTP/HTTPS traffic (ports 80, 443) from anywhere.
- Restricting Database Access: Only allow traffic on database ports (e.g., 3306 for MySQL) from specific application servers.
- SSH Access: Allowing SSH (port 22) from your IP address for administration.
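The three use cases above, together with the stateful and allow-only behaviour described under "How it Works", can be modelled in a few lines. The following is an added example, not code from the page or from AWS: it builds two constructed security groups (a web tier and a database tier that only accepts MySQL from instances carrying the web group) and evaluates sample packets against them. The group ids, the 10.0.x.x instance addresses and the admin address 203.0.113.10 are all assumed sample values.

```python
from ipaddress import ip_address, ip_network

# Constructed sample groups. Rules are (protocol, port, peer); the peer is
# either a CIDR or the id of another security group, as AWS allows.
ADMIN_IP = "203.0.113.10/32"   # assumed admin address (documentation range)
SECURITY_GROUPS = {
    "sg-web": {   # web tier: HTTP/HTTPS from anywhere, SSH only from the admin IP
        "ingress": [("tcp", 80, "0.0.0.0/0"), ("tcp", 443, "0.0.0.0/0"),
                    ("tcp", 22, ADMIN_IP)],
        "egress": [("all", None, "0.0.0.0/0")],   # AWS default egress rule
    },
    "sg-db": {    # database tier: MySQL only from instances that carry sg-web
        "ingress": [("tcp", 3306, "sg-web")],
        "egress": [],   # default egress rule deleted: no new outbound flows
    },
}

def rule_matches(rule, proto, port, peer_ip, peer_sgs):
    """Allow-rule match: protocol, port and peer (CIDR or group id) must agree."""
    r_proto, r_port, r_peer = rule
    if r_proto != "all" and r_proto != proto:
        return False
    if r_port is not None and r_port != port:
        return False
    if r_peer.startswith("sg-"):
        return r_peer in peer_sgs            # group-to-group reference
    return ip_address(peer_ip) in ip_network(r_peer)

class StatefulSecurityGroup:
    """Evaluates one security group the way AWS does: allow-only and stateful."""
    def __init__(self, sg_id):
        self.sg_id = sg_id
        self.flows = set()   # (direction, proto, port, peer_ip) already allowed

    def check(self, direction, proto, port, peer_ip, peer_sgs=()):
        """True if the packet passes; direction is 'ingress' or 'egress'."""
        reverse = "egress" if direction == "ingress" else "ingress"
        if (reverse, proto, port, peer_ip) in self.flows:
            return True   # stateful: reply to a flow allowed the other way
        for rule in SECURITY_GROUPS[self.sg_id][direction]:
            if rule_matches(rule, proto, port, peer_ip, peer_sgs):
                self.flows.add((direction, proto, port, peer_ip))
                return True
        return False   # no allow rule matched; there are no deny rules to write
if __name__ == "__main__":
    db = StatefulSecurityGroup("sg-db")
    print(db.check("ingress", "tcp", 3306, "10.0.1.5", peer_sgs={"sg-web"}))  # True
    print(db.check("egress", "tcp", 3306, "10.0.1.5"))   # True via state, no egress rule
    print(db.check("egress", "tcp", 443, "10.0.1.5"))    # False: DB cannot start new flows
```

Note that the database reply on port 3306 passes with an empty egress rule list, which is the stateful behaviour the exam tips refer to, while a new outbound flow from the database is refused.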
💰 Pricing Model
- Free: Security Groups are a feature of AWS networking and incur no additional cost.
📝 Exam Tips (CLF-C02)
- Security Groups are stateful.
- Operate at the instance level.
- The default egress rule allows all outbound traffic.
- Often compared to NACLs (Network Access Control Lists), which are stateless and operate at the subnet level.