Understanding Amazon Security Groups - Part 2

June 2019 · 9 minutes

In my previous article, we looked at the basics of Amazon security groups, which control traffic to and from an EC2 instance. In this article, we deepen our understanding of Amazon security groups and attempt to elucidate the differences between EC2-Classic security groups and EC2-VPC security groups.

What Is Amazon VPC?

First, let’s get a quick overview of Amazon VPC. Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network — you can establish subnets, define routing tables, and create network gateways. The benefit is that you can leverage Amazon’s scalable infrastructure that is logically isolated from other virtual networks within AWS.

Your AWS account is provisioned with a default Amazon VPC and a default security group. This security group allows all inbound traffic from instances assigned to the same security group and allows all outbound traffic to any IPv4 and IPv6 address. If a specific subnet is not specified, an instance is launched into your default VPC and the default security group is associated with this instance.

It should be noted that the EC2-Classic platform was introduced in the original release of Amazon EC2. If you created your AWS account after December 4th, 2013, it does not support EC2-Classic, so you must launch your Amazon EC2 instances in a VPC. Therefore, if you are creating EC2 instances after December 4th, 2013, they are most likely being deployed to the new VPC architecture. Only when dealing with legacy infrastructure does one need to consider the differences between EC2-Classic and EC2-VPC security groups.

Nomenclature Confusion

It should be noted that the terms VPC security group and EC2 security group are used interchangeably in the Amazon documentation. This may be somewhat confusing. One could realistically assume that an EC2 security group applies to an instance, whereas a VPC security group applies to a VPC. This is not the case. A security group, whether it be referred to as an EC2 or VPC security group, acts exclusively on one or more instances. A network ACL, on the other hand, allows you to define rules similar to a security group, but can be applied to a VPC. We will look at the differences between security groups and network ACLs in a later section.

This confusing nomenclature arose from the transition from the EC2-Classic to EC2-VPC architecture. There are differences between EC2-Classic and EC2-VPC security groups (we will discuss these differences in a later section), however one should assume that when referring to security groups, they will most likely always be EC2-VPC security groups.

Going forward, I will refer to Amazon security groups simply as security groups and only use the EC2-Classic and EC2-VPC naming convention when drawing attention to differences in their functionality.

Security Group Overview

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. It is helpful to note that only EC2-VPC security groups allow you to define egress rules as well as ingress rules.

Security Group Basics

The following are the basic characteristics of security groups:

Default Security Group

Your VPC automatically comes with a default security group eponymously given the group name default. If you don’t specify a security group when you launch an EC2 instance, the instance is automatically associated with this security group.

The following table describes the default rules for the default security group:

Inbound

Source Protocol Port Range Comments
The security group ID (sg-xxxxxxxx) All All Allow inbound traffic from instances assigned to the same security group.

Outbound

Destination Protocol Port Range Comments
0.0.0.0/0 All All Allow all outbound IPv4 traffic.
::/0 All All Allow all outbound IPv6 traffic. This rule is added by default if you create a VPC with an IPv6 CIDR block or if you associate an IPv6 CIDR block with your existing VPC.

Note: You can change the rules for the default security group, however you can’t delete a default security group.

Security Group Rules

You can add or remove rules for a security group (also referred to as authorizing or revoking inbound or outbound access). A rule applies either to inbound traffic (ingress) or outbound traffic (egress).

The following are the basic characteristics of security group rules:

Inbound rules only

Outbound rules only

Example Security Group Rules

Inbound

Source Protocol Port Range Comments
0.0.0.0/0 TCP 80 Allow inbound HTTP access from all IPv4 addresses
0.0.0.0/0 TCP 443 Allow inbound HTTPS access from all IPv4 addresses
Your network’s public IPv4 address range TCP 22 Allow inbound SSH access to Linux instances from IPv4 IP addresses in your network (over the Internet gateway)
Your network’s public IPv4 address range TCP 3389 Allow inbound RDP access to Windows instances from IPv4 IP addresses in your network (over the Internet gateway)

Outbound

Destination Protocol Port Range Comments
The ID of the security group for your MySQL database servers TCP 3306 Allow outbound MySQL access to instances in the specified security group

For examples of security group rules for specific kinds of access, see Security Group Rules Reference.

Differences Between EC2-Classic and EC2-VPC Security Groups

Characteristic EC2-Classic Default VPC Nondefault VPC
Security group A security group can reference security groups that belong to other AWS accounts. A security group can reference security groups for your VPC only. A security group can reference security groups for your VPC only.
Security group association You can assign an unlimited number of security groups to an instance when you launch it, however you can’t change the security groups of your running instance. You can assign up to 5 security groups to an instance. You can assign security groups to your instance when you launch it and while it’s running. You can assign up to 5 security groups to an instance. You can assign security groups to your instance when you launch it and while it’s running.
Security group rules You can add rules for inbound traffic only. You can add rules for inbound and outbound traffic. You can add rules for inbound and outbound traffic.

Comparison of Security Groups and Network ACLs

The following table summarizes the basic differences between security groups and network ACLs.

Security Group Network ACL
Operates at the instance level Operates at the subnet level
Supports allow rules only Supports allow rules and deny rules
Is stateful: Return traffic is automatically allowed, regardless of any rules Is stateless: Return traffic must be explicitly allowed by rules
We evaluate all rules before deciding whether to allow traffic We process rules in number order when deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on Automatically applies to all instances in the subnets it’s associated with (therefore, you don’t have to rely on users to specify the security group)

Example CloudFormation Security Group

The following CloudFormation template defines a security group that allows all inbound HTTP and HTTPS traffic from any IPv4 address or IPv6 address:

EC2SecurityGroup:
  Type: AWS::EC2::SecurityGroup
  Properties:
    GroupName: !Sub '${AWS::StackName}-sg'
    SecurityGroupIngress:
      - !Ref EC2SecurityGroupIngressHttp
      - !Ref EC2SecurityGroupIngressHttps
    VpcId: !Ref VpcId

EC2SecurityGroupIngressHttp:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    CidrIp: 0.0.0.0/0
    CidrIpv6: ::/0
    Description: Allow HTTP access
    FromPort: 80
    GroupId: !GetAtt EC2SecurityGroup.GroupId
    IpProtocol: 6
    ToPort: 80

EC2SecurityGroupIngressHttps:
  Type: AWS::EC2::SecurityGroupIngress
  Properties:
    CidrIp: 0.0.0.0/0
    CidrIpv6: ::/0
    Description: Allow HTTP access
    FromPort: 443
    GroupId: !GetAtt EC2SecurityGroup.GroupId
    IpProtocol: 6
    ToPort: 443

Note: If you are deploying an EC2 instance to a VPC and you do not specify a VpcId, the security group is added to the default Amazon VPC for your account.