What is an AWS Security Group?
AWS Security Group Best Practice
AWS Security Groups FAQ
No. Adding a security group to an AWS ElastiCache cluster should not cause any downtime.
AWS Security Group is usually abbreviated as SG.
At the time of this writing (September 2020) NLB (Network Load Balancer) doesn’t support security groups. (AWS added security group support for NLB later, in August 2023.)
Yes. AWS security groups are region-specific, and within a region each one belongs to a single VPC.
No. You don’t need to restart your instance after a security group change; the change takes effect on its own. Note that if you remove a rule, connections that are already established and tracked by connection tracking may not be dropped immediately, because security groups are stateful; new connections that would have matched the removed rule are refused right away.
Yes, you can use CIDR notation in both ingress and egress rules. For example, to allow egress only to Google’s public DNS resolver, you can use the resolver’s address with a /32 mask as the destination.
No. AWS security groups are free.
No. A security group’s name cannot be changed after creation (its Name tag can). To rename one, create a new security group with the same ingress and egress rules and swap the old group for the new one on each resource that uses it.
Security group changes are applied by AWS within seconds of the API call returning; in practice the only noticeable delay is the API call itself.
Security groups deny all inbound traffic by default, so ICMP (for example ping) is not allowed unless you add an ICMP rule explicitly.
Yes, as long as it is not referenced by a rule in another security group and is not attached to any resource (network interface). The VPC’s default security group can never be deleted.
Traffic to the loopback address never leaves the instance and does not pass through the security group, so you do not need an ingress rule for localhost / 127.0.0.1.
If the application needs to reach itself or its peers through the network interface address, for example the members of a MongoDB replica set, add the security group itself as the source in its own ingress rules (and as the destination in its egress rules if egress is restricted).
Not directly related. You can allow a specific subnet’s CIDR block as the source / destination IP range in a security group rule, but the rule matches any address in that range, not the subnet as an object.
Security groups are scoped to a VPC, not a subnet, so a security group can be used in any subnet of its VPC.
No. Network calls to the loopback address do not go through security groups.
You can see the security groups used by Amazon ElastiCache under EC2 -> Security Groups or VPC -> Security Groups; ElastiCache clusters in a VPC use ordinary VPC security groups.
No. The default security group is free.
No. You cannot put an AWS S3 bucket behind a security group. To allow only specific IP addresses to reach an S3 bucket, use a bucket policy with an aws:SourceIp condition.
No. You cannot put an S3 bucket serving a static site behind a security group either.
Ideally it should be empty: no ingress and no egress rules. The reason is that this security group is attached automatically to any resource created without explicit security group information, so anything it allows is granted by accident.
If you need a shared baseline security group, create a new one (not the VPC’s default) that contains only the minimal rules necessary and attach it explicitly.
Yes, but it has to be in a different VPC.
Yes. You can use IPv6 addresses and CIDR ranges in AWS security group rules, both ingress and egress.
Yes. You can modify security group rules while an instance is running. You can also attach a security group to, or detach one from, a running instance.
No. Both are free.
You can refer to the AWS Elasticsearch security group reference.
Security groups are regional resources, so if you need a security group with the same rules in another region you have to create a new security group in each region.
A security group belongs to one VPC, but a rule in one VPC can reference a security group in a peered VPC in the same region (via VPC peering).
No. You don’t have to restart an AWS instance for a security group change to take effect.
Yes. You have to attach at least one security group to an ELB (Classic Load Balancer) in a VPC and to an ALB (Application Load Balancer).
If you want to allow AWS resource
Key pairs are used to connect to an EC2 instance via SSH, or to decrypt the administrator password of a Windows instance.
Security groups act as a network firewall for EC2 instances, ELB / ALB, Lambda functions in a VPC, RDS, ElastiCache, Elasticsearch and other services that support security groups.
With them you set which IP / IP range and/or which other security group can reach the resource over the network on specific protocols and ports.
No. Security groups filter on IP address, protocol and port only; they do not inspect application-layer content. For HTTP inspection in front of an ALB use AWS WAF.
Yes. AWS security groups are free.
No. It’s part of the EC2 service (security groups are managed through the EC2 / VPC APIs).
Yes. An AWS security group is tied to a VPC.
No. NAT gateways don’t use security groups; control them with the network ACL of their subnet and the security groups of the instances that route through them.
The default is 5 security groups per network interface. The maximum is 16 (you have to request the increase through Service Quotas / AWS Support), and the product of security groups per interface and rules per security group cannot exceed 1,000.
No. Internet gateways don’t have security groups.
You can use a /32 mask (for example 203.0.113.10/32) to whitelist a single IPv4 address; for a single IPv6 address use /128.
1. Create the security group.
2. Add a new rule whose source is the security group ID (e.g. sg-12346) of the security group you just created.
Yes you can. Create a new ingress rule on the security group attached to the app instance, with the application port as the port and the security group ID of the load balancer as the source. The app then accepts traffic only from the load balancer, whatever IP address it uses.
For the IIS server itself, most likely you need to allow:
1. Ingress TCP port 80 (HTTP) from specific IPs (or from all addresses, 0.0.0.0/0)
2. Ingress TCP port 443 (SSL/TLS) from specific IPs (or from all addresses, 0.0.0.0/0)
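The three recipes above (the self-referencing group, load balancer to app instance, and the IIS ports) all reduce to building `IpPermissions` entries: a CIDR source goes in `IpRanges`/`Ipv6Ranges`, a security group source goes in `UserIdGroupPairs`. The following is an added example, not code from the original page; it assumes the `IpPermissions` shape that boto3's EC2 client takes and returns, uses placeholder group ids (`sg-12346`, `sg-app`, `sg-lb`) and documentation addresses, and applies rules idempotently, because `authorize_security_group_ingress` fails with `InvalidPermission.Duplicate` if a rule already exists. `FakeEc2` is an offline stand-in for `boto3.client("ec2")` so the script runs without an account.

```python
"""Idempotently apply the FAQ's ingress recipes (self-referencing group, load balancer -> app,
IIS 80/443) in the IpPermissions shape that boto3's EC2 client takes.
Group ids and addresses are placeholders for this example."""


def cidr_rule(port, cidr, proto="tcp"):
    """Allow proto/port from an IP range; /32 pins one IPv4 host, /128 one IPv6 host."""
    if ":" in cidr:
        return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
                "Ipv6Ranges": [{"CidrIpv6": cidr}]}
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": cidr}]}


def group_rule(port, source_group_id, proto="tcp"):
    """Allow proto/port from any interface carrying source_group_id, whatever address it has."""
    return {"IpProtocol": proto, "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": source_group_id}]}


def self_reference_rules(group_id, ports):
    """Step 2 of the self-referencing recipe: the source is the group's own id."""
    return [group_rule(p, group_id) for p in ports]


def lb_to_app_rules(lb_group_id, app_port):
    """App instances accept app_port only from the load balancer's security group."""
    return [group_rule(app_port, lb_group_id)]


def iis_rules(sources=("0.0.0.0/0",)):
    """HTTP and HTTPS from each source CIDR (0.0.0.0/0 means the whole IPv4 internet)."""
    return [cidr_rule(port, src) for src in sources for port in (80, 443)]


def atoms(perm):
    """Expand one IpPermissions entry into (proto, from, to, source) tuples so rules compare
    the same whether AWS returns them merged into one entry or split across several."""
    base = (perm["IpProtocol"], perm.get("FromPort", -1), perm.get("ToPort", -1))
    out = set()
    for r in perm.get("IpRanges", []):
        out.add(base + (r["CidrIp"],))
    for r in perm.get("Ipv6Ranges", []):
        out.add(base + (r["CidrIpv6"],))
    for p in perm.get("UserIdGroupPairs", []):
        out.add(base + (p["GroupId"],))
    return out


def missing_rules(existing, desired):
    """Desired rules not already in the group (authorizing a duplicate raises InvalidPermission.Duplicate)."""
    have = set().union(*(atoms(p) for p in existing))
    return [d for d in desired if not atoms(d) <= have]


def ensure_ingress(ec2, group_id, desired):
    """Apply only the missing rules; returns the rules that were actually added."""
    current = ec2.describe_security_groups(GroupIds=[group_id])["SecurityGroups"][0]
    to_add = missing_rules(current.get("IpPermissions", []), desired)
    if to_add:
        ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=to_add)
    return to_add


class FakeEc2:
    """Offline stand-in for boto3.client("ec2") exposing only the two calls used above."""

    def __init__(self, groups):
        self.groups = {g["GroupId"]: g for g in groups}

    def describe_security_groups(self, GroupIds):
        return {"SecurityGroups": [self.groups[g] for g in GroupIds]}

    def authorize_security_group_ingress(self, GroupId, IpPermissions):
        self.groups[GroupId].setdefault("IpPermissions", []).extend(IpPermissions)
        return {"Return": True}


if __name__ == "__main__":
    # Swap FakeEc2 for boto3.client("ec2") to apply these against a real account.
    ec2 = FakeEc2([{"GroupId": "sg-12346", "IpPermissions": []},
                   {"GroupId": "sg-app", "IpPermissions": []}])
    print(ensure_ingress(ec2, "sg-12346", self_reference_rules("sg-12346", [27017])))
    print(ensure_ingress(ec2, "sg-12346", self_reference_rules("sg-12346", [27017])))  # nothing left to add
    print(ensure_ingress(ec2, "sg-app", lb_to_app_rules("sg-lb", 8080) + iis_rules(["203.0.113.0/24"])))
```

The comparison in `atoms` matters in practice: AWS collapses several sources for the same protocol and port into one `IpPermissions` entry when it returns them, so comparing whole dictionaries would report rules as missing and then fail on the duplicate.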
You can use CIDR 0.0.0.0/0 to allow all IPv4 traffic (and ::/0 for all IPv6 traffic). You can use this CIDR in ingress and/or egress rules; on ingress it opens the port to the entire internet, so use it only for services that are meant to be public.
No. It’s a security best practice not to use the default security group. Also ensure that the ingress and egress rules of the default security group are empty.
You can allow telnet ingress by creating an ingress rule with the following details:
Type: Custom TCP
Port range: 23
Source: (your IP / Security group ID)
Traffic over telnet is not encrypted, so credentials and session contents are exposed to anyone on the path. Please avoid using telnet to connect to a server; use SSH instead.
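Several of the answers above turn into checks you can run over an account: the default security group should carry no rules, telnet should not be allowed at all, sensitive ports should not be open to 0.0.0.0/0 or ::/0, and a group that is still referenced by another group cannot be deleted. The following audit is an added example, not code from the original page. It assumes the list shape returned by boto3's `describe_security_groups()["SecurityGroups"]`; the three groups in `SAMPLE_GROUPS` are constructed sample data, not a real account, and `SENSITIVE_PORTS` is an illustrative list you would extend for your own environment.

```python
"""Audit security groups against the FAQ's rules of thumb: an empty default group, no telnet,
no sensitive ports open to the whole internet, and which groups are still referenced by other
groups (those cannot be deleted yet). Input is the shape boto3's describe_security_groups()
returns; the groups below are constructed sample data, not a real account."""
from ipaddress import ip_network

# Illustrative list of ports that should never be exposed to 0.0.0.0/0 or ::/0.
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres", 27017: "mongodb"}
TELNET = 23

SAMPLE_GROUPS = [
    {"GroupId": "sg-0def", "GroupName": "default", "VpcId": "vpc-1",
     # what an untouched VPC default group looks like: allow-all from itself, allow-all out
     "IpPermissions": [{"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [],
                        "UserIdGroupPairs": [{"GroupId": "sg-0def"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                              "Ipv6Ranges": [], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-0app", "GroupName": "app", "VpcId": "vpc-1",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080, "IpRanges": [], "Ipv6Ranges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0alb"}]},                        # only from the ALB
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "Ipv6Ranges": [],
          "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "UserIdGroupPairs": []},  # one admin host
         {"IpProtocol": "tcp", "FromPort": 23, "ToPort": 23, "Ipv6Ranges": [],
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],       # telnet from anywhere
     "IpPermissionsEgress": []},
    {"GroupId": "sg-0alb", "GroupName": "alb", "VpcId": "vpc-1",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}],
                        "UserIdGroupPairs": []}],
     "IpPermissionsEgress": []},
]


def port_range(perm):
    """Ports one entry covers; protocol "-1" (all traffic) carries no ports and means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)


def is_world_open(perm):
    """True if any source range is 0.0.0.0/0 or ::/0 (prefix length 0 catches both families)."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return any(ip_network(c).prefixlen == 0 for c in cidrs)


def referenced_by(groups):
    """group id -> ids of *other* groups whose rules name it as a source or destination."""
    refs = {g["GroupId"]: set() for g in groups}
    for g in groups:
        for perm in g.get("IpPermissions", []) + g.get("IpPermissionsEgress", []):
            for pair in perm.get("UserIdGroupPairs", []):
                target = pair.get("GroupId")
                if target in refs and target != g["GroupId"]:
                    refs[target].add(g["GroupId"])
    return refs


def audit(groups):
    """Return (group id, finding) pairs in group order."""
    findings = []
    refs = referenced_by(groups)
    for g in groups:
        gid = g["GroupId"]
        if g.get("GroupName") == "default" and (g.get("IpPermissions") or g.get("IpPermissionsEgress")):
            findings.append((gid, "default security group has rules; strip it and use a purpose-built group"))
        for perm in g.get("IpPermissions", []):
            lo, hi = port_range(perm)
            if perm.get("IpProtocol") == "tcp" and lo <= TELNET <= hi:
                findings.append((gid, "telnet (tcp/23) allowed; the session is unencrypted, use SSH"))
            if is_world_open(perm):
                for port, name in SENSITIVE_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((gid, f"{name} reachable from the whole internet"))
        for other in sorted(refs[gid]):
            findings.append((gid, f"referenced by {other}; DeleteSecurityGroup fails with "
                                  f"DependencyViolation until that rule is removed"))
    return findings


if __name__ == "__main__":
    # Against a real account: audit(boto3.client("ec2").describe_security_groups()["SecurityGroups"])
    for gid, msg in audit(SAMPLE_GROUPS):
        print(f"{gid}: {msg}")
```

Note that the untouched default group is reported even though it only allows traffic from itself: any instance launched without an explicit group lands in it and can then talk to every other such instance on every port, which is exactly the accidental grant the best-practice answer warns about.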