Amazon Virtual Private Cloud
User Guide (API Version 2014-06-15)

Security Groups for Your VPC

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic things you need to know about security groups for your VPC and their rules.

You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.

Security Group Basics

The following are the basic characteristics of security groups for your VPC:

  • You can create up to 100 security groups per VPC. You can add up to 50 rules to each security group. If you need to apply more than 50 rules to an instance, you can associate up to 5 security groups with each network interface.

  • You can specify allow rules, but not deny rules.

  • You can specify separate rules for inbound and outbound traffic.

  • By default, no inbound traffic is allowed until you add inbound rules to the security group.

  • By default, all outbound traffic is allowed until you add outbound rules to the group (and then, you specify the outbound traffic that's allowed).

  • Responses to allowed inbound traffic are allowed to flow outbound regardless of outbound rules, and vice versa (security groups are therefore stateful).

  • Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).

  • After you launch an instance, you can change which security groups the instance is associated with.

For information about increasing the limits related to security groups, see Amazon VPC Limits.

Default Security Group for Your VPC

Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don't specify a different security group when you launch the instance.

The following table describes the default rules for a default security group.

Inbound
Source | Protocol | Port Range | Comments
The security group ID (sg-xxxxxxxx) | All | All | Allow inbound traffic from instances assigned to the same security group

Outbound
Destination | Protocol | Port Range | Comments
0.0.0.0/0 | All | All | Allow all outbound traffic

You can change the rules for the default security group.

Security Group Rules

You can add or remove rules for a security group (also referred to as authorizing or revoking inbound or outbound access). A rule applies either to inbound traffic (ingress) or outbound traffic (egress). You can grant access to a specific CIDR range, or to another security group in your VPC.

The following are the basic parts of a security group rule:

  • (Inbound rules only) The source of the traffic (CIDR range or security group) and the destination port or port range

  • (Outbound rules only) The destination for the traffic (CIDR range or security group) and the destination port or port range

  • Any protocol that has a standard protocol number (for a list, see Protocol Numbers)

    If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

When you specify a security group as the source for a rule, this allows instances associated with the source security group to access instances in the security group. (Note that this does not add rules from the source security group to this security group.)

When you add or remove rules, they are automatically applied to all instances associated with the security group.

Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports.
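The rule semantics described in this section and under Security Group Basics (allow rules only, inbound and outbound judged separately, a security group ID usable as the peer of a rule without importing that group's rules, filtering on destination ports only, and stateful handling of replies) modelled in a small Python evaluator. This is an added example, not code from this guide or from AWS; the group IDs, the instance private addresses and the 203.0.113.0/24 range standing in for "your network's public IP address range" are constructed.

```python
"""Toy model of VPC security group semantics (added illustration, not AWS code):
allow rules only, inbound and outbound judged separately, a group ID as a rule's
peer, destination-port filtering only, and stateful handling of replies."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field
from typing import Optional

ALL = "all"  # wildcard for protocol or port range, like "All" in the rule tables


@dataclass(frozen=True)
class Rule:
    peer: str                        # CIDR ("0.0.0.0/0") or security group ID ("sg-...")
    protocol: str = ALL              # "tcp", "udp", "icmp" or ALL
    from_port: Optional[int] = None  # None means every port
    to_port: Optional[int] = None    # None with from_port set means a single port


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


class Vpc:
    def __init__(self) -> None:
        self.groups: dict = {}     # group ID -> SecurityGroup
        self.instances: dict = {}  # instance private IP -> list of group IDs
        self.flows: set = set()    # flows already allowed, consulted for replies

    def add_group(self, group: SecurityGroup) -> None:
        self.groups[group.group_id] = group

    def launch(self, ip: str, group_ids: list) -> None:
        if not 1 <= len(group_ids) <= 5:
            raise ValueError("an instance carries between 1 and 5 security groups")
        self.instances[ip] = list(group_ids)

    def _peer_matches(self, rule: Rule, peer_ip: str) -> bool:
        if rule.peer.startswith("sg-"):
            # A group as peer admits only instances assigned to that group; it
            # does not copy that group's rules into this one
            return rule.peer in self.instances.get(peer_ip, [])
        return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.peer)

    def _rule_matches(self, rule: Rule, peer_ip: str, pkt: Packet) -> bool:
        if rule.protocol != ALL and rule.protocol != pkt.protocol:
            return False
        if rule.from_port is not None:  # destination port only; source port is never checked
            high = rule.from_port if rule.to_port is None else rule.to_port
            if not rule.from_port <= pkt.dst_port <= high:
                return False
        return self._peer_matches(rule, peer_ip)

    def _allowed_by_rules(self, instance_ip: str, direction: str, peer_ip: str, pkt: Packet) -> bool:
        # Allow rules only: the policy is the union of the rules of every group on the instance
        for gid in self.instances[instance_ip]:
            for rule in getattr(self.groups[gid], direction):
                if self._rule_matches(rule, peer_ip, pkt):
                    return True
        return False

    def allowed(self, pkt: Packet) -> bool:
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.protocol)
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.protocol)
        if reverse in self.flows:
            return True  # stateful: a reply to an allowed flow passes regardless of rules
        if pkt.src_ip in self.instances and not self._allowed_by_rules(pkt.src_ip, "outbound", pkt.dst_ip, pkt):
            return False
        if pkt.dst_ip in self.instances and not self._allowed_by_rules(pkt.dst_ip, "inbound", pkt.src_ip, pkt):
            return False
        self.flows.add(flow)
        return True


def build_example_vpc() -> Vpc:
    """Default group plus web and database groups like the ones in the guide's
    example table. Group IDs, instance addresses and the 203.0.113.0/24 range
    standing in for "your network" are constructed."""
    vpc = Vpc()
    vpc.add_group(SecurityGroup("sg-default0", inbound=[Rule("sg-default0")], outbound=[Rule("0.0.0.0/0")]))
    vpc.add_group(SecurityGroup("sg-web00000",
                                inbound=[Rule("0.0.0.0/0", "tcp", 80), Rule("0.0.0.0/0", "tcp", 443),
                                         Rule("203.0.113.0/24", "tcp", 22)],
                                outbound=[Rule("sg-db000000", "tcp", 3306)]))
    vpc.add_group(SecurityGroup("sg-db000000", inbound=[Rule("sg-web00000", "tcp", 3306)],
                                outbound=[Rule("0.0.0.0/0")]))
    vpc.launch("10.0.1.10", ["sg-web00000"])
    vpc.launch("10.0.2.20", ["sg-db000000"])
    vpc.launch("10.0.3.30", ["sg-default0"])
    vpc.launch("10.0.3.31", ["sg-default0"])
    return vpc
```

With `vpc = build_example_vpc()`, an HTTP request from an outside address to the web instance (`Packet("198.51.100.7", 40000, "10.0.1.10", 80, "tcp")`) is allowed, and the reply in the other direction is allowed by the stateful check even though the web group's outbound rules only cover MySQL to the database group. SSH to the web instance from an address outside 203.0.113.0/24 is refused. A MySQL connection from the web instance to the database instance passes both the web group's outbound rule and the database group's inbound rule, whereas the same connection from an instance in the default group is refused by the database group because that instance is not a member of sg-web00000. Two instances in the default group can reach each other on any protocol, which is the default group's distinguishing rule.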

The following table describes example rules for a security group for web servers. The web servers can receive HTTP and HTTPS traffic, and send SQL or MySQL traffic to a database server.

Inbound
Source | Protocol | Port Range | Comments
0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access from anywhere
0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access from anywhere
Your network's public IP address range | TCP | 22 | Allow inbound SSH access to Linux instances from your network (over the Internet gateway)
Your network's public IP address range | TCP | 3389 | Allow inbound RDP access to Windows instances from your network (over the Internet gateway)

Outbound
Destination | Protocol | Port Range | Comments
The ID of the security group for your database servers | TCP | 1433 | Allow outbound Microsoft SQL Server access to instances in the specified security group
The ID of the security group for your MySQL database servers | TCP | 3306 | Allow outbound MySQL access to instances in the specified security group

For step-by-step directions for creating security groups for web servers and database servers, see Recommended Security Groups.

Differences Between Security Groups for EC2-Classic and EC2-VPC

If you're already an Amazon EC2 user, you're probably familiar with security groups. However, you can't use the security groups that you've created for use with EC2-Classic with instances in your VPC. You must create security groups specifically for use with instances in your VPC. The rules you create for use with a security group for a VPC can't reference a security group for EC2-Classic, and vice versa.

The following table summarizes the differences between security groups for use with EC2-Classic and those for use with EC2-VPC.

EC2-Classic | EC2-VPC
You can create up to 500 security groups per region. | You can create up to 100 security groups per VPC.
You can add up to 100 rules to a security group. | You can add up to 50 rules to a security group.
You can add rules for inbound traffic only. | You can add rules for inbound and outbound traffic.
You can assign an unlimited number of security groups to an instance. | You can assign up to 5 security groups to an instance.
You can reference security groups from other AWS accounts. | You can reference security groups for your VPC only.
After you launch an instance, you can't change the security groups assigned to it. | You can change the security groups assigned to an instance after it's launched.
When you add a rule to a security group, you don't have to specify a protocol, and only TCP, UDP, or ICMP are available. | When you add a rule to a security group, you must specify a protocol, and it can be any protocol with a standard protocol number, or all protocols (see Protocol Numbers).
When you add a rule to a security group, you must specify port numbers (for TCP or UDP). | When you add a rule to a security group, you can specify port numbers only if the rule is for TCP or UDP, and you can specify all port numbers.
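The example web-server rules above restrict SSH and RDP to your own network's address range, the Security Group Basics list gives a limit of 50 rules per group, and the comparison table notes that VPC rules can reference only groups in your VPC. The following added example (not code from this guide or from AWS) audits a list of groups in the shape the EC2 DescribeSecurityGroups API returns (IpPermissions and IpPermissionsEgress entries with IpRanges and UserIdGroupPairs, IpProtocol "-1" meaning all protocols) for departures from those points. The sample groups, their IDs and the VPC ID are constructed; how AWS counts entries against the rule limit is an assumption, so the count is an estimate.

```python
"""Audit of security group rules in the shape the EC2 DescribeSecurityGroups API
returns. Added illustration with constructed sample data; not AWS code. Flags
SSH/RDP reachable from 0.0.0.0/0, all-traffic ingress from 0.0.0.0/0, rules that
reference a group not described in the same VPC, and groups near the rule limit."""

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}
RULE_LIMIT = 50  # rules per security group in EC2-VPC, per Security Group Basics
WORLD = "0.0.0.0/0"


def perm(proto, from_port=None, to_port=None, cidrs=(), groups=()):
    """Build one IpPermission dict as the API renders it ("-1" = all protocols)."""
    p = {"IpProtocol": proto,
         "IpRanges": [{"CidrIp": c} for c in cidrs],
         "UserIdGroupPairs": [{"GroupId": g} for g in groups]}
    if from_port is not None:
        p["FromPort"] = from_port
        p["ToPort"] = from_port if to_port is None else to_port
    return p


# Constructed sample: the web and database groups from the example table, plus
# one group whose rules have drifted to world-open admin access.
SAMPLE_GROUPS = [
    {"GroupId": "sg-web00000", "GroupName": "web-servers", "VpcId": "vpc-example1",
     "IpPermissions": [perm("tcp", 80, cidrs=[WORLD]), perm("tcp", 443, cidrs=[WORLD]),
                       perm("tcp", 22, cidrs=["203.0.113.0/24"]),
                       perm("tcp", 3389, cidrs=["203.0.113.0/24"])],
     "IpPermissionsEgress": [perm("tcp", 1433, groups=["sg-db000000"]),
                             perm("tcp", 3306, groups=["sg-mysql000"])]},  # sg-mysql000 is not described
    {"GroupId": "sg-db000000", "GroupName": "sqlserver-db", "VpcId": "vpc-example1",
     "IpPermissions": [perm("tcp", 1433, groups=["sg-web00000"])],
     "IpPermissionsEgress": [perm("-1", cidrs=[WORLD])]},
    {"GroupId": "sg-drifted0", "GroupName": "jump-host", "VpcId": "vpc-example1",
     "IpPermissions": [perm("tcp", 22, cidrs=[WORLD]), perm("-1", cidrs=[WORLD])],
     "IpPermissionsEgress": [perm("-1", cidrs=[WORLD])]},
]


def covers_port(p, port):
    """True if the permission admits TCP traffic to `port` (protocol number 6 is TCP)."""
    if p["IpProtocol"] == "-1":
        return True
    if p["IpProtocol"] not in ("tcp", "6"):
        return False
    return p["FromPort"] <= port <= p["ToPort"]


def rule_count(group):
    """Count (permission, peer) pairs across both directions. Assumption: this is
    how entries count against the limit, so treat the result as an estimate."""
    return sum(len(p["IpRanges"]) + len(p["UserIdGroupPairs"])
               for p in group["IpPermissions"] + group["IpPermissionsEgress"])


def audit(groups):
    """Return {GroupId: [finding, ...]} over a DescribeSecurityGroups-style list."""
    described = {}  # VpcId -> set of group IDs seen in this VPC
    for g in groups:
        described.setdefault(g["VpcId"], set()).add(g["GroupId"])
    report = {}
    for g in groups:
        findings = []
        for p in g["IpPermissions"]:
            if not any(r["CidrIp"] == WORLD for r in p["IpRanges"]):
                continue
            if p["IpProtocol"] == "-1":
                findings.append("all traffic allowed inbound from 0.0.0.0/0")
                continue
            for port, name in ADMIN_PORTS.items():
                if covers_port(p, port):
                    findings.append(f"{name} (port {port}) open to 0.0.0.0/0")
        for p in g["IpPermissions"] + g["IpPermissionsEgress"]:
            for pair in p["UserIdGroupPairs"]:
                if pair["GroupId"] not in described[g["VpcId"]]:
                    findings.append(f"rule references {pair['GroupId']}, which is not "
                                    f"among the described groups in {g['VpcId']}")
        if rule_count(g) > RULE_LIMIT * 0.8:
            findings.append(f"{rule_count(g)} rules, close to the {RULE_LIMIT}-rule limit")
        report[g["GroupId"]] = findings
    return report


if __name__ == "__main__":
    for gid, findings in audit(SAMPLE_GROUPS).items():
        print(gid, findings or ["ok"])
```

Run against the sample, the web group is flagged only for its dangling reference to sg-mysql000, the database group is clean, and the drifted group gets two findings: SSH open to the world and an all-traffic inbound rule from 0.0.0.0/0. Because security groups are allow-only, a single world-open all-traffic rule makes every other, tighter rule in that group irrelevant, which is why the audit reports it separately rather than as one more open port. Egress rules are not flagged for 0.0.0.0/0 here, since allowing all outbound traffic is the guide's default.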

Working with Security Groups

This section shows you how to work with security groups using the AWS Management Console.

Modifying the Default Security Group

Your VPC includes a default security group whose initial rules are to deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances in the group. You can't delete this group; however, you can change the group's rules. The procedure is the same as modifying any other security group. For more information, see Adding and Removing Rules.

Creating a Security Group

Although you can use the default security group for your instances, you might want to create your own groups to reflect the different roles that instances play in your system.

To create a security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Security Groups.

  3. Click the Create Security Group button.

  4. Enter a name for the security group (for example, my-security-group) and provide a description. Select the ID of your VPC from the VPC menu, and then click Yes, Create.

By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

Adding and Removing Rules

When you add or remove a rule, any instances already assigned to the security group are subject to the change. You can't modify rules; you can only add and delete rules.

Several of the scenarios presented in this guide include instructions for adding rules to security groups. For an example, see Recommended Security Groups.

To add a rule

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Security Groups.

  3. Select the security group to update. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  4. On the Inbound Rules tab, click Edit. Select an option for a rule for inbound traffic from the Type list, and then fill in the required information. For example, select HTTP or HTTPS and specify the Source as 0.0.0.0/0. Click Save when you are done.

  5. You can also allow communication between all instances associated with this security group. On the Inbound Rules tab, select All Traffic from the Type list. Start typing the ID of the security group in the Source field; this provides you with a list of security groups. Select the security group from the list, and then click Save.

  6. If you need to, you can use the Outbound Rules tab to add rules for outbound traffic.

To delete a rule

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, click Security Groups.

  3. Select the security group to update. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  4. Click Edit, and then click the Remove button for the rule you want to delete. Click Save when you're done.

Changing an Instance's Security Groups

You can change the security groups that an instance in a VPC is assigned to after the instance is launched. When you make this change, the instance can be either running or stopped.

To change an instance's security groups

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. Click Instances in the navigation pane.

  3. Right-click the instance, and then select Change Security Groups.

  4. In the Change Security Groups dialog box, select one or more security groups from the list, and then click Assign Security Groups.

Deleting a Security Group

You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an Instance's Security Groups).

To delete a security group

  1. Open the Amazon VPC console.

  2. Click Security Groups in the navigation pane.

  3. Select the security group, and then click Delete.

  4. In the Delete Security Group dialog box, click Yes, Delete.

Deleting the 2009-07-15-default Security Group

Any VPC created using an API version older than 2011-01-01 has the 2009-07-15-default security group. This security group exists in addition to the regular default security group that comes with every VPC. You can't attach an Internet gateway to a VPC that has the 2009-07-15-default security group. Therefore, you must delete this security group before you can attach an Internet gateway to the VPC.

Note

If you assigned this security group to any instances, you must assign these instances a different security group before you can delete the security group.

To delete the 2009-07-15-default security group

  1. Ensure that this security group is not assigned to any instances.

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. In the navigation pane, click Network Interfaces.

    3. Select the network interface for the instance from the list, and then select Change Security Groups from the Actions list.

    4. In the Change Security Groups dialog box, select a new security group from the list, and then click Save.

      Tip

      When changing an instance's security group, you can select multiple groups from the list. The security groups that you select replace the current security groups for the instance.

    5. Repeat the preceding steps for each instance.

  2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation pane, click Security Groups.

  4. Select the 2009-07-15-default security group, and then click the Delete button.

  5. In the Delete Security Group dialog box, click Yes, Delete.

API and Command Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon VPC.

Create a security group

Add a rule to a security group

Describe one or more security groups

Modify the security groups for an instance

Remove a rule from a security group

Delete a security group