Amazon Virtual Private Cloud
User Guide

Security Groups for Your VPC

A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic things you need to know about security groups for your VPC and their rules.

You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.

Security Group Basics

The following are the basic characteristics of security groups for your VPC:

  • You have limits on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups you can associate with a network interface. For more information, see Amazon VPC Limits.

  • You can specify allow rules, but not deny rules.

  • You can specify separate rules for inbound and outbound traffic.

  • By default, no inbound traffic is allowed until you add inbound rules to the security group.

  • By default, an outbound rule allows all outbound traffic. You can remove the rule and add outbound rules that allow specific outbound traffic only.

  • Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

    Note

    Some types of traffic are tracked differently to others. For more information, see Connection Tracking in the Amazon EC2 User Guide for Linux Instances.

  • Instances associated with a security group can't talk to each other unless you add rules allowing it (exception: the default security group has these rules by default).

  • Security groups are associated with network interfaces. After you launch an instance, you can change the security groups associated with the instance, which changes the security groups associated with the primary network interface (eth0). You can also change the security groups associated with any other network interface. For more information about network interfaces, see Elastic Network Interfaces.

Default Security Group for Your VPC

Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don't specify a different security group when you launch the instance.

The following table describes the default rules for a default security group.

Inbound

Source | Protocol | Port Range | Comments
--- | --- | --- | ---
The security group ID (sg-xxxxxxxx) | All | All | Allow inbound traffic from instances assigned to the same security group.

Outbound

Destination | Protocol | Port Range | Comments
--- | --- | --- | ---
0.0.0.0/0 | All | All | Allow all outbound IPv4 traffic.
::/0 | All | All | Allow all outbound IPv6 traffic. This rule is added by default if you create a VPC with an IPv6 CIDR block or if you associate an IPv6 CIDR block with your existing VPC.

You can change the rules for the default security group.

You can't delete a default security group. If you try to delete the default security group, you'll get the following error: Client.CannotDelete: the specified group: "sg-51530134" name: "default" cannot be deleted by a user.

Note

If you've modified the outbound rules for your security group, we do not automatically add an outbound rule for IPv6 traffic when you associate an IPv6 block with your VPC.
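The characteristics listed under Security Group Basics, and the default group's rules above, can be checked against a small model. The following is an added example written for this page, not AWS code and not taken from this guide: it evaluates packets against a set of groups the way the page describes (allow rules only, separate inbound and outbound sets, every group attached to an interface evaluated together, group-to-group references, and replies to allowed flows passing regardless of the rules in the other direction). The group IDs, addresses and the 5-tuple flow table are constructed simplifications; the real connection tracking referenced in the note is more elaborate.

```python
"""Toy evaluator for VPC security group semantics (added example, not AWS code).
Models: allow rules only, separate inbound/outbound sets, all attached groups
evaluated together, group references, the default group, stateful replies."""
from collections import namedtuple
from dataclasses import dataclass, field
import ipaddress

ALL = "-1"  # the EC2 API's protocol value for "all protocols"
Packet = namedtuple("Packet", "src_ip src_port dst_ip dst_port protocol")


@dataclass(frozen=True)
class Rule:
    protocol: str          # "tcp", "udp", "icmp" or ALL
    from_port: int = None  # None means all ports
    to_port: int = None
    cidr: str = None       # IPv4/IPv6 CIDR; a single host is /32 or /128
    group_id: str = None   # or a referenced security group


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)


def default_group(group_id):
    """The default group: all traffic from its own members in, everything out."""
    return SecurityGroup(group_id, inbound=[Rule(ALL, group_id=group_id)],
                         outbound=[Rule(ALL, cidr="0.0.0.0/0"), Rule(ALL, cidr="::/0")])


class Vpc:
    def __init__(self):
        self.groups = {}      # group id -> SecurityGroup
        self.membership = {}  # instance ip -> attached group ids (max five)
        self.tracked = set()  # allowed flows: (inst ip, inst port, peer ip, peer port, proto)

    def add_group(self, group):
        self.groups[group.group_id] = group

    def attach(self, instance_ip, *group_ids):
        if len(group_ids) > 5:
            raise ValueError("at most five security groups per network interface")
        self.membership[instance_ip] = list(group_ids)

    def _members(self, group_id):
        return {ip for ip, gids in self.membership.items() if group_id in gids}

    def _peer_matches(self, rule, peer_ip):
        if rule.group_id is not None:  # a reference to a deleted group is stale: matches nothing
            return rule.group_id in self.groups and peer_ip in self._members(rule.group_id)
        net, addr = ipaddress.ip_network(rule.cidr), ipaddress.ip_address(peer_ip)
        return addr.version == net.version and addr in net

    def _rule_matches(self, rule, peer_ip, protocol, port):
        if rule.protocol != ALL and rule.protocol != protocol:
            return False
        if rule.protocol in ("tcp", "udp") and rule.from_port is not None:
            if not rule.from_port <= port <= rule.to_port:
                return False
        return self._peer_matches(rule, peer_ip)

    def _permitted(self, instance_ip, direction, peer_ip, protocol, port):
        # Allow rules from every attached group are unioned; there are no deny rules.
        for gid in self.membership.get(instance_ip, []):
            if any(self._rule_matches(r, peer_ip, protocol, port)
                   for r in getattr(self.groups[gid], direction)):
                return True
        return False

    def send(self, p):
        """Outbound from p.src_ip; a reply to an allowed inbound flow skips the rules."""
        flow = (p.src_ip, p.src_port, p.dst_ip, p.dst_port, p.protocol)
        ok = flow in self.tracked or self._permitted(
            p.src_ip, "outbound", p.dst_ip, p.protocol, p.dst_port)
        if ok:
            self.tracked.add(flow)
        return ok

    def receive(self, p):
        """Inbound to p.dst_ip; a reply to an allowed outbound flow skips the rules."""
        flow = (p.dst_ip, p.dst_port, p.src_ip, p.src_port, p.protocol)
        ok = flow in self.tracked or self._permitted(
            p.dst_ip, "inbound", p.src_ip, p.protocol, p.dst_port)
        if ok:
            self.tracked.add(flow)
        return ok

    def deliver(self, p):  # instance to instance: sender's outbound and receiver's inbound both apply
        return self.send(p) and self.receive(p)


def web_tier_scenario():
    """The page's web server rules plus a database tier (constructed IDs and addresses)."""
    vpc = Vpc()
    vpc.add_group(default_group("sg-11111111"))
    vpc.add_group(SecurityGroup("sg-22222222", inbound=[
        Rule("tcp", 80, 80, cidr="0.0.0.0/0"), Rule("tcp", 80, 80, cidr="::/0"),
        Rule("tcp", 443, 443, cidr="0.0.0.0/0"), Rule("tcp", 443, 443, cidr="::/0"),
        Rule("tcp", 22, 22, cidr="203.0.113.0/24")],  # "your network's public IPv4 range"
        outbound=[Rule("tcp", 3306, 3306, group_id="sg-33333333")]))
    vpc.add_group(SecurityGroup("sg-33333333",
                                inbound=[Rule("tcp", 3306, 3306, group_id="sg-22222222")]))
    vpc.attach("10.0.1.10", "sg-22222222")  # web server
    vpc.attach("10.0.2.20", "sg-33333333")  # MySQL server
    vpc.attach("10.0.3.30", "sg-11111111")  # two instances left in the default group
    vpc.attach("10.0.3.31", "sg-11111111")
    return {
        "http_from_internet": vpc.receive(Packet("198.51.100.7", 40000, "10.0.1.10", 80, "tcp")),
        "http_reply_out": vpc.send(Packet("10.0.1.10", 80, "198.51.100.7", 40000, "tcp")),
        "http_over_ipv6": vpc.receive(Packet("2001:db8::1", 40000, "10.0.1.10", 80, "tcp")),
        "ssh_from_internet": vpc.receive(Packet("198.51.100.7", 40001, "10.0.1.10", 22, "tcp")),
        "ssh_from_own_network": vpc.receive(Packet("203.0.113.9", 40002, "10.0.1.10", 22, "tcp")),
        "web_to_db": vpc.deliver(Packet("10.0.1.10", 50000, "10.0.2.20", 3306, "tcp")),
        "db_reply_to_web": vpc.deliver(Packet("10.0.2.20", 3306, "10.0.1.10", 50000, "tcp")),
        "internet_to_db": vpc.receive(Packet("198.51.100.7", 40003, "10.0.2.20", 3306, "tcp")),
        "default_members_talk": vpc.deliver(Packet("10.0.3.30", 50001, "10.0.3.31", 22, "tcp")),
        # the web group's only outbound rule is MySQL to the DB group, so this is dropped
        "web_to_default_member": vpc.deliver(Packet("10.0.1.10", 50002, "10.0.3.30", 22, "tcp")),
    }
```

The scenario shows the points that matter in practice: the database tier never receives from the Internet because its only inbound rule names the web group, not an address range; the MySQL reply reaches the web server although neither the database group's outbound rules nor the web group's inbound rules mention it, because the flow was tracked; and the two instances in the default group can talk only because that group references itself.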

Security Group Rules

You can add or remove rules for a security group (also referred to as authorizing or revoking inbound or outbound access). A rule applies either to inbound traffic (ingress) or outbound traffic (egress). You can grant access to a specific CIDR range, or to another security group in your VPC or in a peer VPC (requires a VPC peering connection).

The following are the basic parts of a security group rule in a VPC:

  • (Inbound rules only) The source of the traffic and the destination port or port range. The source can be another security group, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

  • (Outbound rules only) The destination for the traffic and the destination port or port range. The destination can be another security group, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

  • Any protocol that has a standard protocol number (for a list, see Protocol Numbers). If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

When you specify a security group as the source for a rule, this allows instances associated with the source security group to access instances in the security group. (Note that this does not add rules from the source security group to this security group.)

If you specify a single IPv4 address, use the /32 prefix. If you specify a single IPv6 address, specify the /128 prefix length.

Some systems for setting up firewalls let you filter on source ports. Security groups let you filter only on destination ports.

When you add or remove rules, they are automatically applied to all instances associated with the security group.

The kind of rules you add may depend on the purpose of the instance. The following table describes example rules for a security group for web servers. The web servers can receive HTTP and HTTPS traffic from all IPv4 and IPv6 addresses, and send SQL or MySQL traffic to a database server.

Inbound

Source | Protocol | Port Range | Comments
--- | --- | --- | ---
0.0.0.0/0 | TCP | 80 | Allow inbound HTTP access from all IPv4 addresses
::/0 | TCP | 80 | Allow inbound HTTP access from all IPv6 addresses
0.0.0.0/0 | TCP | 443 | Allow inbound HTTPS access from all IPv4 addresses
::/0 | TCP | 443 | Allow inbound HTTPS access from all IPv6 addresses
Your network's public IPv4 address range | TCP | 22 | Allow inbound SSH access to Linux instances from IPv4 IP addresses in your network (over the Internet gateway)
Your network's public IPv4 address range | TCP | 3389 | Allow inbound RDP access to Windows instances from IPv4 IP addresses in your network (over the Internet gateway)

Outbound

Destination | Protocol | Port Range | Comments
--- | --- | --- | ---
The ID of the security group for your database servers | TCP | 1433 | Allow outbound Microsoft SQL Server access to instances in the specified security group
The ID of the security group for your MySQL database servers | TCP | 3306 | Allow outbound MySQL access to instances in the specified security group

A database server would need a different set of rules; for example, instead of inbound HTTP and HTTPS traffic, you can add a rule that allows inbound MySQL or Microsoft SQL Server access. For an example of security group rules for web servers and database servers, see Security.

For more information about creating security group rules to ensure that Path MTU Discovery can function correctly, see Path MTU Discovery in the Amazon EC2 User Guide for Linux Instances.

Stale Security Group Rules

If your VPC has a VPC peering connection with another VPC, a security group rule can reference another security group in the peer VPC. This allows instances associated with the referenced security group to communicate with instances associated with the referencing security group.

If the owner of the peer VPC deletes the referenced security group, or if you or the owner of the peer VPC deletes the VPC peering connection, the security group rule is marked as stale. You can delete stale security group rules as you would any other security group rule.

For more information, see Working With Stale Security Groups in the Amazon VPC Peering Guide.
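The rule parts described under Security Group Rules, and the stale references described just above, in the shape the EC2 API actually takes. This is an added example written for this page, not AWS code and not from this guide: it builds the web-server rules from the example table as IpPermissions entries, normalizes single addresses to the /32 or /128 prefix the page requires, and lints a rule list for the constraints the page states (protocol names or numbers, ports only for TCP/UDP, IPv4 and IPv6 ranges in their own fields, well-formed group IDs) plus two practical checks: a reference to a group ID that is no longer known is reported as stale, and an administrative port open to 0.0.0.0/0 or ::/0 is reported, following the page's note on restricting access. The group IDs, the 203.0.113.0/24 range and the choice of admin ports are constructed assumptions.

```python
"""Build the page's web-server rules in the EC2 API's IpPermissions shape and
lint them against the constraints the page states (added example, not AWS code).
Group IDs, the office CIDR and the admin-port list are constructed assumptions."""
import ipaddress
import re

SG_ID = re.compile(r"^sg-[0-9a-f]{8}([0-9a-f]{9})?$")  # 8- or 17-hex-digit group IDs
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}                  # ports worth keeping off 0.0.0.0/0


def normalize_cidr(value):
    """A single address gets the /32 (IPv4) or /128 (IPv6) prefix the page calls for."""
    return str(ipaddress.ip_network(value))  # raises ValueError on host bits or junk


def permission(protocol, port=None, *, cidr=None, group_id=None, description=""):
    """One IpPermissions entry: an allow rule for one port (TCP/UDP) from one peer."""
    perm = {"IpProtocol": protocol}
    if protocol in ("tcp", "udp"):  # ports only exist for TCP and UDP rules
        perm["FromPort"] = perm["ToPort"] = port
    if cidr is not None:
        cidr = normalize_cidr(cidr)
        if ipaddress.ip_network(cidr).version == 4:
            perm["IpRanges"] = [{"CidrIp": cidr, "Description": description}]
        else:
            perm["Ipv6Ranges"] = [{"CidrIpv6": cidr, "Description": description}]
    if group_id is not None:  # source/destination is another security group
        perm["UserIdGroupPairs"] = [{"GroupId": group_id, "Description": description}]
    return perm


def web_server_rules(office_cidr, mssql_sg_id, mysql_sg_id):
    """The page's example table: inbound and outbound rules for a web server."""
    inbound = [
        permission("tcp", 80, cidr="0.0.0.0/0", description="HTTP from all IPv4"),
        permission("tcp", 80, cidr="::/0", description="HTTP from all IPv6"),
        permission("tcp", 443, cidr="0.0.0.0/0", description="HTTPS from all IPv4"),
        permission("tcp", 443, cidr="::/0", description="HTTPS from all IPv6"),
        permission("tcp", 22, cidr=office_cidr, description="SSH from our network"),
        permission("tcp", 3389, cidr=office_cidr, description="RDP from our network"),
    ]
    outbound = [
        permission("tcp", 1433, group_id=mssql_sg_id, description="SQL Server tier"),
        permission("tcp", 3306, group_id=mysql_sg_id, description="MySQL tier"),
    ]
    return inbound, outbound


def _version(cidr):
    """IP version of a CIDR string, or None if it is not a valid network."""
    try:
        return ipaddress.ip_network(cidr).version
    except ValueError:
        return None


def lint(permissions, known_group_ids=None):
    """Findings for malformed entries, stale group references and open admin ports."""
    findings = []
    for i, p in enumerate(permissions):
        proto = str(p.get("IpProtocol"))
        fp, tp = p.get("FromPort"), p.get("ToPort")
        tag = f"rule {i} ({proto})"
        named = proto in ("-1", "tcp", "udp", "icmp", "icmpv6")
        if not named and not (proto.isdigit() and int(proto) <= 255):
            findings.append(f"{tag}: protocol must be a name or a standard protocol number")
        if proto in ("tcp", "udp") and not (
                fp is not None and tp is not None and 0 <= fp <= tp <= 65535):
            findings.append(f"{tag}: TCP/UDP rules need a valid FromPort..ToPort range")
        if proto in ("icmp", "icmpv6") and not all(
                x is not None and -1 <= x <= 255 for x in (fp, tp)):
            findings.append(f"{tag}: ICMP rules carry type/code in FromPort/ToPort (-1 = all)")
        if proto not in ("tcp", "udp", "icmp", "icmpv6") and fp is not None:
            findings.append(f"{tag}: ports only apply to TCP, UDP and ICMP rules")
        v4 = [r["CidrIp"] for r in p.get("IpRanges", [])]
        v6 = [r["CidrIpv6"] for r in p.get("Ipv6Ranges", [])]
        if any(_version(c) != 4 for c in v4) or any(_version(c) != 6 for c in v6):
            findings.append(f"{tag}: IpRanges must hold IPv4 CIDRs and Ipv6Ranges IPv6 CIDRs")
        for pair in p.get("UserIdGroupPairs", []):
            gid = pair.get("GroupId", "")
            if not SG_ID.match(gid):
                findings.append(f"{tag}: {gid!r} is not a security group ID")
            elif known_group_ids is not None and gid not in known_group_ids:
                findings.append(f"{tag}: reference to {gid} is stale (group deleted or peering removed)")
        # The page's note: 0.0.0.0/0 and ::/0 admit every address; keep admin ports narrower.
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            for port, name in ADMIN_PORTS.items():
                in_range = fp is not None and tp is not None and fp <= port <= tp
                if proto == "-1" or (proto in ("tcp", "udp") and in_range):
                    findings.append(f"{tag}: {name} ({port}) is open to the world; restrict it to your network's range")
    return findings
```

The two lists returned by web_server_rules are in the form boto3's authorize_security_group_ingress and authorize_security_group_egress accept as IpPermissions; running lint over them with the set of group IDs you know to exist (for example from describe-security-groups on your VPC and its peers) before applying them catches a stale reference or an accidentally world-open SSH rule before it reaches the account.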

Differences Between Security Groups for EC2-Classic and EC2-VPC

If you're already an Amazon EC2 user, you're probably familiar with security groups. However, you can't use the security groups that you've created for use with EC2-Classic with instances in your VPC. You must create security groups specifically for use with instances in your VPC. The rules you create for use with a security group for a VPC can't reference a security group for EC2-Classic, and vice versa.

The following table summarizes the differences between security groups for use with EC2-Classic and those for use with EC2-VPC.

EC2-Classic | EC2-VPC
--- | ---
You can create up to 500 security groups per region. | You can create up to 500 security groups per VPC.
You can add up to 100 rules to a security group. | You can add up to 50 rules to a security group.
You can add rules for inbound traffic only. | You can add rules for inbound and outbound traffic.
You can assign up to 500 security groups to an instance. | You can assign up to 5 security groups to a network interface.
You can reference security groups from other AWS accounts. | You can reference security groups from your VPC or from a peer VPC in a VPC peering connection only. The peer VPC can be in a different account.
After you launch an instance, you can't change the security groups assigned to it. | You can change the security groups assigned to an instance after it's launched.
When you add a rule to a security group, you don't have to specify a protocol, and only TCP, UDP, or ICMP are available. | When you add a rule to a security group, you must specify a protocol, and it can be any protocol with a standard protocol number, or all protocols (see Protocol Numbers).
When you add a rule to a security group, you must specify port numbers (for TCP or UDP). | When you add a rule to a security group, you can specify port numbers only if the rule is for TCP or UDP, and you can specify all port numbers.
Security groups that are referenced in another security group's rules cannot be deleted. | Security groups that are referenced in another security group's rules can be deleted if the security groups are in different VPCs. If the referenced security group is deleted, the rule is marked as stale. You can use the describe-stale-security-groups AWS CLI command to identify stale rules.
You cannot specify an IPv6 CIDR block or an IPv6 address as the source or destination in a security group rule. | You can specify an IPv6 CIDR block or an IPv6 address as the source or destination in a security group rule.

Working with Security Groups

This section shows you how to work with security groups using the Amazon VPC console.

Modifying the Default Security Group

Your VPC includes a default security group whose initial rules are to deny all inbound traffic, allow all outbound traffic, and allow all traffic between instances in the group. You can't delete this group; however, you can change the group's rules. The procedure is the same as modifying any other security group. For more information, see Adding and Removing Rules.

Creating a Security Group

Although you can use the default security group for your instances, you might want to create your own groups to reflect the different roles that instances play in your system.

To create a security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Choose Create Security Group.

  4. Enter a name of the security group (for example, my-security-group) and provide a description. Select the ID of your VPC from the VPC menu and choose Yes, Create.

By default, new security groups start with only an outbound rule that allows all traffic to leave the instances. You must add rules to enable any inbound traffic or to restrict the outbound traffic.

Adding and Removing Rules

When you add or remove a rule, any instances already assigned to the security group are subject to the change. If you're using the Amazon EC2 API or a command line tool, you can't modify rules; you can only add and delete rules. If you're using the Amazon VPC console, you can modify the entries for existing rules (the console removes the rule and adds a new rule for you).

Note

If you have a VPC peering connection, you can reference security groups from the peer VPC as the source or destination in your security group rules. For more information, see Updating Your Security Groups to Reference Peered VPC Security Groups in the Amazon VPC Peering Guide.

To add a rule

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group to update. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  4. On the Inbound Rules tab, choose Edit. Select an option for a rule for inbound traffic for Type, and then fill in the required information. For example, for a public web server, choose HTTP or HTTPS and specify a value for Source as 0.0.0.0/0. Choose Save.

    Note

    If you use 0.0.0.0/0, you enable all IPv4 addresses to access your instance using HTTP or HTTPS. To restrict access, enter a specific IP address or range of addresses.

  5. You can also allow communication between all instances associated with this security group. On the Inbound Rules tab, choose All Traffic from the Type list. Start typing the ID of the security group for Source; this provides you with a list of security groups. Select the security group from the list and choose Save.

  6. If you need to, you can use the Outbound Rules tab to add rules for outbound traffic.

To delete a rule

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group to update. The details pane displays the details for the security group, plus tabs for working with its inbound rules and outbound rules.

  4. Choose Edit, select the rule to delete, and then choose Remove, Save.

Changing an Instance's Security Groups

You can change the security groups that an instance in a VPC is assigned to after the instance is launched. When you make this change, the instance can be either running or stopped.

Note

This procedure changes the security groups that are associated with the primary network interface (eth0) of the instance. To change the security groups for other network interfaces, see Changing the Security Group of a Network Interface.

To change an instance's security groups

  1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

  2. In the navigation pane, choose Instances.

  3. Open the context (right-click) menu for the instance and choose Networking, Change Security Groups.

  4. In the Change Security Groups dialog box, select one or more security groups from the list and choose Assign Security Groups.

Deleting a Security Group

You can delete a security group only if there are no instances assigned to it (either running or stopped). You can assign the instances to another security group before you delete the security group (see Changing an Instance's Security Groups). You can't delete a default security group.

To delete a security group

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group and choose Security Group Actions, Delete Security Group.

  4. In the Delete Security Group dialog box, choose Yes, Delete.

Deleting the 2009-07-15-default Security Group

Any VPC created using an API version older than 2011-01-01 has the 2009-07-15-default security group. This security group exists in addition to the regular default security group that comes with every VPC. You can't attach an Internet gateway to a VPC that has the 2009-07-15-default security group. Therefore, you must delete this security group before you can attach an Internet gateway to the VPC.

Note

If you assigned this security group to any instances, you must assign these instances a different security group before you can delete the security group.

To delete the 2009-07-15-default security group

  1. Ensure that this security group is not assigned to any instances.

    1. Open the Amazon EC2 console at https://console.aws.amazon.com/ec2/.

    2. In the navigation pane, choose Network Interfaces.

    3. Select the network interface for the instance from the list, and choose Change Security Groups, Actions.

    4. In the Change Security Groups dialog box, select a new security group from the list, and choose Save.

      Tip

      When changing an instance's security group, you can select multiple groups from the list. The security groups that you select replace the current security groups for the instance.

    5. Repeat the preceding steps for each instance.

  2. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  3. In the navigation pane, choose Security Groups.

  4. Choose the 2009-07-15-default security group, then choose Security Group Actions, Delete.

  5. In the Delete Security Group dialog box, choose Yes, Delete.

API and CLI Overview

You can perform the tasks described on this page using the command line or an API. For more information about the command line interfaces and a list of available APIs, see Accessing Amazon VPC.

Create a security group

Add a rule to a security group

Describe one or more security groups

Modify the security groups for an instance

Remove a rule from a security group

Delete a security group