WKLD.11 – Restrict network access by using security groups - AWS Prescriptive Guidance

WKLD.11 – Restrict network access by using security groups

Use security groups to control traffic to EC2 instances, RDS databases, and other supported resources. A security group acts as a virtual firewall that can be applied to any group of related resources so that rules for allowing inbound and outbound traffic are defined consistently. In addition to rules based on IP addresses and ports, security groups support rules that allow traffic from resources associated with another security group. For example, a database security group can have rules that allow traffic only from an application server security group.

By default, security groups allow all outbound traffic and deny all inbound traffic. You can remove the default outbound rule, and you can add rules to restrict outbound traffic and to allow specific inbound traffic. If a security group has no outbound rules, no outbound traffic originating from your instance is allowed. For more information, see Control traffic to resources using security groups (Amazon VPC documentation).

In the following example, there are three security groups that control traffic from an Application Load Balancer to EC2 instances that connect to an Amazon RDS for MySQL database.

Security group: Application Load Balancer security group
  Inbound rules:
    Description: Allow HTTPS traffic from anywhere
    Type: HTTPS
    Source: Anywhere-IPv4 (0.0.0.0/0)
  Outbound rules:
    Description: Allow all traffic to anywhere
    Type: All traffic
    Destination: Anywhere-IPv4 (0.0.0.0/0)

Security group: EC2 instance security group
  Inbound rules:
    Description: Allow HTTP traffic from the Application Load Balancer
    Type: HTTP
    Source: Application Load Balancer security group
  Outbound rules:
    Description: Allow all traffic to anywhere
    Type: All traffic
    Destination: Anywhere-IPv4 (0.0.0.0/0)

Security group: RDS database security group
  Inbound rules:
    Description: Allow MySQL traffic from EC2 instance
    Type: MySQL
    Source: EC2 instance security group
  Outbound rules:
    No outbound rules
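The following is an added example, not code from this guidance or from AWS: a small audit that walks security-group rules in the shape returned by the EC2 DescribeSecurityGroups API and flags rules that depart from the pattern above (inbound rules open to 0.0.0.0/0 on groups that are not meant to be internet facing, all-protocol inbound rules, and the default all-traffic outbound rule). The sample groups, their IDs, and the deliberately open MySQL rule on the database group are constructed for the example.

```python
# Added example (not from the AWS page): audit security-group rules in the
# shape returned by EC2 DescribeSecurityGroups and report rules that break
# the least-privilege pattern described above. All sample data is constructed.
ANY_V4 = "0.0.0.0/0"

# Constructed sample mirroring the page's three-tier example; group IDs are placeholders.
GROUPS = [
    {"GroupId": "sg-alb0000", "GroupName": "alb-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                        "IpRanges": [{"CidrIp": ANY_V4}], "UserIdGroupPairs": []}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
                              "UserIdGroupPairs": []}]},
    {"GroupId": "sg-ec20000", "GroupName": "ec2-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                        "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb0000"}]}],
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": ANY_V4}],
                              "UserIdGroupPairs": []}]},
    {"GroupId": "sg-rds0000", "GroupName": "rds-sg",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
                        "IpRanges": [{"CidrIp": ANY_V4}],  # constructed misconfiguration
                        "UserIdGroupPairs": [{"GroupId": "sg-ec20000"}]}],
     "IpPermissionsEgress": []},  # no outbound rules, as in the page's RDS group
]

def audit(groups, internet_facing=("alb-sg",)):
    """Return (group name, finding) pairs; internet_facing names groups allowed to accept 0.0.0.0/0."""
    findings = []
    for g in groups:
        name = g["GroupName"]
        for rule in g["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in rule["IpRanges"]]
            if rule["IpProtocol"] == "-1":
                findings.append((name, "inbound rule allows all protocols and ports"))
            if ANY_V4 in cidrs and name not in internet_facing:
                findings.append((name, f"inbound port {rule.get('FromPort')} open to {ANY_V4}; "
                                       "use a source security group instead"))
        # The default egress rule allows everything; report it so it can be tightened where not needed.
        for rule in g["IpPermissionsEgress"]:
            if rule["IpProtocol"] == "-1" and ANY_V4 in [r["CidrIp"] for r in rule["IpRanges"]]:
                findings.append((name, "outbound rule allows all traffic to anywhere (default)"))
    return findings

if __name__ == "__main__":
    for group, msg in audit(GROUPS):
        print(f"{group}: {msg}")
```

Against real data, replace GROUPS with the SecurityGroups list from a DescribeSecurityGroups call and pass the names of your load balancer groups as internet_facing.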