- Security groups
- Amazon Elastic Block Store (Amazon EBS) volumes and snapshots
- Attaching an EBS volume to a Linux instance
- Amazon Machine Images
- T2 instances
- Configuring an application load balancer
- EC2 networking
- EC2 instance lifecycle
Skill Level Intermediate
- [Instructor] Welcome back, in this video, we're gonna talk about security groups. If you're ready, let's begin. All right, so what is a security group? A security group acts as a virtual firewall that controls the traffic for one or more EC2 instances. When you launch an instance you associate one or more security groups with that instance. So it is not that we can only associate one security group per instance, we could associate multiple security groups per EC2 instance.
We add rules to each security group that allow traffic to, or from, its associated instances. We can modify the rules of a security group at any time, and the new rules are automatically applied to all instances that are associated with the security group. In the next video, when we do a hands-on on security groups, we'll see this live in action. We will modify the security group and we'll notice that as soon as you modify it, the changes are applied immediately.
Every security group can have a different set of rules for inbound and outbound traffic. By default, security groups allow all outbound traffic. When we create a security group, it has no inbound rules; therefore, no inbound traffic originating from another host to your EC2 instance is allowed until you add inbound rules to the security group.
So, by default, everything is allowed outbound, nothing is allowed inbound. We can specify separate rules for inbound, and outbound traffic. Very important - security group rules are always permissive. We can't write rules that deny access. That means when we are defining a security group, we can only write rules that allow traffic towards the instance, or from the instance, but we cannot write a rule that blocks the traffic or denies the traffic.
Security groups are stateful in nature, which means if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Let me explain this to you with an example. So on the screen right now I have an EC2 instance, and I have a security group, which is shown in red dotted lines. The EC2 instance is trying to reach a server on the internet which is shown on the left hand side.
When the EC2 instance sends the traffic, it first gets processed by the security group. Let's assume that this traffic is allowed by the security group, so this traffic reaches the server. Now when the server responds back, and when the response hits the security group, is it gonna be evaluated again? The answer is no. When the server responds back, the traffic will be automatically allowed to reach that EC2 instance.
It will not be processed against the security group rules again. Since the response belongs to an existing session, it is allowed to flow in. And this is known as stateful inspection. Security groups are stateful in nature. They allow responses to flow in, regardless of the inbound rule configuration. Let's now talk about security group rules. Every security group must have a name and a description, and these can be up to 255 characters in length.
A security group name cannot start with sg-. There are limits on the number of security groups that you can create per VPC, the number of rules that you can add to each security group, and the number of security groups that you can associate with a network interface. When we configure a security group, these are the items that we need to define. Number one, we must specify the protocol.
The most common protocols are TCP, UDP, and ICMP. Next, we need to specify the port range, which can be a single port, or a range of ports, for TCP or UDP, or the custom protocol. Next, we specify the source or destination. The source is for inbound rules, and the destination is for outbound rules. If you must specify individual IPv4 addresses, they must be configured with the /32 prefix length.
For example, 220.127.116.11/32. If you need to specify individual IPv6 addresses, they must use the /128 prefix length. And you have an example on the screen as well. As you can see, it has a prefix length of /128. Interestingly, the source or destination of a security group rule can also be another security group. This allows EC2 instances associated with the specified security group to access instances associated with this security group.
If that sounds too confusing, I have an example coming up for you. Additionally, you may also configure ICMP type and code. This is applicable only if you select the protocol as ICMP. Now, I'm gonna show you an example of how a security group can be referenced within another security group. On the screen right now, I have an EC2 instance which represents a web server. And as you can see, the EC2 instance is associated with a security group which is shown with the red dotted line.
Also, I have a database server, which has its own security group. The web server is connected with the database server. People on the internet need to access the web server. However, we do not want to permit people on the internet to be directly accessing the database server. That means users can access the web server, and the web server has a connection with the database server. How do we make this happen? How do we make sure that people on the internet can connect to the web server, but then they cannot directly connect with the database server? The only connection that is permitted on the database server is that which originates from the web server.
The security group associated with the web server is called web-server-sg. When I'm defining the security group for my database server, this is how I'm gonna configure it. As you can see over here, I've given it a name, which is called database sg. I've given it a description. Notice the inbound traffic. I've selected MySQL on TCP 3306, which is the traffic for database servers. The source is a custom IP address, but then, look at the source that I've specified.
In the source field I have given the name of the security group that is associated with the web server which is web-server-sg. And you can see that over here. This means this security group, which is associated with the database server, is only going to allow inbound traffic on TCP 3306 that originates from any instance associated with web-server-sg. This is interesting because I do not have to specify the IP address of my web server.
Any instance that is associated with web-server-sg will automatically be able to access the database servers. At the same time, it will prevent any other connections. Isn't this really fantastic? We can actually reference security groups within security groups. And this applies to outbound traffic as well. Moving on, some more rules for security groups. If there is more than one rule for a specific port, the most permissive rule is applied.
For example, let's say you have a rule that allows access to TCP port 22, which is the SSH port number, from a specific IP address which is 203.0.113.1. And you also have another rule that allows access to TCP port 22 from everywhere. In this case, everyone would have access to TCP port 22. The bottom line is, the most permissive rule is applied.
When multiple security groups are associated with an instance, the rules from each security group are effectively aggregated to create one set of rules. And this set of rules is used to determine whether to allow access. We also have something called the default security group. Every AWS account has a default security group per VPC. If you don't specify a security group when you launch an EC2 instance, the instance is automatically associated with the default security group.
The default security group is named default, and it has an ID assigned by AWS. Please also note that we cannot delete the default security group. Well, that's it for this video. I hope you enjoyed this one. In the next video we're gonna do a hands-on, and we're gonna implement all of these concepts. I'm excited to see you there and I'd like to thank you for watching. Thank you.
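The rule semantics covered in this video (allow-only rules, a new group with no inbound rules but all outbound allowed, stateful handling of replies, most-permissive aggregation, and the database group referencing web-server-sg as its source) modelled as a small evaluator. This is an added example, not code from the course or from AWS; the Rule/SecurityGroup/Instance names, the "database-sg" spelling and all IP addresses other than 203.0.113.1 are constructed here.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network
# A rule allows (never denies) protocol "tcp"/"udp"/"icmp"/"all" on a port range (-1 = any port)
# from/to a target that is a CIDR ("203.0.113.1/32") or the name of another security group.
Rule = namedtuple("Rule", "protocol from_port to_port target")
SecurityGroup = namedtuple("SecurityGroup", "name inbound outbound",      # new group: no inbound rules,
                           defaults=([], [Rule("all", -1, -1, "0.0.0.0/0")]))  # all outbound allowed

def _matches(rule, protocol, port, peer_ip, peer_groups):
    proto_ok = rule.protocol in ("all", protocol)
    port_ok = rule.from_port == -1 or rule.from_port <= port <= rule.to_port
    try:
        peer_ok = ip_address(peer_ip) in ip_network(rule.target)
    except ValueError:                # target is not a CIDR, so it is a security group reference
        peer_ok = rule.target in peer_groups
    return proto_ok and port_ok and peer_ok

class Instance:
    def __init__(self, groups):
        self.groups = groups          # one or more attached security groups
        self.flows = set()            # sessions opened from inside: (proto, peer_ip, peer_port, local_port)

    def _allowed(self, direction, protocol, port, peer_ip, peer_groups=()):
        # All attached groups' rules are aggregated and one allow suffices: the most permissive wins.
        return any(_matches(r, protocol, port, peer_ip, peer_groups)
                   for g in self.groups for r in getattr(g, direction))

    def send(self, protocol, dst_ip, dst_port, src_port):
        ok = self._allowed("outbound", protocol, dst_port, dst_ip)
        if ok:
            self.flows.add((protocol, dst_ip, dst_port, src_port))   # remember the session
        return ok

    def receive(self, protocol, src_ip, src_port, dst_port, src_groups=()):
        # Stateful: a reply to a session this instance opened is allowed regardless of inbound rules.
        if (protocol, src_ip, src_port, dst_port) in self.flows:
            return True
        return self._allowed("inbound", protocol, dst_port, src_ip, src_groups)

def demo():   # the video's web-server-sg / database-sg scenario with constructed documentation-range IPs
    web_sg = SecurityGroup("web-server-sg", [Rule("tcp", 80, 80, "0.0.0.0/0"),
              Rule("tcp", 22, 22, "203.0.113.1/32"), Rule("tcp", 22, 22, "0.0.0.0/0")])
    db_sg = SecurityGroup("database-sg", [Rule("tcp", 3306, 3306, "web-server-sg")])
    web, db = Instance([web_sg]), Instance([db_sg])
    return {"internet_to_web_80": web.receive("tcp", "198.51.100.7", 40000, 80),
            "ssh_from_anywhere": web.receive("tcp", "198.51.100.7", 40001, 22),  # most permissive rule
            "web_to_db_3306": db.receive("tcp", "10.0.1.5", 50000, 3306, {"web-server-sg"}),
            "internet_to_db_3306": db.receive("tcp", "198.51.100.7", 50001, 3306),
            "reply_to_our_request": web.send("tcp", "192.0.2.10", 443, 51000)
                                    and web.receive("tcp", "192.0.2.10", 443, 51000),
            "unsolicited_443": web.receive("tcp", "192.0.2.10", 443, 51001)}
```

Note that the second SSH rule makes port 22 reachable from anywhere even though a narrower rule for 203.0.113.1/32 exists, which is exactly the "most permissive rule wins" behaviour to watch for when reviewing groups.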