Security groups section

Security groups act as a virtual firewall, which controls inbound and outbound traffic on a network interface of an instance, attached to a subnet. You can assign up to five security groups to one instance when you launch an instance in VPC. Your VPC automatically comes with a default security group. Each instance that you launch in your VPC is automatically associated with the default security group if you don’t specify a different security group when you launch the instance.

Ingress rules of the default security group
Source Protocol Ports Comments
The security group (sg-ХХХХХХХХ) All All Allow inbound traffic from instances assigned to the default security group
Egress rules of the default security group
Source Protocol Ports Comments
0.0.0.0/0 All All Allow all outbound IPv4 traffic

In each security group you can create rules, which control inbound and outbound traffic.

Stateful

Security Groups perform stateful traffic filtering: for each new allowed network connection a temporary return rule is created. This rule dynamically allows return traffic for this connection.

Lifetime of an inactive TCP connection is 300 seconds, UDP - 10 seconds. During this period of time return traffic for established connections is allowed.

Note

For example, imagine that you have a running web-server on TCP port 80 in your instance in the Cloud. This instance belongs to a Security Group web-sg, which contains an allowing ingress rule tcp/80, 0.0.0.0/0. The list of egress rules is empty. In the moment of TCP-session initialisation between client and web-server, following temporary return rule will be created: proto: tcp, source port: 80, destination port: XXXX, destination IP: client IP, where XXXX - ephemeral port, which was dynamically allocated by client’s operating system. This temporary rule will exist while network activity in this connection remains. After 300 seconds of inactivity this rule will be automatically removed.

Creating a security group

Click button_1 to create a security group.

In the dialog window enter the name of security group and confirm the action.

Click a link with security group unique ID to see the list of instances, associated on instance launch with this security group.

Deleting a security group

Click button_2 to delete a security group. The security group will be deleted after your confirmation.

Attention

You can’t delete:

  • a default security group;
  • a security group, which is assigned to an instance;
  • a security group, which is referenced as a source or a destination in another security group’s rules.

Adding rules

You can control traffic on a network interface of an instance, attached to a subnet by adding ingress and egress rules. To add an ingress or an egress rule, go to the corresponding tab, click button_3 and set necessary access parameters.

The adding an ingress rule dialog window is similar to the adding an egress rule one.

Attention

Allow rule don’t affect cross-AZ traffic. To allow such traffic, please use IP-based rules.

Attention

In one security group you can’t create more than 50 rules of one direction.

Deleting rules

Click button_4 in the corresponding tab to delete ingress or egress rules. Rules will be deleted after your confirmation. You can delete multiple rules at a time.