Security Group (SG)
The Amazon EC2 service allows users to add and remove instances dynamically for scalability. However, this dynamic, automatic addition of instances causes problems for firewall configuration and maintenance, which traditionally rely on IP addresses, subnet ranges or DNS host names as the basis for the firewall rules.
Amazon EC2 provides a firewall that is assigned to EC2 instances and configured through user-defined groups. A security group defines the firewall rules for the user’s instances. These rules specify which ingress (i.e., incoming) network traffic should be delivered to the user’s instance; all other ingress traffic is discarded. An ingress rule can be restricted to an IP range. This gives higher security, as the user can allow traffic on sensitive ports (e.g. SSH, RDP, DB port) from selected IPs only.
The user can modify the rules of a group at any time. The new rules are automatically enforced for all running instances and for instances launched in the future. However, the user can never remove a security group from an instance once it is attached to that instance. Only after the instance is terminated, and the security group is not attached to any other instance, can the user remove it.
The present guide demonstrates how to add or remove an ingress rule for a security group.
1. Create a security group, as explained here. Select the security group, where the user wants to define the incoming rule. Click on the “Inbound” tab.
2. To define the incoming rule, the user selects the port and the IP range. First select the “Create a new Rule” dropdown.
3. The security group offers ready-made rules for the standard ports, as listed below. Select a TCP / UDP / ICMP rule or one of the standard protocols.
4. If the user selects a standard protocol from the list, the security group does not ask for the port. Provide the IP or IP range from which inbound traffic should be allowed. Click on “Add Rule”.
5. The rule is added as an “Inbound” rule. The changes are not saved until the user clicks on the “Apply Rule Changes” button.
6. Before saving the HTTP rule, add another rule for a port which is not part of the standard port list. Provide the port or port range and the IP or IP range. Click on “Add Rule”.
7. The rule is added as a custom TCP rule. To save all the changes, click on the “Apply Rule Changes” button.
8. The rules are saved and the “Apply Rule Changes” button is disabled. To delete a rule from the “Inbound” traffic, click on the “Delete” link.
9. The rule will be marked as deleted but it will not be saved until the changes are applied. Click on “Apply Rule Changes”.
10. The rule will be deleted and all the changes will be applied.
11. To run the above steps through the command line interface, first set up the AWS EC2 CLI (the same tools used to launch an instance from the command line), as explained here.
12. Create a group, as explained here.
13. Run the command:
ec2-authorize --region <region name> <Group Name> -p <port number>
This adds the rule for all IPs (0.0.0.0/0).
To add the rule for a specific IP range, run the command:
ec2-authorize --region <region name> <Group Name> -p <port number> -s <IP Range>
Verify that the IP range is a correctly formed CIDR block, or else AWS will return an error message.
To revoke inbound traffic on a particular port, run the command:
ec2-revoke --region <region name> <Group Name> -p <port number>
14. The actual output is shown below:
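As an added example (not part of the original guide or of the AWS tools), the following shell wrapper puts the checks a practitioner would want in front of the ec2-authorize call from step 13: it validates the IP range before the command reaches AWS, and it refuses to open the admin ports SSH (22) and RDP (3389) to 0.0.0.0/0 unless explicitly overridden. The group name and region used in the comments are assumptions; DRY_RUN and ALLOW_PUBLIC_ADMIN are variables introduced by this example.

```shell
#!/bin/sh
# Added example, not from the original guide: a wrapper around the legacy
# ec2-authorize call from step 13 that checks the IP range before calling AWS
# and refuses to open the admin ports SSH (22) and RDP (3389) to 0.0.0.0/0
# unless ALLOW_PUBLIC_ADMIN=1. Assumes the EC2 CLI tools are set up as
# described above. Set DRY_RUN=1 to print the command instead of running it.

# valid_cidr a.b.c.d/n: return 0 if the argument is a well-formed IPv4 CIDR.
valid_cidr() {
    case $1 in */*) ;; *) return 1 ;; esac
    ip=${1%/*}
    prefix=${1#*/}
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case $ip in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac   # digits and single dots only
    old_ifs=$IFS
    IFS=.
    set -- $ip          # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# check_rule PORT CIDR: return 0 if the rule is acceptable, else say why.
check_rule() {
    valid_cidr "$2" || { echo "invalid IP range: $2" >&2; return 1; }
    case $1 in
        22|3389)
            if [ "$2" = "0.0.0.0/0" ] && [ "${ALLOW_PUBLIC_ADMIN:-0}" != 1 ]; then
                echo "refusing to open admin port $1 to 0.0.0.0/0" >&2
                return 1
            fi ;;
    esac
    return 0
}

# authorize_ingress REGION GROUP PORT CIDR: the guide's ec2-authorize call,
# guarded by check_rule (e.g. authorize_ingress us-east-1 web-sg 80 203.0.113.0/24).
authorize_ingress() {
    check_rule "$3" "$4" || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "ec2-authorize --region $1 $2 -p $3 -s $4"
    else
        ec2-authorize --region "$1" "$2" -p "$3" -s "$4"
    fi
}
```

Run it with DRY_RUN=1 first to see the exact ec2-authorize command the wrapper would issue; the same check_rule guard can be placed in front of ec2-revoke if rules are removed from scripts.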