Tuesday 7 February 2023

AWS Security Groups

AWS Security Groups control the inbound and outbound traffic for various AWS resources: 
  • EC2 instance
    • running applications e.g. web server
    • running as DNS server
  • RDS - Database server
  • EFS file system
  • Elastic Load Balancer
  • VPC peering rules


Security groups are VPC-specific (and therefore region-specific). They can only be used within the VPC they are created. The exception is where there is a peering connection to another VPC, in which case they can be referred to in the peered VPC. 

For Security Group we can set:

  • Name
  • Description
  • VPC. VPC is region-specific so is security group.
  • Inbound rules
  • Outbound rules

For Security Group Rule (Inbound or Outbound) we can set:
  • Type. The protocol to open to network traffic. You can choose a common protocol, such as SSH (for a Linux instance), RDP (for a Windows instance), and HTTP and HTTPS to allow Internet traffic to reach your instance. You can also manually enter a custom port or port ranges.
  • Protocol. The type of protocol, for example TCP or UDP. Provides an additional selection for ICMP.
  • Port range. For custom rules and protocols, you can manually enter a port number or a port range.
  • Source. Determines the traffic that can reach your instance. Specify a single IP address, or an IP address range in CIDR notation (for example, If connecting from behind a firewall, you'll need the IP address range used by the client computers. You can specify the name or ID of another security group in the same region. To specify a security group in another AWS account (EC2-Classic only), prefix it with the account ID and a forward slash, for example: 111122223333/OtherSecurityGroup.
  • Description. A description for a security group rule.
    A description can be up to 255 characters in length.
    Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*.

Example: we have a Node.js application that is receiving traffic on port 8080, only from a Load Balancer that is on the same VPC. This means we need to create an Inbound rule:

  • Type: Custom TCP
  • Protocol: TCP
  • Port range: 8080
  • Source: Custom; CIDR block: (in our example we're using a default VPC so we'll put here its private IP address block thus allowing only access from the private network)


Terraform Security Group resource

aws_security_group | Resources | hashicorp/aws | Terraform Registry


Terraform Security Group Rule resource

It represents a single ingress or egress group rule, which can be added to external Security Groups: 

aws_security_group_rule | Resources | hashicorp/aws | Terraform Registry

Required arguments: 

  • from_port: start port
  • to_port: end port
  • protocol
    • icmp
    • icmpv6
    • tcp
    • udp
    • all
  • security_group_id: Security group to apply this rule to.
  • type
    • ingress (inbound)
    • egress (outbound) 
Optional arguments:
  • self. Whether the security group itself will be added as a source to this ingress rule.
  • source_security_group_id.  Security group id to allow access to/from, depending on the type.
  • ...

Because security group rule gets attached to the security group, we need to instruct Terraform to provision security group rule after the security group. We do this by using depends_on meta argument:

resource "aws_security_group_rule" "my_ec2_ssh" {
  type            = "ingress"
  from_port       = 22
  to_port         = 22
  protocol        = "tcp"
  cidr_blocks = var.ssh_ip_range
  security_group_id = aws_security_group.my_ec2_sg.id
  depends_on = [aws_security_group.my_ec2_sg]


Security group rules for different use cases - Amazon Elastic Compute Cloud

No comments: