Amazon AWS Security Groups / Virtual Firewall General Guidelines
- If you use a VPC (Virtual Private Cloud) rather than EC2-Classic, security groups belong to the VPC.
- Security Groups are applied to EC2 instances (zero to many)
- Security Groups cannot span regions
- Instances belonging to the default security group can talk to each other.
- Instances belonging to a custom security group can’t talk to each other unless rules are added allowing it.
- No inbound traffic is allowed until you add inbound rules to the security group – this is the default.
- New security groups allow all outbound traffic – this is the default.
- Security groups specify allow rules only; there are no deny rules. (Network ACLs support both allow and deny rules.)
- Separate rules are specified for inbound and outbound traffic.
- You can remove the default allow-all outbound rule and add outbound rules that permit only specific outbound traffic.
- Security groups are stateful: if inbound traffic is allowed, the response traffic is allowed out regardless of the outbound rules, and vice versa.
- Again, this statefulness is an important difference between security groups and network ACLs.
- Changes to a security group take effect immediately, including on running instances that use it.
- Up to 500 security groups are allowed per VPC.
- Up to 50 inbound and 50 outbound rules are allowed per security group.
- A maximum of five security groups can be attached to each network interface.
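To make the rules above concrete, here is an added example (not AWS code, and not from the original post) that models security-group semantics in Python: allow-only inbound and outbound rule lists, the default "no inbound / all outbound" posture, self-referencing group rules like the default group, and a stateful connection table so that return traffic passes without matching a rule. The group ids (sg-default, sg-web, sg-db), instance names and IP addresses are constructed sample values. A host with no security groups (the Internet client) is treated as unfiltered on its own side, which is a modelling assumption.

```python
"""Toy model of AWS security-group evaluation (added example, not AWS's implementation)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

ALL = "-1"  # AWS uses -1 to mean "all protocols" / "all ports"


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or ALL
    from_port: int  # -1 means every port
    to_port: int
    peer: str       # CIDR ("0.0.0.0/0") or a security-group id ("sg-web")

    def matches(self, protocol, port, peer_ip, peer_groups):
        """Allow rule matches a flow; there is no such thing as a deny rule."""
        if self.protocol != ALL and self.protocol != protocol:
            return False
        if self.from_port != -1 and not (self.from_port <= port <= self.to_port):
            return False
        if self.peer.startswith("sg-"):            # group-referencing rule
            return self.peer in peer_groups
        return ip_address(peer_ip) in ip_network(self.peer)


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)   # default: nothing allowed in
    outbound: list = field(                       # default: everything allowed out
        default_factory=lambda: [Rule(ALL, -1, -1, "0.0.0.0/0")])


@dataclass
class Instance:
    name: str
    ip: str
    groups: tuple   # zero or many security-group ids; empty = unfiltered external host


class Vpc:
    def __init__(self, groups):
        self.groups = {g.group_id: g for g in groups}
        self.connections = set()   # state table of established flows

    def _allowed(self, direction, host, protocol, port, peer):
        if not host.groups:        # constructed assumption: external hosts are not filtered
            return True
        rules = [r for gid in host.groups for r in getattr(self.groups[gid], direction)]
        return any(r.matches(protocol, port, peer.ip, peer.groups) for r in rules)

    def connect(self, src, dst, protocol, port):
        """A new flow must pass src's outbound rules and dst's inbound rules."""
        if not self._allowed("outbound", src, protocol, port, dst):
            return False
        if not self._allowed("inbound", dst, protocol, port, src):
            return False
        self.connections.add((src.name, dst.name, protocol, port))
        return True

    def reply(self, src, dst, protocol, port):
        """Stateful: return traffic on an established flow needs no matching rule."""
        return (dst.name, src.name, protocol, port) in self.connections


def demo():
    """Exercise the defaults and the stateful behaviour on constructed sample groups."""
    default_sg = SecurityGroup("sg-default", inbound=[Rule(ALL, -1, -1, "sg-default")])
    web_sg = SecurityGroup("sg-web", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
    db_sg = SecurityGroup("sg-db", inbound=[Rule("tcp", 5432, 5432, "sg-web")],
                          outbound=[])   # allow-all outbound rule removed: nothing out
    vpc = Vpc([default_sg, web_sg, db_sg])
    a = Instance("a", "10.0.0.10", ("sg-default",))
    b = Instance("b", "10.0.0.11", ("sg-default",))
    web = Instance("web", "10.0.1.10", ("sg-web",))
    db = Instance("db", "10.0.2.10", ("sg-db",))
    client = Instance("client", "203.0.113.5", ())
    return {
        "default members talk": vpc.connect(a, b, "tcp", 22),         # True
        "internet to web 443": vpc.connect(client, web, "tcp", 443),  # True
        "internet to web 22": vpc.connect(client, web, "tcp", 22),    # False: no inbound rule
        "web to db 5432": vpc.connect(web, db, "tcp", 5432),          # True: group-referencing rule
        "db reply to web": vpc.reply(db, web, "tcp", 5432),           # True: stateful return
        "db to web new": vpc.connect(db, web, "tcp", 443),            # False: outbound removed
        "client to db": vpc.connect(client, db, "tcp", 5432),         # False: not in sg-web
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check:>22}: {'ALLOW' if result else 'DENY'}")
```

The "db reply to web" case is the point of the stateful bullet: sg-db has no outbound rules at all, yet the database's reply to the web tier passes because the flow was established inbound. Only a brand-new connection from db outwards is refused.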