Security Groups CheatSheet

A virtual firewall that controls the traffic to and from EC2 instances

Security Groups act as a virtual firewall at the instance level

Security Groups are associated with EC2 instances (strictly, with the Elastic Network Interfaces attached to them)

Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances

There are no ‘Deny’ rules. Inbound traffic is blocked by default unless a rule specifically allows it (a newly created Security Group has no inbound rules and a single outbound rule allowing all traffic). Security Groups are stateful: replies to allowed traffic are permitted regardless of the rules in the opposite direction.

Multiple instances across subnets of the same VPC can belong to one Security Group (a Security Group is scoped to a VPC)

Security Groups - Use Case

You can specify the source to be a CIDR range or a single IP address (a /32 prefix is one specific IPv4 address)

You can specify the source to be another Security Group; the rule then matches traffic from any network interface that has that group attached, whatever its IP address

An instance can belong to multiple Security Groups, and the rules are evaluated as a union of allows (permissive, not restrictive). Meaning, if one group has no Allow for some traffic and you add an Allow for it to another group attached to the same instance, the traffic will be allowed.
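The rule semantics above (allow-only rules, union across attached groups, /32 sources, and a Security Group used as a source) can be checked with a small model. The following Python is an added example written for this cheat sheet, not AWS code or an AWS API; the group ids (sg-web, sg-admin, sg-db) and the IP addresses are constructed sample data. The model deliberately ignores the stateful part (reply tracking) and only answers "would a rule allow this new flow".

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule. There is no deny rule type, matching Security Group semantics."""
    protocol: str             # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: Optional[int]  # None when protocol is "-1"
    to_port: Optional[int]
    source: str               # CIDR such as "203.0.113.7/32", or a group id "sg-..."

    def matches(self, protocol: str, port: int, peer_ip: str,
                peer_groups: FrozenSet[str]) -> bool:
        if self.protocol != "-1":
            if self.protocol != protocol:
                return False
            if not (self.from_port <= port <= self.to_port):
                return False
        if self.source.startswith("sg-"):
            # A group reference matches any ENI that has that group attached,
            # regardless of the peer's IP address.
            return self.source in peer_groups
        # ipaddress never places an IPv6 address inside an IPv4 network or vice versa.
        return ip_address(peer_ip) in ip_network(self.source, strict=False)


@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[Rule] = field(default_factory=list)
    # A newly created group has no inbound rules and "allow all" outbound rules.
    outbound: List[Rule] = field(default_factory=lambda: [
        Rule("-1", None, None, "0.0.0.0/0"),
        Rule("-1", None, None, "::/0"),
    ])


def is_allowed(groups: List[SecurityGroup], direction: str, protocol: str, port: int,
               peer_ip: str, peer_groups: FrozenSet[str] = frozenset()) -> bool:
    """Union semantics: the flow is allowed if ANY attached group has a matching
    allow rule; with no match it is dropped. direction is "inbound" or "outbound"."""
    for g in groups:
        rules = g.inbound if direction == "inbound" else g.outbound
        if any(r.matches(protocol, port, peer_ip, peer_groups) for r in rules):
            return True
    return False


# Constructed sample groups with hypothetical ids, not taken from any real account.
SG_WEB = SecurityGroup("sg-web", inbound=[Rule("tcp", 443, 443, "0.0.0.0/0")])
SG_ADMIN = SecurityGroup("sg-admin", inbound=[Rule("tcp", 22, 22, "203.0.113.7/32")])
SG_DB = SecurityGroup("sg-db", inbound=[Rule("tcp", 5432, 5432, "sg-web")])


def demo() -> dict:
    web_only = [SG_WEB]
    web_and_admin = [SG_WEB, SG_ADMIN]
    return {
        "https from anywhere": is_allowed(web_only, "inbound", "tcp", 443, "198.51.100.4"),
        "ssh without admin group": is_allowed(web_only, "inbound", "tcp", 22, "203.0.113.7"),
        "ssh with admin group, from the /32 address":
            is_allowed(web_and_admin, "inbound", "tcp", 22, "203.0.113.7"),
        "ssh with admin group, neighbouring address":
            is_allowed(web_and_admin, "inbound", "tcp", 22, "203.0.113.8"),
        "db from web tier by group reference":
            is_allowed([SG_DB], "inbound", "tcp", 5432, "10.0.1.20", frozenset({"sg-web"})),
        "db from the same ip without the group":
            is_allowed([SG_DB], "inbound", "tcp", 5432, "10.0.1.20"),
        "default outbound from a new group":
            is_allowed([SG_DB], "outbound", "udp", 53, "10.0.0.2"),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'DROP':5} {name}")
```

The last two cases show the asymmetry worth remembering: a group reference as source admits a peer only because of the groups attached to its ENI (the same private IP without the group is dropped), while a fresh group lets any outbound flow through until you remove its default outbound rules.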

Security Groups - Limits

You can have up to 10,000 Security Groups per Region (the default quota is 2,500)

You can have 60 inbound rules and 60 outbound rules per Security Group by default (adjustable, but Security Groups per ENI multiplied by rules per Security Group must not exceed 1,000)

16 Security Groups per Elastic Network Interface (ENI) (the default quota is 5)