Security Group

Difference from a network ACL: a security group is also a virtual firewall

A security group is a virtual firewall that controls inbound and outbound traffic for an Amazon EC2 instance.

  • By default, a security group denies all inbound traffic and allows all outbound traffic. You can add custom rules to configure which traffic should be allowed; any other traffic is then denied.
  • There are slight differences between a normal 'new' security group and the 'default' security group in the default VPC. For a 'new' security group, nothing is allowed in by default.
  • Security groups evaluate all the rules in the group before deciding how to handle the traffic.
  • Security groups support allow rules only; there are no deny rules.
  • Security groups operate at the instance level.

Stateful packet filtering

Security groups perform stateful packet filtering. They remember previous decisions made for incoming packets.

Consider the same example of sending a request out from an Amazon EC2 instance to the internet.

When a packet response for that request returns to the instance, the security group remembers your previous request. The security group allows the response to proceed, regardless of inbound security group rules.
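The behaviour described above (deny-all inbound by default, allow rules only, every rule evaluated, and stateful tracking of return traffic) as a small Python model. This is an added illustration, not AWS code; the rule format, the connection table and the sample addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    """One allow rule (security groups have no deny rules). Constructed model:
    proto 'any' and port None act as wildcards; cidr is the remote range."""
    proto: str
    port: Optional[int]
    cidr: str

    def matches(self, proto: str, port: int, addr: str) -> bool:
        return (self.proto in ("any", proto)
                and self.port in (None, port)
                and ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr))


@dataclass
class SecurityGroup:
    # A 'new' group: no inbound rules (nothing allowed in), all outbound allowed.
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=lambda: [Rule("any", None, "0.0.0.0/0")])
    # Connection table: remembers outbound flows so replies are let back in (stateful).
    flows: Set[Tuple[str, str, int, int]] = field(default_factory=set)

    def egress(self, proto: str, dst: str, dst_port: int, src_port: int) -> bool:
        # All rules are evaluated; since only allow rules exist, one match allows the packet.
        if any(r.matches(proto, dst_port, dst) for r in self.outbound):
            self.flows.add((proto, dst, dst_port, src_port))
            return True
        return False  # no matching allow rule: implicitly denied

    def ingress(self, proto: str, src: str, src_port: int, dst_port: int) -> bool:
        # A response to a tracked outbound request is allowed regardless of inbound rules.
        if (proto, src, src_port, dst_port) in self.flows:
            return True
        return any(r.matches(proto, dst_port, src) for r in self.inbound)


if __name__ == "__main__":
    sg = SecurityGroup()
    print("ssh from internet, no rule:", sg.ingress("tcp", "203.0.113.7", 51000, 22))   # False
    print("https request out:", sg.egress("tcp", "198.51.100.10", 443, 40000))          # True
    print("https reply back in:", sg.ingress("tcp", "198.51.100.10", 443, 40000))      # True
    sg.inbound.append(Rule("tcp", 22, "203.0.113.0/24"))
    print("ssh from allowed range:", sg.ingress("tcp", "203.0.113.7", 51000, 22))      # True
```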

