Looking for a good explanation of how AWS Security groups behave

Philip Couling asked:

I’m struggling to get my head round port ranges described by AWS Security Groups and how they behave. I’m a software developer with many years of experience writing networking software so it’s possible I’m just overcomplicating things.

What I’m really looking for is a way to tie up my networking knowledge with the naming and behaviour of AWS.

What confuses me the most is that on a TCP or UDP packet there are two port numbers (the sender’s and the recipient’s). And this applies whether the packet is being sent from server to client or client to server. So firewall rules can theoretically refer to 4 different ports:

  1. Inbound packet recipient port
  2. Inbound packet sender port
  3. Outbound packet recipient port
  4. Outbound packet sender port

I realise that any (TCP) connection will in practice have only two ports because inbound and outbound packets are mirrors of each other.

Now with all that in mind, the AWS console has just one port for inbound rules and one port for outbound rules. And when I look for examples they often include reference to allowing every port outbound on the same group as a single port inbound (see terraform example).

What precisely does this do?

I’m worried because… I seem to need this egress rule. This seems to allow any client to connect to port 443, from any port. (That’s fine). But can the egress rule from one security group be combined with the ingress rule from another?

E.g. if I add a network group to let my machine act as an HTTP(S) server, like the example, and then I add another rule to let it act as an HTTP(S) client, then I will have one rule allowing any port from anywhere and one rule allowing any port to anywhere. Does that completely open up the firewall or must each packet match a security group completely?

My answer:

An AWS security group is just a firewall.

And the egress rule that allows everything simply allows your instances to make outgoing connections to anywhere.

If you make a connection between two instances, egress rules apply to the instance making the outgoing connection, and ingress rules apply to the instance receiving the incoming connection. These may be in different security groups, or different regions, or even in different AWS accounts. The other instance might even be elsewhere on the Internet. In most cases you’ll have no visibility to the other end’s firewall rules, nor will they be relevant, because they won’t be systems you are responsible for.

As for why only one port is specified, almost always only one port is relevant: the destination port. The source port is almost always dynamically assigned and not useful for firewalling. Only in very rare circumstances would the source port even theoretically matter in a firewall rule, and I can’t think of any you’d run into while running an instance on AWS.
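To make the answer concrete, here is a small model of how a security group decides on a connection. It is an added illustration, not code from the question, the answer, or AWS: a simplified evaluator that treats rules the way the answer describes (ingress rules judge connections made to the instance, egress rules judge connections the instance makes, only the destination port is consulted, and the rules of every group attached to an instance are pooled). The group definitions and addresses are constructed to match the question’s HTTPS server and client scenario.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# Constructed model of security-group evaluation. Simplified; not AWS's implementation.


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", or "-1" meaning all traffic (ports are then ignored)
    from_port: int
    to_port: int
    cidr: str       # the *remote* address range this rule refers to

    def matches(self, protocol: str, dest_port: int, remote_ip: str) -> bool:
        in_range = ip_address(remote_ip) in ip_network(self.cidr)
        if self.protocol == "-1":
            return in_range
        return (self.protocol == protocol
                and self.from_port <= dest_port <= self.to_port
                and in_range)


@dataclass
class SecurityGroup:
    name: str
    ingress: list = field(default_factory=list)   # rules for connections *to* the instance
    egress: list = field(default_factory=list)    # rules for connections *from* the instance


def connection_allowed(groups, direction, protocol, dest_port, remote_ip):
    """Decide whether one end of a connection permits it.

    direction == "in":  a remote peer is connecting to this instance; only the
                        ingress rules are consulted, against the port being connected to.
    direction == "out": this instance is connecting out; only the egress rules are
                        consulted, against the port on the remote end.
    All groups attached to the instance are pooled: a match in any one is enough.
    The sender's ephemeral port is never looked at, and the reply packets flowing the
    other way belong to the same connection, so they need no rule of their own.
    """
    rules = [r for g in groups for r in (g.ingress if direction == "in" else g.egress)]
    return any(r.matches(protocol, dest_port, remote_ip) for r in rules)


def end_to_end_allowed(client_groups, server_groups, protocol, dest_port, client_ip, server_ip):
    """A connection between two instances needs the client's egress AND the server's ingress,
    each evaluated on that instance's own groups."""
    return (connection_allowed(client_groups, "out", protocol, dest_port, server_ip)
            and connection_allowed(server_groups, "in", protocol, dest_port, client_ip))


# Constructed example groups mirroring the question: an HTTPS-server group that allows
# 443 in and everything out, and a separate HTTPS-client group that allows 443 out.
HTTPS_SERVER = SecurityGroup(
    "https-server",
    ingress=[Rule("tcp", 443, 443, "0.0.0.0/0")],
    egress=[Rule("-1", 0, 0, "0.0.0.0/0")],
)
HTTPS_CLIENT = SecurityGroup(
    "https-client",
    egress=[Rule("tcp", 443, 443, "0.0.0.0/0")],
)

if __name__ == "__main__":
    both = [HTTPS_SERVER, HTTPS_CLIENT]
    # Inbound HTTPS from any address and any source port: allowed by the ingress rule.
    print(connection_allowed(both, "in", "tcp", 443, "203.0.113.5"))    # True
    # Inbound SSH: still refused. The "allow everything" egress rule says nothing about
    # inbound connections, so attaching both groups does not open the firewall.
    print(connection_allowed(both, "in", "tcp", 22, "203.0.113.5"))     # False
    # Outbound connection to some other HTTPS server: the egress rule covers it.
    print(connection_allowed(both, "out", "tcp", 443, "198.51.100.7"))  # True
    # Two instances: the client's egress and the server's ingress are checked separately.
    print(end_to_end_allowed([HTTPS_CLIENT], [HTTPS_SERVER], "tcp", 443,
                             "10.0.1.10", "10.0.2.20"))                 # True
    print(end_to_end_allowed([HTTPS_CLIENT], [HTTPS_SERVER], "tcp", 80,
                             "10.0.1.10", "10.0.2.20"))                 # False
```

The last two calls are the situation the question worries about: adding a client group beside a server group only widens what the instance may connect *to*; what may connect *in* is still decided solely by the ingress rules, so the "any port to anywhere" egress rule and the "port 443 from anywhere" ingress rule never combine into an open firewall.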

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.