Security Groups act as virtual firewalls for EC2 instances, controlling inbound and outbound traffic.
- Contain only allow rules (no explicit deny rules).
- Rules can reference IP ranges (IPv4/IPv6 CIDRs) or other security groups as the source/destination.
Inbound: Controls traffic from outside to the instance.
Outbound: Controls traffic from the instance to outside.
Key Facts
- Can be attached to multiple instances.
- Scoped to a region/VPC.
- Reside outside the EC2 instance (blocked traffic never reaches it).
- Best practice: separate Security Group for SSH.
- Default:
  - Inbound: all blocked.
  - Outbound: all allowed.
- Timeout errors → Security Group issue (blocked traffic is dropped before it reaches the instance, so the client never gets a reply).
- “Connection refused” → application issue or service not running (the traffic reached the instance, but nothing is listening on that port).
Common Ports to Know
- 22 – SSH (Linux)
- 21 – FTP
- 22 – SFTP (over SSH)
- 80 – HTTP
- 443 – HTTPS
- 3389 – RDP (Windows)
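As an added example (not part of the original notes), a small Python audit that applies the Key Facts and the port list above to a constructed `describe-security-groups`-style input: it flags SSH/RDP (22/3389) allowed from 0.0.0.0/0 or ::/0, and SSH rules that share a group with other traffic instead of living in a dedicated SSH group. The group IDs, CIDRs and rules are constructed sample data, not real AWS resources.

```python
"""Audit EC2 Security Group inbound rules for admin ports exposed to the world.
Input mimics the IpPermissions shape from `aws ec2 describe-security-groups`."""
ADMIN_PORTS = {22: "SSH/SFTP", 3389: "RDP"}
ANY_V4, ANY_V6 = "0.0.0.0/0", "::/0"

# Constructed sample: a web group that also opens SSH to everyone (bad),
# and a dedicated SSH group restricted to an admin CIDR (good).
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web", "GroupName": "web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ssh", "GroupName": "ssh-only", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
    ]},
]

def rule_covers_port(rule, port):
    """True if this allow rule admits TCP `port`; IpProtocol "-1" means every port."""
    if rule["IpProtocol"] == "-1":
        return True
    if rule["IpProtocol"] != "tcp":
        return False
    return rule["FromPort"] <= port <= rule["ToPort"]

def rule_is_world_open(rule):
    """True if any source is the catch-all IPv4 or IPv6 range (a group reference is not)."""
    v4 = any(r["CidrIp"] == ANY_V4 for r in rule.get("IpRanges", []))
    v6 = any(r["CidrIpv6"] == ANY_V6 for r in rule.get("Ipv6Ranges", []))
    return v4 or v6

def audit(groups):
    """Return findings: admin ports reachable from anywhere, and SSH rules that share
    a group with other traffic (contrary to the separate-SSH-group practice)."""
    findings = []
    for g in groups:
        rules = g["IpPermissions"]
        for rule in rules:
            for port, name in ADMIN_PORTS.items():
                if rule_covers_port(rule, port) and rule_is_world_open(rule):
                    findings.append(f"{g['GroupId']}: {name} ({port}) open to the world")
        ssh_flags = [rule_covers_port(r, 22) for r in rules]
        if any(ssh_flags) and not all(ssh_flags):
            findings.append(f"{g['GroupId']}: SSH rule mixed with non-SSH rules; use a dedicated SSH group")
    return findings
```

Running `audit(SAMPLE_GROUPS)` reports two findings against `sg-0web` and none against the dedicated `sg-0ssh` group.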