Which AWS service or feature can be used to control inbound and outbound traffic on an Amazon EC2 instance?
Security groups. A security group acts as a virtual firewall at the instance (network interface) level: it holds allow rules for inbound and outbound traffic, anything not matched by an allow rule is dropped, and it is stateful, so a response to allowed traffic is permitted automatically. (Network ACLs also filter traffic, but statelessly and at the subnet level; the instance-level control is the security group.)

You can create a security group and add rules that reflect the role of the instance that's associated with the security group. For example, an instance that's configured as a web server needs security group rules that allow inbound HTTP and HTTPS access. Likewise, a database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL. The following are examples of the kinds of rules that you can add to security groups for specific kinds of access.

Web server rules
The following inbound rules allow HTTP (TCP port 80) and HTTPS (TCP port 443) access from any IPv4 address (0.0.0.0/0). If your VPC is enabled for IPv6, you can add rules with the source ::/0 to control inbound HTTP and HTTPS traffic from IPv6 addresses.
Database server rules
The following inbound rules are examples of rules you might add for database access, depending on what type of database you're running on your instance. For more information about Amazon RDS instances, see the Amazon RDS User Guide. For the source, specify either the IP address or CIDR range of the clients that need the database, or the ID of the security group associated with your application instances; a security group reference keeps the rule correct when application instances are replaced and their addresses change, and never use 0.0.0.0/0 for a database port.
You can optionally restrict outbound traffic from your database servers. For example, you might want to allow access to the internet for software updates, but restrict all other kinds of traffic. You must first remove the default outbound rule that allows all outbound traffic (all protocols to 0.0.0.0/0 and, in a VPC with IPv6, a second rule to ::/0); while it is present, any narrower outbound rules you add have no effect.
Rules to connect to instances from your computer
To connect to your instance, your security group must have inbound rules that allow SSH access (TCP port 22, for Linux instances) or RDP access (TCP port 3389, for Windows instances). Restrict the source to the public IP address or CIDR range of your computer or network rather than 0.0.0.0/0; an administrative port open to the internet is the most common security group misconfiguration.
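A check for the rules discussed here and for the database rules above, as an added example that is not part of the AWS documentation: it audits security groups for administrative or database ports open to the internet, all-traffic rules from anywhere, and the default allow-all egress left in place. SAMPLE_GROUPS is constructed in the shape of the boto3 `ec2.describe_security_groups()["SecurityGroups"]` response; the group IDs are hypothetical, and a real audit replaces the sample with that call.

```python
"""Audit EC2 security groups for exposures the rules above warn against.

Added example, not AWS's own code. SAMPLE_GROUPS is constructed data in the
shape of boto3 ec2.describe_security_groups()["SecurityGroups"]; group IDs
are hypothetical. Replace it with the real call to audit an account.
"""
from typing import Dict, List

WORLD = {"0.0.0.0/0", "::/0"}
SENSITIVE_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgres",
                   1433: "mssql", 1521: "oracle"}

SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-web0001", "GroupName": "web",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "203.0.113.0/24"}]}],          # SSH from admin net: fine
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-bast0001", "GroupName": "bastion",
     "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                        "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],  # SSH from anywhere
     "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                              "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
    {"GroupId": "sg-db000001", "GroupName": "db",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "UserIdGroupPairs": [{"GroupId": "sg-web0001"}]},       # group reference: fine
         {"IpProtocol": "-1", "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}],  # everything from v6 world
     "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
]


def _world_cidrs(perm: Dict) -> List[str]:
    """Sources (ingress) or destinations (egress) in the rule that mean 'anywhere'."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in WORLD]


def _covers_tcp(perm: Dict, port: int) -> bool:
    """True if the rule admits TCP traffic to `port` (all-protocol rules admit everything)."""
    if perm["IpProtocol"] == "-1":
        return True
    if perm["IpProtocol"] not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit(groups: List[Dict]) -> List[Dict]:
    """One finding per offending rule: {group, severity, issue, cidrs}."""
    findings: List[Dict] = []
    for g in groups:
        gid = g["GroupId"]
        for perm in g.get("IpPermissions", []):
            world = _world_cidrs(perm)
            if not world:
                continue  # CIDR-restricted or security-group-referenced source
            if perm["IpProtocol"] == "-1":
                findings.append({"group": gid, "severity": "high", "cidrs": world,
                                 "issue": "all protocols and ports open to the internet"})
                continue
            hits = [f"{name} ({port})" for port, name in SENSITIVE_PORTS.items()
                    if _covers_tcp(perm, port)]
            if hits:  # 80/443 from anywhere on a web tier is expected, so not flagged
                findings.append({"group": gid, "severity": "high", "cidrs": world,
                                 "issue": ", ".join(hits) + " open to the internet"})
        for perm in g.get("IpPermissionsEgress", []):
            if perm["IpProtocol"] == "-1" and _world_cidrs(perm):
                findings.append({"group": gid, "severity": "info",
                                 "cidrs": _world_cidrs(perm),
                                 "issue": "default allow-all egress still present"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_GROUPS):
        print(f"{f['severity']:<5} {f['group']:<12} {f['issue']} via {', '.join(f['cidrs'])}")
```

On the sample data the audit reports the bastion's SSH-from-anywhere rule and the database group's all-traffic IPv6 rule as high, and the two groups still carrying the default egress rule as informational; the web group's 80/443 rules and the group-referenced 3306 rule are accepted.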
Rules to connect to instances from an instance with the same security group
To allow instances that are associated with the same security group to communicate with each other, you must explicitly add a rule for this; membership in the same group does not by itself permit traffic between members. If you configure routes to forward the traffic between two instances in different subnets through a middlebox appliance, you must ensure that the security groups for both instances allow traffic to flow between the instances. In that case the security group for each instance must reference the private IP address of the other instance, or the CIDR range of the subnet that contains the other instance, as the source; referencing the security group of the other instance as the source does not allow the traffic to flow between them. The following inbound rule enables instances associated with the security group to communicate with each other over all types of traffic; its source is the ID of the security group itself.
Rules for ping/ICMP
The ping command is a type of ICMP traffic (echo request, ICMP type 8). To ping your instance, you must add the following inbound ICMP rule; because security groups are stateful, the echo reply needs no outbound rule.
To use the ping6 command to ping the IPv6 address for your instance, you must add the following inbound ICMPv6 rule.
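The web server, database, restricted-outbound, SSH/RDP, same-group and ping rules described above, composed as boto3 IpPermissions structures and applied through an EC2 client. This is an added example, not code from the AWS documentation: the security group IDs and the 203.0.113.0/24 admin range are hypothetical, and DryRunClient is a constructed stand-in for `boto3.client("ec2")` so the script runs offline; pass a real client to apply the rules.

```python
"""Compose EC2 security group rules as boto3 IpPermissions and apply them.

Added example, not AWS's own code. Group IDs and 203.0.113.0/24 are
hypothetical; DryRunClient stands in for boto3.client("ec2") so this runs
offline. Only three client methods are used, all real boto3 EC2 calls.
"""
from typing import Dict, List, Sequence

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"


def _entry(key: str, value: str, desc: str) -> Dict:
    return {key: value, "Description": desc} if desc else {key: value}


def _perm(proto: str, from_port: int = -1, to_port: int = -1,
          cidrs: Sequence[str] = (), cidrs6: Sequence[str] = (),
          sgs: Sequence[str] = (), desc: str = "") -> Dict:
    """One IpPermissions entry; proto "-1" (all protocols) carries no ports."""
    perm: Dict = {"IpProtocol": proto}
    if proto != "-1":
        perm["FromPort"], perm["ToPort"] = from_port, to_port
    if cidrs:
        perm["IpRanges"] = [_entry("CidrIp", c, desc) for c in cidrs]
    if cidrs6:
        perm["Ipv6Ranges"] = [_entry("CidrIpv6", c, desc) for c in cidrs6]
    if sgs:
        perm["UserIdGroupPairs"] = [_entry("GroupId", g, desc) for g in sgs]
    return perm


def web_server_ingress(ipv6: bool = True) -> List[Dict]:
    """HTTP and HTTPS from anywhere; the ::/0 source only if the VPC has IPv6."""
    v6 = [ANY_V6] if ipv6 else []
    return [_perm("tcp", p, p, [ANY_V4], v6, desc=f"public {name}")
            for p, name in ((80, "http"), (443, "https"))]


def database_ingress(app_sg_id: str, port: int = 3306) -> List[Dict]:
    """Database port reachable only from members of the application tier's group."""
    return [_perm("tcp", port, port, sgs=[app_sg_id], desc="app tier to db")]


def admin_ingress(admin_cidr: str, windows: bool = False) -> List[Dict]:
    """SSH (Linux) or RDP (Windows) from the admin network only, never 0.0.0.0/0."""
    port = 3389 if windows else 22
    return [_perm("tcp", port, port, [admin_cidr], desc="admin access")]


def self_reference_ingress(sg_id: str) -> List[Dict]:
    """All traffic between members of the same group (source = the group itself).
    Not valid for traffic routed through a middlebox; use IPs or subnet CIDRs there."""
    return [_perm("-1", sgs=[sg_id], desc="intra-group")]


def ping_ingress(cidr: str) -> List[Dict]:
    """ICMP echo request (type 8, any code) so the instance answers ping."""
    return [_perm("icmp", 8, -1, [cidr], desc="ping")]


class DryRunClient:
    """Records the calls a real boto3 EC2 client would receive."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def authorize_security_group_ingress(self, **kw) -> None:
        self.calls.append(("authorize_security_group_ingress", kw))

    def revoke_security_group_egress(self, **kw) -> None:
        self.calls.append(("revoke_security_group_egress", kw))

    def authorize_security_group_egress(self, **kw) -> None:
        self.calls.append(("authorize_security_group_egress", kw))


def apply_ingress(client, sg_id: str, perms: List[Dict]) -> int:
    """Authorize the inbound rules on one group; returns how many were sent."""
    client.authorize_security_group_ingress(GroupId=sg_id, IpPermissions=perms)
    return len(perms)


def lock_down_egress(client, sg_id: str, allowed: List[Dict],
                     ipv6: bool = True) -> List[str]:
    """Replace the default allow-all egress with an explicit allow list.
    The defaults (all traffic to 0.0.0.0/0 and, in an IPv6 VPC, to ::/0) are
    revoked first; pass ipv6=False for an IPv4-only VPC, where the ::/0 rule
    does not exist and revoking it would fail. Returns the calls made, in order."""
    defaults = [_perm("-1", cidrs=[ANY_V4])]
    if ipv6:
        defaults.append(_perm("-1", cidrs6=[ANY_V6]))
    client.revoke_security_group_egress(GroupId=sg_id, IpPermissions=defaults)
    client.authorize_security_group_egress(GroupId=sg_id, IpPermissions=allowed)
    return ["revoke_security_group_egress", "authorize_security_group_egress"]


if __name__ == "__main__":
    ec2 = DryRunClient()  # replace with boto3.client("ec2") to apply for real
    web_sg, db_sg = "sg-0web000000000001", "sg-0db0000000000001"  # hypothetical
    apply_ingress(ec2, web_sg, web_server_ingress() + admin_ingress("203.0.113.0/24"))
    apply_ingress(ec2, db_sg, database_ingress(web_sg) + self_reference_ingress(db_sg))
    lock_down_egress(ec2, db_sg, [_perm("tcp", 443, 443, [ANY_V4], desc="updates")])
    for name, kw in ec2.calls:
        print(name, kw["GroupId"], [p["IpProtocol"] for p in kw["IpPermissions"]])
```

The database group takes the web group's ID as its source rather than a CIDR, and its outbound side is reduced to HTTPS for package updates only after the allow-all default has been revoked, matching the order the text prescribes.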
DNS server rules
If you've set up your EC2 instance as a DNS server, you must ensure that both TCP and UDP traffic can reach your DNS server over port 53 (standard queries use UDP; zone transfers and large responses use TCP). For the source, specify either the IP address or CIDR range of the clients that should be able to resolve names through it, or the ID of the security group those clients are associated with; open port 53 to 0.0.0.0/0 only if the server is meant to be an authoritative public resolver.
Amazon EFS rules
If you're using an Amazon EFS file system with your Amazon EC2 instances, the security group that you associate with your Amazon EFS mount targets must allow inbound traffic over the NFS protocol (TCP port 2049); the source should be the security group associated with the instances that mount the file system.
To mount an Amazon EFS file system on your Amazon EC2 instance, you must connect to your instance. Therefore, the security group associated with your instance must have rules that allow inbound SSH from your local computer or local network.
Elastic Load Balancing rules
If you're using a load balancer, the security group associated with your load balancer must have rules that allow communication with your instances or targets.
The security group rules for your instances must allow the load balancer to communicate with your instances on both the listener port and the health check port.
For more information, see Configure security groups for your Classic Load Balancer in the User Guide for Classic Load Balancers, and Security groups for your Application Load Balancer in the User Guide for Application Load Balancers.

VPC peering rules
You can update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC. Doing so allows traffic to flow to and from instances that are associated with the referenced security group in the peered VPC. For more information about how to configure security groups for VPC peering, see Updating your security groups to reference peer VPC groups.