Configuring security groups
Security groups are stateful firewalls for your EC2 instances: every rule is an allow rule, and return traffic for a connection that a rule allows is permitted automatically in the other direction. If you don't specify a security group when launching an instance in EC2-VPC, AWS assigns the VPC's default security group to the instance. You can configure inbound and outbound rules for a security group, and you can change those rules while the instance is running; the changes are applied automatically to every instance associated with the group.
Every VPC comes with a default security group, which you can't delete. You can't use a security group created for EC2-VPC when you launch an instance in EC2-Classic, and you can't use a security group created for EC2-Classic when you launch an instance in EC2-VPC. After you launch an instance in EC2-Classic, you can't change its security groups, but you can add and delete rules, which are then applied automatically. After you launch an instance in EC2-VPC, you can change its security groups as well as add and remove rules, which are likewise applied automatically.
When you specify a security group as the source or destination for a rule, the rule applies to all instances associated with that security group. Security groups created for EC2-Classic can only have inbound rules, whereas security groups created for EC2-VPC can have both inbound and outbound rules.
At the time of writing, the limits are as follows: 500 security groups per region, 100 security groups per VPC, an unlimited number of security groups per instance in EC2-Classic but only 5 per instance (strictly, per network interface) in a VPC, 100 rules per security group in EC2-Classic, and 50 rules per security group in a VPC. These are adjustable service quotas, and the VPC defaults have been raised since, so check the current values for your account and region (for example, in the Service Quotas console) rather than relying on these figures.
How to do it…
In this recipe, we first list the commands for creating a security group for EC2-Classic and EC2-VPC. Then, we see how to create inbound and outbound rules. Finally, we list the command for adding the security group to an instance.
Creating a security group for EC2-Classic
By running the following command, you can create a security group in EC2-Classic. You have to provide a name and a description for the security group. The command returns the ID of the new group (GroupId), which the rule commands later in this recipe require:
$ aws ec2 create-security-group --group-name [SecurityGroupName] --description [Description]
The parameters used in this command are described as follows:
[SecurityGroupName]: The name of the security group
[Description]: The description of the security group
Next, run the following command to create a security group named WebServerSecurityGroup in EC2-Classic:
$ aws ec2 create-security-group --group-name WebServerSecurityGroup --description "Web Server Security Group"
Creating a security group for EC2-VPC
By running the following command, you can create a security group in EC2-VPC. You have to provide a name (which must be unique within the VPC), a description, and the VPC ID for the security group. As in EC2-Classic, the command returns the GroupId of the new group:
$ aws ec2 create-security-group --group-name [SecurityGroupName] --description [Description] --vpc-id [VPCId]
The parameters used in this command are described as follows:
[SecurityGroupName]: The name of the security group
[Description]: The description of the security group
[VPCId]: The ID of the VPC in which to create the group
The following command will create a security group named WebServerSecurityGroup in the VPC vpc-1f33c27a. You can get your VPC IDs by running the aws ec2 describe-vpcs command.
$ aws ec2 create-security-group --group-name WebServerSecurityGroup --description "Web Server Security Group" --vpc-id vpc-1f33c27a
Adding an inbound rule
Run the following command to add an inbound rule to your security group. You need to provide the security group ID, the protocol (tcp, udp, or icmp), the port or port range (for example, 22 or 1000-2000), and the source CIDR range. Because security groups are stateful, replies to connections allowed by this rule leave the instance without needing an outbound rule.
$ aws ec2 authorize-security-group-ingress --group-id [SecurityGroupId] --protocol [Protocol] --port [Port] --cidr [CIDR]
The parameters used in this command are described as follows:
[SecurityGroupId]: The ID of the security group
[Protocol]: The IP protocol of this permission
[Port]: The port or range of ports to allow
[CIDR]: The source CIDR IP range
Next, run the following command to create an inbound rule in security group sg-c6b873a3 that allows SSH traffic from the single IP address 123.252.223.114. The /32 suffix restricts the rule to that one host; opening port 22 to 0.0.0.0/0 would expose SSH to the whole Internet and should be avoided:
$ aws ec2 authorize-security-group-ingress --group-id sg-c6b873a3 --protocol tcp --port 22 --cidr 123.252.223.114/32
Adding an outbound rule
Run the following command to add an outbound rule to your security group. You need to specify the security group ID, the protocol (tcp, udp, or icmp), the port or port range, and the destination CIDR range. Note that a VPC security group is created with a default outbound rule that allows all traffic to 0.0.0.0/0, so an outbound rule you add only restricts anything once that default rule has been revoked (aws ec2 revoke-security-group-egress).
$ aws ec2 authorize-security-group-egress --group-id [SecurityGroupId] --protocol [Protocol] --port [Port] --cidr [CIDR]
The parameters used in this command are described as follows:
[SecurityGroupId]: The ID of the security group
[Protocol]: The IP protocol of this permission
[Port]: The port or range of ports to allow
[CIDR]: The destination CIDR IP range
Then, run the following command to create an outbound rule in security group sg-c6b873a3 that allows MySQL traffic (TCP port 3306) from your instance to the single IP address 123.252.223.114. The host must be written as a /32; 123.252.223.114/24 would allow the entire 123.252.223.0/24 network:
$ aws ec2 authorize-security-group-egress --group-id sg-c6b873a3 --protocol tcp --port 3306 --cidr 123.252.223.114/32
Adding the security group to an instance
By running the following command, you can attach one or more security groups to your EC2 instance (EC2-VPC only; an EC2-Classic instance's groups are fixed at launch). You have to provide the EC2 instance ID and one or more security group IDs. The list you pass replaces the instance's current set of security groups rather than adding to it, so include every group the instance should keep:
$ aws ec2 modify-instance-attribute --instance-id [InstanceId] --groups [SecurityGroupIds]
The parameters used in this command are described here:
[InstanceId]: The ID of the EC2 instance
[SecurityGroupIds]: The IDs of one or more security groups (space-separated)
Then, run the following command to set the security groups of EC2 instance i-2e7dace3 to sg-c6b873a3 and sg-ccb873a9:
$ aws ec2 modify-instance-attribute --instance-id i-2e7dace3 --groups sg-c6b873a3 sg-ccb873a9
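The whole recipe as one script, added here as an example and not part of the original text: it creates (or reuses) WebServerSecurityGroup in a VPC, adds least-privilege inbound rules, revokes the default allow-all egress rule before adding a narrow MySQL egress rule, and attaches the group to an instance. The check_rule, host_cidr and sg_id_for helpers, the command-line arguments, and the sample addresses 203.0.113.10 and 10.0.1.25 are assumptions made for this example, as is a configured AWS CLI with permission to run these commands.

```shell
#!/bin/sh
# Added example, not part of the original recipe. Runs the procedure above
# (create group, add inbound/outbound rules, attach to an instance) with
# least-privilege defaults. Assumes a configured AWS CLI; the VPC ID,
# instance ID and peer addresses are hypothetical command-line arguments.
set -eu

SG_NAME="WebServerSecurityGroup"   # group name used in the recipe
SG_DESC="Web Server Security Group"

# Refuse the classic mistake: an admin port (SSH/RDP) open to the world.
# Returns 0 when the rule is acceptable, 1 when it must not be created.
check_rule() {  # PORT CIDR
  case "$1" in
    22|3389)
      case "$2" in
        0.0.0.0/0|::/0)
          echo "refusing to open port $1 to $2" >&2
          return 1 ;;
      esac ;;
  esac
  return 0
}

# A bare IPv4 address becomes a /32 host rule; an explicit CIDR passes
# through. This stops a single host silently widening into a /24.
host_cidr() {  # IP-or-CIDR
  case "$1" in
    */*) printf '%s\n' "$1" ;;
    *)   printf '%s/32\n' "$1" ;;
  esac
}

# Reuse the group if it already exists in the VPC, otherwise create it.
# create-security-group prints the new GroupId, which later steps need.
sg_id_for() {  # NAME VPC_ID
  id=$(aws ec2 describe-security-groups \
         --filters "Name=vpc-id,Values=$2" "Name=group-name,Values=$1" \
         --query 'SecurityGroups[0].GroupId' --output text)
  if [ -z "$id" ] || [ "$id" = "None" ]; then
    id=$(aws ec2 create-security-group --group-name "$1" \
           --description "$SG_DESC" --vpc-id "$2" \
           --query GroupId --output text)
  fi
  printf '%s\n' "$id"
}

add_ingress() {  # GROUP_ID PORT CIDR
  check_rule "$2" "$3" || return 1
  aws ec2 authorize-security-group-ingress --group-id "$1" \
      --protocol tcp --port "$2" --cidr "$3"
}

# A VPC security group starts with an allow-all outbound rule, so a narrow
# egress rule has no effect until that default rule is revoked.
lock_down_egress() {  # GROUP_ID
  aws ec2 revoke-security-group-egress --group-id "$1" \
      --ip-permissions '[{"IpProtocol":"-1","IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]'
}

add_egress() {  # GROUP_ID PORT CIDR
  aws ec2 authorize-security-group-egress --group-id "$1" \
      --protocol tcp --port "$2" --cidr "$3"
}

# modify-instance-attribute --groups REPLACES the instance's group set,
# so every group the instance should keep must be listed here.
attach_groups() {  # INSTANCE_ID GROUP_ID...
  instance="$1"; shift
  aws ec2 modify-instance-attribute --instance-id "$instance" --groups "$@"
}

# Security groups are stateful: replies to the allowed inbound connections
# leave without an egress rule, and replies to the MySQL connection return
# without an ingress rule. Prints the group ID on success.
main() {  # VPC_ID INSTANCE_ID ADMIN_IP DB_IP
  sg=$(sg_id_for "$SG_NAME" "$1")
  add_ingress "$sg" 80  0.0.0.0/0                # public HTTP
  add_ingress "$sg" 443 0.0.0.0/0                # public HTTPS
  add_ingress "$sg" 22  "$(host_cidr "$3")"      # SSH from one admin host
  lock_down_egress "$sg"
  add_egress  "$sg" 3306 "$(host_cidr "$4")"     # MySQL to the DB host only
  attach_groups "$2" "$sg"
  printf '%s\n' "$sg"
}

# Usage: ./web-sg.sh vpc-1f33c27a i-2e7dace3 203.0.113.10 10.0.1.25
if [ "$#" -eq 4 ]; then
  main "$@"
fi
```

The authorize commands are not idempotent: running the script twice against the same group fails with InvalidPermission.Duplicate on the first rule that already exists, so describe the group's existing rules first (aws ec2 describe-security-groups --group-ids) if you need a re-runnable version.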