Security Groups
Most resources in AWS allow you to attach one or more security groups, which are virtual firewalls that control which ports a resource opens for inbound and outbound network traffic. By default, all ports are blocked, so to allow network communication you add inbound and outbound rules. Each rule in a security group specifies a port range, the IP addresses (CIDR blocks) or other security groups that are allowed to access that port range, and the protocol that is allowed on that port range.
Here’s an example of inbound rules:
| Port range | Source | Protocol | Comment |
| --- | --- | --- | --- |
| 80 | 10.0.0.0/16 | tcp | Allow HTTP requests from within the VPC |
| 443 | 10.0.0.0/16 | tcp | Allow HTTPS requests from within the VPC |
| 4000 - 5000 | sg-abcd1234 | tcp | Open a range of ports (e.g., for debugging) to another security group, identified by its ID |
And here’s an example of outbound rules:
| Port range | Destination | Protocol | Comment |
| --- | --- | --- | --- |
| 443 | 0.0.0.0/0 | tcp | Allow all outbound requests over HTTPS so you can talk to the public Internet |
Note that every VPC has a Default Security Group that is used whenever you don't specify any other security group for a resource. We recommend always attaching a custom security group whose rules exactly match your use case, rather than relying on this shared default.
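To make the rule semantics concrete (default deny, port ranges, CIDR sources versus security-group sources, and protocol matching), here is an added example that models the two tables above in plain Python. It is not code from the page and does not call the AWS API; the names `Rule`, `parse_rule`, `is_allowed` and `world_open_inbound` are assumptions for this illustration, and the rule sets are constructed from the tables above. The final function flags inbound rules open to the whole Internet, which is the kind of check a reviewer would run over a custom security group before attaching it.

```python
"""Evaluate traffic against security-group-style rules (constructed example, not AWS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Rule:
    port_from: int
    port_to: int
    source: str    # a CIDR block such as "10.0.0.0/16" or a security group ID such as "sg-abcd1234"
    protocol: str  # "tcp", "udp", or "-1" meaning any protocol
    comment: str = ""


def parse_port_range(text: str) -> tuple[int, int]:
    """Accept a single port ("80") or a range written as in the table ("4000 - 5000")."""
    parts = [p.strip() for p in text.split("-")]
    if len(parts) == 1:
        lo = hi = int(parts[0])
    elif len(parts) == 2:
        lo, hi = int(parts[0]), int(parts[1])
    else:
        raise ValueError(f"bad port range: {text!r}")
    if not (0 <= lo <= hi <= 65535):
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return lo, hi


def parse_rule(port_range: str, source: str, protocol: str, comment: str = "") -> Rule:
    """Build a Rule from one table row; CIDR sources are validated up front."""
    lo, hi = parse_port_range(port_range)
    if not source.startswith("sg-"):
        ipaddress.ip_network(source, strict=False)  # raises ValueError on a malformed CIDR
    return Rule(lo, hi, source, protocol.lower(), comment)


def source_matches(rule_source: str, peer_ip: Optional[str], peer_sgs: Sequence[str]) -> bool:
    """A security-group source matches by group membership; a CIDR source matches by address."""
    if rule_source.startswith("sg-"):
        return rule_source in peer_sgs
    if peer_ip is None:
        return False
    # Membership across IP versions (e.g. an IPv4 peer against ::/0) is simply False.
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule_source, strict=False)


def is_allowed(rules: Sequence[Rule], port: int, protocol: str,
               peer_ip: Optional[str] = None, peer_sgs: Sequence[str] = ()) -> Optional[Rule]:
    """Return the first rule that permits the traffic, or None: anything unmatched is denied."""
    protocol = protocol.lower()
    for r in rules:
        if r.protocol not in ("-1", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if source_matches(r.source, peer_ip, peer_sgs):
            return r
    return None


def world_open_inbound(rules: Sequence[Rule]) -> list[Rule]:
    """Inbound rules whose source is the entire Internet; worth a second look before attaching."""
    return [r for r in rules if r.source in ("0.0.0.0/0", "::/0")]


# Constructed from the inbound table above.
INBOUND = [
    parse_rule("80", "10.0.0.0/16", "tcp", "Allow HTTP requests from within the VPC"),
    parse_rule("443", "10.0.0.0/16", "tcp", "Allow HTTPS requests from within the VPC"),
    parse_rule("4000 - 5000", "sg-abcd1234", "tcp", "Debug port range for one other security group"),
]

# Constructed from the outbound table above; the "source" column is the destination here.
OUTBOUND = [
    parse_rule("443", "0.0.0.0/0", "tcp", "Allow outbound HTTPS to the public Internet"),
]


if __name__ == "__main__":
    print("HTTP from 10.0.5.7:", is_allowed(INBOUND, 80, "tcp", peer_ip="10.0.5.7"))
    print("HTTP from 192.168.1.1:", is_allowed(INBOUND, 80, "tcp", peer_ip="192.168.1.1"))
    print("tcp/4500 from sg-abcd1234:", is_allowed(INBOUND, 4500, "tcp", peer_sgs=("sg-abcd1234",)))
    print("World-open inbound rules:", world_open_inbound(INBOUND))
```

Running the module shows that HTTP from inside the 10.0.0.0/16 block is permitted, the same request from outside the VPC is denied, and port 4500 is reachable only for a peer that carries sg-abcd1234; the audit function returns an empty list for the inbound table, while the outbound table legitimately targets 0.0.0.0/0.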