Reputation: 137
I am new to AWS and need the gurus' help!
I need to understand the purpose of having independent security groups created for your VPC and EC2 instance. I have read that AWS recommends having independent groups created, but I do not understand the conviction behind it.
Will having an independent security group filter out my incoming traffic at the VPC layer and deny requests for which rules have not been defined?
Consider I have two security groups:
Security Group - EC2 - Inbound rules to allow SSH and ICMP traffic
Security Group - VPC - No inbound rules configured
Will I be able to connect to the EC2 instance even though my VPC has no security groups defined?
Thank you in advance!
Upvotes: 0
Views: 3017
Reputation: 792
AWS offers only two types of security groups:
EC2-Classic instances do not live within a VPC, so they are not affected by VPC-EC2 security groups.
The table that you refer to on page 39 of the security whitepaper shows the differences between old services (EC2-Classic and VPN Classic) that are not offered anymore and the current default one (EC2-VPC). In the current format, your security groups are applied, at instance level, to all attached instances. You can enhance security by using Route Tables and Network Access Control Lists at a VPC level.
If your account was created after 2014, there is no need to worry about classic services.
I hope this helps.
EDIT 1:
I want to clarify that security groups work on attached services, so having a security group work on multiple instances is possible. When you attach multiple instances to a security group, you are giving yourself a break from creating multiple security groups with the same rules on different instances. It is a time saver, a safe way to secure connectivity between other services, and an organizational advantage. For example, you can have a security group that allows all incoming HTTP traffic, but maybe you just want SSH traffic into a specific instance.
Below is a diagram that helped me understand this better. The VPC security group mentioned below is just another security group to which all instances are attached. It shows that all instances are attached to it. In this particular example, the security group allows for communication between all instances attached to that security group.
You can find the question where this graph came from here. Check out my third source; it has a nice graph for security groups.
Sources:
Upvotes: 3
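The layering the answer describes, as an added example that is not from the original post or from AWS: a small Python model (class names, rules and addresses are constructed here) in which every security group attached to an instance is unioned into one allow-list, while a VPC-level network ACL is evaluated first, in rule-number order, with an implicit final deny. It shows that the question's empty "VPC" group contributes nothing to filtering, and that denying traffic at the VPC layer is the job of a network ACL rule, not of an empty group.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model (not AWS code): security groups are stateful allow-lists on the
# instance, and all groups attached to it are unioned; a network ACL is a stateless,
# ordered rule list on the subnet with an implicit final deny ("*" rule).

@dataclass
class SgRule:
    protocol: str            # "tcp" or "icmp"
    port: Optional[int]      # None for icmp
    cidr: str

@dataclass
class SecurityGroup:
    name: str
    inbound: List[SgRule] = field(default_factory=list)

@dataclass
class NaclRule:
    number: int
    protocol: str            # "tcp", "icmp" or "all"
    port: Optional[int]      # None matches any port
    cidr: str
    action: str              # "allow" or "deny"

def sg_allows(groups, protocol, port, src_ip):
    """Any matching rule in any attached group admits the packet; groups have no deny."""
    return any(r.protocol == protocol and r.port == port
               and ip_address(src_ip) in ip_network(r.cidr)
               for g in groups for r in g.inbound)

def nacl_allows(rules, protocol, port, src_ip):
    """Lowest-numbered matching rule wins; no match falls through to deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if (r.protocol in ("all", protocol) and r.port in (None, port)
                and ip_address(src_ip) in ip_network(r.cidr)):
            return r.action == "allow"
    return False

def instance_reachable(groups, nacl, protocol, port, src_ip):
    """Inbound traffic must pass the subnet NACL and then the instance's groups."""
    return nacl_allows(nacl, protocol, port, src_ip) and sg_allows(groups, protocol, port, src_ip)

# The question's scenario: one group with SSH + ICMP, one "VPC" group with no rules.
SG_EC2 = SecurityGroup("ec2", [SgRule("tcp", 22, "0.0.0.0/0"), SgRule("icmp", None, "0.0.0.0/0")])
SG_VPC = SecurityGroup("vpc")
DEFAULT_NACL = [NaclRule(100, "all", None, "0.0.0.0/0", "allow")]
```

With the default NACL, SSH and ICMP reach the instance through SG_EC2 alone, so attaching the empty SG_VPC neither helps nor hurts; adding a numbered deny rule to the NACL is what blocks a source at the VPC layer.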