Fawad Shah

Reputation: 1774

Outbound rules in a security group

Scenario 1: I created an Inbound HTTP rule for all traffic. I then created an outbound rule for HTTP only for a specific IP (not mine). I was still able to see the http content. So does this mean that outbound rule will have no impact if inbound rule is set to all traffic?

Scenario 2: I then went ahead and deleted the inbound http rules and just created an outbound http rule with my IP. And it didn't allow me the http content.

Scenario 2 makes sense but based on scenario 1, I just cannot comprehend the usage of outbound rules. Can you please share some scenarios where outbound rules can be used?

Upvotes: 6

Views: 10572

Answers (1)

John Rotenstein

Reputation: 269340

Think about your home network. You don't want people on the Internet being able to access your computer, print and smart devices in your home. Fortunately, your router acts as a firewall that prevents incoming access.

However, you also want to be able to access the Internet. Fortunately, your router can observe requests you make to access sites like StackOverflow, and it permits the response to come back in. The difference here is that you initiated the Outbound connection, so it permits the return response to come back in. This is called a stateful connection because it remembers the request and allows the return traffic.

A Security Group in an Amazon VPC is exactly the same, but in reverse. If an Inbound rule permits requests to come in, then the Security Group will allow the response to go back out. This does not involve use of the Outbound rules.

Typically, the Outbound rule is left to "Allow All" because you trust software running on your own EC2 instance. This permits software and the operating system to access the Internet (e.g. to download software updates) and also permits the return traffic to come back. It does not involve the Inbound rules in this process.

Upvotes: 18
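The stateful behaviour the answer describes, modelled as an added Python example (not code from the question, the answer, or AWS): a tiny Security Group evaluator with a connection-tracking table. It reproduces the asker's two scenarios, and a third for the usual "allow all outbound" case; all IP addresses are constructed, and rules are simplified to a single port rather than a port range.

```python
# Added example: a minimal model of stateful Security Group evaluation.
# Constructed illustration only; rule shape is (protocol, port, cidr).
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    protocol: str
    port: int
    cidr: str

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        return (self.protocol == protocol and self.port == port
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr))


@dataclass
class SecurityGroup:
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # Connection-tracking table: flows already admitted by a rule.
    tracked: set = field(default_factory=set)

    def allow_inbound_request(self, protocol, port, client_ip) -> bool:
        if any(r.matches(protocol, port, client_ip) for r in self.inbound):
            self.tracked.add(("in", protocol, port, client_ip))
            return True
        return False

    def allow_outbound_response(self, protocol, port, client_ip) -> bool:
        # Return traffic for a tracked inbound flow never consults outbound rules.
        return ("in", protocol, port, client_ip) in self.tracked

    def allow_outbound_request(self, protocol, port, dest_ip) -> bool:
        # A connection the instance itself initiates is checked against outbound rules.
        if any(r.matches(protocol, port, dest_ip) for r in self.outbound):
            self.tracked.add(("out", protocol, port, dest_ip))
            return True
        return False


def scenario_1() -> bool:
    # Inbound HTTP from anywhere; outbound HTTP only to an unrelated IP (constructed).
    sg = SecurityGroup(inbound=[Rule("tcp", 80, "0.0.0.0/0")],
                       outbound=[Rule("tcp", 80, "198.51.100.7/32")])
    client = "203.0.113.10"  # constructed: the asker's IP, absent from the outbound rule
    return sg.allow_inbound_request("tcp", 80, client) and sg.allow_outbound_response("tcp", 80, client)


def scenario_2() -> bool:
    # No inbound rule at all; an outbound rule alone never admits an incoming request.
    sg = SecurityGroup(outbound=[Rule("tcp", 80, "203.0.113.10/32")])
    return sg.allow_inbound_request("tcp", 80, "203.0.113.10")


def scenario_3() -> bool:
    # Typical "allow all outbound": the instance can reach an update server (constructed IP).
    sg = SecurityGroup(outbound=[Rule("tcp", 443, "0.0.0.0/0")])
    return sg.allow_outbound_request("tcp", 443, "192.0.2.50")
```

Scenario 1 returns True because the response rides on the tracked inbound flow, scenario 2 returns False because no inbound rule admitted the request, and scenario 3 shows where outbound rules actually take effect.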
