Security Groups

Security Group – A security group is a virtual firewall that controls traffic at the instance level in cloud environments such as Amazon Web Services (AWS), Microsoft Azure, or Google Cloud. Security groups allow controlling both inbound and outbound traffic for resources in a virtual network, such as a VPC (Virtual Private Cloud). Let’s explore the main aspects of working with security groups in more detail.

  1. Purpose of Security Group

A Security Group is used to manage access to resources such as virtual machines (EC2 in AWS) or containers running in the cloud. It regulates the following types of traffic:

  • Inbound traffic: Controls incoming requests to an instance.
  • Outbound traffic: Controls the traffic that an instance sends to other networks or the internet.

Security groups protect resources by filtering traffic based on parameters such as IP address, port, and protocol.

  2. How It Works

Security groups are stateful, meaning:

  • When you allow an inbound connection, the response outbound connection is automatically allowed.
  • Similarly, if an outbound connection is allowed, the response inbound connection will also be automatically allowed.

For example, if a request is sent from your resource, the response to that request will always be allowed, regardless of the inbound security group rules.

  3. Key Components of a Security Group

A security group consists of rules that define which traffic is allowed to or from the resource.

3.1. Inbound Rules
Inbound rules define which traffic can reach the resource:

  • Traffic source: You can specify an IP address or address range (e.g., 192.168.1.0/24) or another security group.
  • Protocol: A specific protocol (e.g., TCP, UDP, ICMP) or allow all protocols.
  • Port: A specific port or range of ports (e.g., 22 for SSH). Example: A rule that allows SSH access (TCP port 22) from the IP address 203.0.113.0.

3.2. Outbound Rules
Outbound rules define which traffic the resource can send:

  • Traffic destination: Specify the IP address or address range where traffic will be sent.
  • Protocol and port: Choose the protocol and port. Example: A rule that allows all outbound traffic to port 80 (HTTP) for all IP addresses.
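The rule model and the stateful behaviour described above, as an added example (not code from this page or from the console it documents): a small Python simulation in which rules form an allow-list per direction and a connection table admits return traffic without consulting the rules for that direction. The `Rule` fields, the `SecurityGroup` class and the sample addresses are this example's own assumptions; sources and destinations are modelled as CIDRs only (the "another security group" source type is omitted).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    """One allow rule; the field names are this example's own, not the console's."""
    direction: str                    # "INGRESS" or "EGRESS"
    protocol: str                     # "TCP", "UDP", "ICMP" or "Any"
    cidr: str                         # source (INGRESS) or destination (EGRESS)
    start_port: Optional[int] = None  # None means every port (used for "Any" / ICMP)
    end_port: Optional[int] = None

    def matches(self, direction: str, protocol: str, remote_ip: str, port: int) -> bool:
        if self.direction != direction:
            return False
        if self.protocol != "Any" and self.protocol != protocol:
            return False
        if ip_address(remote_ip) not in ip_network(self.cidr, strict=False):
            return False
        if self.start_port is not None:
            end = self.end_port if self.end_port is not None else self.start_port
            if not (self.start_port <= port <= end):
                return False
        return True


class SecurityGroup:
    """Allow-list of rules plus a connection table that makes it stateful."""

    def __init__(self, rules):
        self.rules = list(rules)
        # Connections already admitted by a rule, keyed by the 4-tuple
        # (protocol, local port, remote address, remote port).
        self._established = set()

    def _rule_allows(self, direction, protocol, remote_ip, port):
        return any(r.matches(direction, protocol, remote_ip, port) for r in self.rules)

    def _check(self, direction, protocol, remote_ip, remote_port, local_port):
        key = (protocol, local_port, remote_ip, remote_port)
        if key in self._established:
            # Reply leg of a tracked connection: admitted without consulting
            # the rules for this direction, which is what "stateful" means.
            return "allowed (return traffic)"
        # INGRESS rules name the local port; EGRESS rules name the remote port.
        rule_port = local_port if direction == "INGRESS" else remote_port
        if self._rule_allows(direction, protocol, remote_ip, rule_port):
            self._established.add(key)
            return "allowed (rule)"
        return "denied"

    def inbound(self, protocol, remote_ip, remote_port, local_port):
        return self._check("INGRESS", protocol, remote_ip, remote_port, local_port)

    def outbound(self, protocol, remote_ip, remote_port, local_port):
        return self._check("EGRESS", protocol, remote_ip, remote_port, local_port)


def demo():
    """Constructed scenario (not from the page): SSH allowed inbound from one
    address, HTTP allowed outbound to anywhere, exercised in both directions."""
    sg = SecurityGroup([
        Rule("INGRESS", "TCP", "203.0.113.0/32", 22, 22),  # SSH from one admin host
        Rule("EGRESS", "TCP", "0.0.0.0/0", 80, 80),        # HTTP to any address
    ])
    return {
        "ssh_in": sg.inbound("TCP", "203.0.113.0", 51515, 22),          # matched by rule
        "ssh_reply_out": sg.outbound("TCP", "203.0.113.0", 51515, 22),  # no egress rule for 22 needed
        "ssh_other_src": sg.inbound("TCP", "198.51.100.9", 51515, 22),  # wrong source address
        "rdp_in": sg.inbound("TCP", "203.0.113.0", 51516, 3389),        # no rule for this port
        "http_out": sg.outbound("TCP", "198.51.100.7", 80, 40000),      # matched by rule
        "http_reply_in": sg.inbound("TCP", "198.51.100.7", 80, 40000),  # no ingress rule for 40000 needed
        "dns_out": sg.outbound("UDP", "198.51.100.53", 53, 40001),      # no rule for UDP
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:14} {verdict}")
```

The two "reply" cases are the point of the example: the SSH reply leaves although no egress rule mentions port 22, and the HTTP reply arrives although no ingress rule mentions port 40000, exactly as the stateful description above says. Everything else falls through to the rules and is denied unless a rule matches.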

  4. Limitations

There are certain quotas for security group usage:

  • Security groups per interface: The maximum number of security groups that can be attached to a single network interface (e.g., in AWS, up to 5 groups per interface).
  • Number of rules: The maximum number of rules per security group (e.g., in AWS, up to 60 rules per group).
  • Security groups per VPC: There is a limit to the number of security groups that can be created in a VPC (e.g., in AWS, up to 2500 groups per VPC).

  5. Characteristics of Security Group

  • Stateful: As mentioned earlier, a security group tracks connections, which allows automatic allowance of return packets.
  • Resource association: A security group can be assigned to one or more resources within the same VPC.
  • Dynamic updates: Changes to security group rules are applied instantly without requiring a reboot or restart of resources.

  6. Benefits of Security Group

  • Simplified management: Instead of configuring firewall rules for each instance, you can create security groups for different resources with the same requirements.
  • Centralized management: Changes to security group rules are immediately applied to all resources associated with that group.
  • Flexibility and security: Security groups allow control over traffic at the application or network level, maintaining high isolation and protection for resources.

A security group is a powerful tool for managing security in a cloud environment, helping to control access to resources while providing flexibility and reliability.

To create a Security Group:

Go to Network > Security Groups. Click Create on the top toolbar.

In the "Create Security Group" dialog box, enter the following information:

  • Name: The name of the security group.
  • Description (optional): A description of the security group.
  • VPC: Select the VPC with which the security group should be associated.

Next to Rules, click Add. For each rule, enter the following:

  • IP Protocol Version: Choose IPV4 or IPV6.
  • Direction: Select EGRESS for defining rules for outgoing traffic. Select INGRESS for defining rules for incoming traffic.
  • Protocol: Specify the protocol to which the rule will apply – 'TCP', 'UDP', or 'ICMP'. Allow traffic from any protocol by selecting 'Any'.
  • Start Port and End Port:
    • If Protocol = 'Any', leave the field blank.
    • If Protocol = 'TCP' or 'UDP', enter the port range for the rule.
    • If Protocol = 'ICMP', enter the ICMP message type in the first field and the ICMP code in the second field.
  • Source or Destination: Depending on the rule's direction, choose one of the following options to restrict or allow traffic from specified sources (INGRESS) or to specified destinations (EGRESS):
    • Any: No restrictions.
    • Group: Restrict to a specific group.
    • Subnet: Restrict to a specific CIDR or IP address.

Click OK to create the security group. The new security group will appear in the Networking > Security Groups view.

To add another rule, click Add again.
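To make the form constraints above concrete, here is an added Python validator (not the console's own code) that checks a rule against the field rules listed above (IP version, direction, protocol, how the two port fields are used per protocol, and the Source/Destination kinds) and then reviews it from a defender's viewpoint, flagging ingress rules that admit every address to administrative ports. The dictionary keys, the `ADMIN_PORTS` table and the sample rules are assumptions made for this example.

```python
from ipaddress import ip_network

# Allowed values copied from the form fields described above.
IP_VERSIONS = {"IPV4", "IPV6"}
DIRECTIONS = {"INGRESS", "EGRESS"}
PROTOCOLS = {"Any", "TCP", "UDP", "ICMP"}
TARGET_KINDS = {"Any", "Group", "Subnet"}
# Ports whose exposure to every address deserves a second look (assumed list).
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def validate_rule(rule):
    """Return the list of form constraints the rule violates (empty = consistent)."""
    problems = []
    version, proto = rule.get("ip_version"), rule.get("protocol")
    start, end = rule.get("start_port"), rule.get("end_port")
    if version not in IP_VERSIONS:
        problems.append("IP Protocol Version must be IPV4 or IPV6")
    if rule.get("direction") not in DIRECTIONS:
        problems.append("Direction must be INGRESS or EGRESS")
    if proto not in PROTOCOLS:
        problems.append("Protocol must be TCP, UDP, ICMP or Any")
    elif proto == "Any":
        if start is not None or end is not None:
            problems.append("ports must be blank when protocol is Any")
    elif start is None or end is None:
        problems.append(f"{proto} rules need both port fields")
    elif proto == "ICMP":
        # For ICMP the two fields carry the message type and the code, 0..255 each.
        if not (0 <= start <= 255 and 0 <= end <= 255):
            problems.append("ICMP type and code must be in 0..255")
    elif not (0 <= start <= end <= 65535):
        problems.append("port range must satisfy 0 <= start <= end <= 65535")

    kind, target = rule.get("target_kind"), rule.get("target")
    if kind not in TARGET_KINDS:
        problems.append("Source/Destination must be Any, Group or Subnet")
    elif kind == "Group" and not target:
        problems.append("Group target needs a security group name")
    elif kind == "Subnet":
        try:
            net = ip_network(target, strict=False)   # accepts a bare IP or a CIDR
        except ValueError:
            problems.append("Subnet target must be a CIDR or IP address")
        else:
            if (net.version == 4) != (version == "IPV4"):
                problems.append("CIDR address family does not match IP Protocol Version")
    return problems


def exposure_warnings(rule):
    """Defender-side review: flag ingress rules reachable from every address."""
    if rule.get("direction") != "INGRESS":
        return []
    kind, target = rule.get("target_kind"), rule.get("target")
    wide_open = kind == "Any"
    if kind == "Subnet" and target:
        try:
            wide_open = ip_network(target, strict=False).prefixlen == 0  # 0.0.0.0/0 or ::/0
        except ValueError:
            return []
    if not wide_open:
        return []
    proto = rule.get("protocol")
    if proto == "Any":
        return ["every protocol and port reachable from any address"]
    if proto in ("TCP", "UDP") and rule.get("start_port") is not None:
        lo, hi = rule["start_port"], rule["end_port"]
        hits = [f"{p} ({name})" for p, name in sorted(ADMIN_PORTS.items()) if lo <= p <= hi]
        if hits:
            return ["administrative port(s) " + ", ".join(hits) + " reachable from any address"]
    return []


def review(rule):
    """Form problems first, then exposure warnings, as two lists."""
    return validate_rule(rule), exposure_warnings(rule)


# Constructed sample rules (not from the page) exercising each form branch.
SAMPLE_RULES = {
    "ssh_from_admin_host": {"ip_version": "IPV4", "direction": "INGRESS", "protocol": "TCP",
                            "start_port": 22, "end_port": 22, "target_kind": "Subnet", "target": "203.0.113.0"},
    "any_with_ports": {"ip_version": "IPV4", "direction": "EGRESS", "protocol": "Any",
                       "start_port": 80, "end_port": 80, "target_kind": "Any", "target": None},
    "icmp_echo": {"ip_version": "IPV4", "direction": "INGRESS", "protocol": "ICMP",
                  "start_port": 8, "end_port": 0, "target_kind": "Subnet", "target": "198.51.100.0/24"},
    "family_mismatch": {"ip_version": "IPV6", "direction": "EGRESS", "protocol": "TCP",
                        "start_port": 443, "end_port": 443, "target_kind": "Subnet", "target": "10.0.0.0/8"},
    "ssh_from_anywhere": {"ip_version": "IPV4", "direction": "INGRESS", "protocol": "TCP",
                          "start_port": 22, "end_port": 22, "target_kind": "Subnet", "target": "0.0.0.0/0"},
}

if __name__ == "__main__":
    for name, rule in SAMPLE_RULES.items():
        print(name, review(rule))
```

`validate_rule` mirrors the form: a rule with Protocol = 'Any' must leave both port fields blank, TCP/UDP rules need a port range, and for ICMP the same two fields hold the message type and code. `exposure_warnings` is the check a reviewer adds on top of the form: it stays silent for the narrow SSH rule from one admin host and speaks up when the same rule is opened to 0.0.0.0/0.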


Security Group Operations

After creating the security group, it will appear in the list in the Networking > Security Groups view. The following operations can be performed by selecting the security group from the list and clicking on the corresponding icon.

From the top toolbar:

  • Edit — Add or remove rules in the selected security group.
  • Detach — Detach the security group from all associated network interfaces.
  • Delete — Delete the selected security group.

From the bottom toolbar:

  • Rules — View rules associated with the selected security group.
  • Virtual Machines — View virtual machine instances associated with the selected security group.
  • Events — View configuration events (information) or alert signals for the routing table.
