VPC security is handled with two things:
- Security Groups
- Network Access Control Lists (NACLs)
- NACL : lives at the subnet level, so it applies to every instance in that subnet. Rules are numbered, evaluated in order, can allow or deny, and NACLs are stateless (return traffic needs its own rule).
- Security Group : associated at the instance level. A security group is assigned to a network interface (ENI), not to the instance itself. Every network interface needs at least one security group, and can have up to 5 by default. The primary interface (eth0) can't be detached from an instance.
A rule consists of a protocol, a port range, and a source (inbound rules) or destination (outbound rules), which is either a CIDR block or another security group ID.
Rules are allow-only; there are no deny rules. All rules of all attached security groups are checked, and if none matches, the traffic is denied.
We say security groups are “stateful”: a response to traffic that was allowed out is automatically allowed back in, and a response to traffic that was allowed in is automatically allowed back out, regardless of the rules for that direction. The group remembers the connection it allowed, so the return traffic is accepted without a matching rule.
Default Security Group
- When launching an EC2 instance, if you don't specify a security group, it gets the VPC's default security group
- The default security group allows all inbound traffic from resources that are in the same security group (the inbound rule's source is the group's own ID),
- it allows all outbound traffic,
- and all other traffic is implicitly denied.
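Worked example of the evaluation rules above, added here as a simplified model and not AWS code: a security group rule set is allow-only with implicit deny, the union of rules across all attached groups is checked, and allowed connections are tracked so that return traffic passes without a rule; a NACL is evaluated in rule-number order, first match wins, and nothing is tracked. The group IDs, addresses and ports are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Flow:
    """One packet seen at an ENI; ports are from the instance's point of view."""
    protocol: str                 # "tcp", "udp" or "icmp"
    local_port: int               # port on the instance
    remote_port: int              # port on the peer
    peer: str                     # peer IP address (constructed values below)
    peer_sg: Optional[str] = None # peer's security group, if it is in the same VPC

    def conn_key(self):
        # Same key for a request and its reply, which is what connection tracking needs.
        return (self.protocol, self.peer, self.remote_port, self.local_port)

@dataclass(frozen=True)
class SGRule:
    """Security group rule: protocol, port range, source (inbound) or destination (outbound)."""
    protocol: str   # "tcp", "udp", "icmp" or "-1" meaning all traffic
    from_port: int
    to_port: int
    target: str     # CIDR such as "0.0.0.0/0", or a group ID such as "sg-default" (hypothetical)

    def matches(self, flow, dst_port):
        if self.protocol != "-1":
            if self.protocol != flow.protocol or not self.from_port <= dst_port <= self.to_port:
                return False
        if self.target.startswith("sg-"):
            return flow.peer_sg == self.target
        return ip_address(flow.peer) in ip_network(self.target)

@dataclass
class SecurityGroup:
    group_id: str
    inbound: List[SGRule]
    outbound: List[SGRule]

def default_security_group(group_id="sg-default"):
    """The VPC default group: everything from members of the group in, everything out."""
    return SecurityGroup(group_id,
                         inbound=[SGRule("-1", 0, 65535, group_id)],
                         outbound=[SGRule("-1", 0, 65535, "0.0.0.0/0")])

class Eni:
    """One network interface with its attached security groups and a connection table."""
    def __init__(self, groups):
        if not 1 <= len(groups) <= 5:
            raise ValueError("an ENI needs at least one and at most five security groups")
        self.groups = groups
        self.conntrack = set()

    def _check(self, flow, direction):
        # Stateful: a flow already allowed in the other direction passes without a rule check.
        if flow.conn_key() in self.conntrack:
            return True
        # Allow-only: the union of rules of all attached groups is checked; no match = deny.
        dst_port = flow.local_port if direction == "in" else flow.remote_port
        rules = [r for g in self.groups for r in (g.inbound if direction == "in" else g.outbound)]
        if any(r.matches(flow, dst_port) for r in rules):
            self.conntrack.add(flow.conn_key())
            return True
        return False

    def inbound(self, flow):
        return self._check(flow, "in")

    def outbound(self, flow):
        return self._check(flow, "out")

@dataclass(frozen=True)
class NaclRule:
    number: int
    protocol: str
    from_port: int
    to_port: int
    cidr: str
    action: str   # "allow" or "deny"

def nacl_allows(rules, flow, direction):
    """Stateless: lowest rule number first, first match wins, no match means deny."""
    dst_port = flow.local_port if direction == "in" else flow.remote_port
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "-1" and (r.protocol != flow.protocol
                                   or not r.from_port <= dst_port <= r.to_port):
            continue
        if ip_address(flow.peer) in ip_network(r.cidr):
            return r.action == "allow"
    return False

if __name__ == "__main__":
    web = Eni([SecurityGroup("sg-web", [SGRule("tcp", 443, 443, "0.0.0.0/0")], [])])
    request = Flow("tcp", 443, 51000, "203.0.113.10")      # constructed client
    print("inbound 443:", web.inbound(request))             # allowed by rule
    print("reply out:", web.outbound(request))              # allowed by conntrack, no outbound rule
    print("new outbound:", web.outbound(Flow("tcp", 40000, 443, "198.51.100.5")))  # denied
    nacl = [NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
    print("nacl reply out:", nacl_allows(nacl, request, "out"))  # denied: stateless, no ephemeral rule
```

The last line is the classic NACL mistake: allowing port 443 inbound is not enough, the reply to the client's ephemeral port needs its own outbound allow rule, whereas the security group lets the reply through because it tracked the inbound connection.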