
Inbound and outbound rules in AWS - Commands & Configuration

Introduction
When you run servers or applications in the cloud, you need to control who can talk to them and who they can talk to. Inbound and outbound rules let you decide what traffic is allowed in and out of your cloud resources so that only the connections you intend are possible.
Typical situations where you need these rules:
When you want to allow users to access your web server on port 80 but block other ports.
When your application needs to connect to a database on a specific port.
When you want to block all incoming traffic except from trusted IP addresses.
When your server needs to send data out to the internet but should not accept any incoming connections.
When you want to open SSH access only from your office IP to manage your server securely.
Commands
This command creates a new security group named 'my-security-group' in the specified VPC. Security groups act like virtual firewalls controlling inbound and outbound traffic for the resources attached to them.
aws ec2 create-security-group --group-name my-security-group --description "My security group for web server" --vpc-id vpc-0abcd1234efgh5678
Expected output:
{
    "GroupId": "sg-0123456789abcdef0"
}
--group-name - Sets the name of the security group.
--description - Describes the purpose of the security group.
--vpc-id - Specifies the VPC where the security group will be created.
This command adds an inbound rule to the security group that allows HTTP traffic on port 80 from any IP address.
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 80 --cidr 0.0.0.0/0
Expected output:
No output (command runs silently)
--group-id - Specifies which security group to update.
--protocol - Defines the protocol to allow (tcp in this case).
--port - Sets the port number to allow traffic on.
--cidr - Defines the IP range allowed to connect.
This command adds an outbound rule that allows resources in the security group to send HTTPS traffic on port 443 to any IP address.
aws ec2 authorize-security-group-egress --group-id sg-0123456789abcdef0 --protocol tcp --port 443 --cidr 0.0.0.0/0
Expected output:
No output (command runs silently)
--group-id - Specifies which security group to update.
--protocol - Defines the protocol to allow.
--port - Sets the port number for outbound traffic.
--cidr - Defines the IP range allowed for outbound connections.
This command shows the current inbound and outbound rules for the specified security group so you can verify your settings.
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected output:
{
    "SecurityGroups": [
        {
            "GroupId": "sg-0123456789abcdef0",
            "GroupName": "my-security-group",
            "IpPermissions": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 80,
                    "ToPort": 80,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ],
            "IpPermissionsEgress": [
                {
                    "IpProtocol": "tcp",
                    "FromPort": 443,
                    "ToPort": 443,
                    "IpRanges": [
                        {
                            "CidrIp": "0.0.0.0/0"
                        }
                    ]
                }
            ]
        }
    ]
}
--group-ids - Specifies which security group to describe.
Key Concept

If you remember nothing else from this pattern, remember: inbound rules control who can connect to your resources, and outbound rules control where your resources can connect to.

Common Mistakes
Not specifying the correct security group ID when adding rules.
The rules will be added to the wrong security group or the command will fail.
Always double-check the security group ID before running authorize commands.
Allowing inbound traffic from 0.0.0.0/0 on sensitive ports like SSH (22) without restrictions.
This exposes your server to the entire internet and increases security risks.
Limit inbound access to trusted IP addresses or ranges for sensitive ports.
Forgetting to add outbound rules when your application needs to connect to external services.
Your server may not be able to send data out, causing failures.
Add outbound rules that allow necessary traffic to external IPs and ports.
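The verification step above and the SSH mistake in this list can be turned into a check you run over the JSON that describe-security-groups prints. The script below is an added example, not part of this page or of the AWS CLI: it parses that output, flags any inbound rule that exposes a sensitive port (an assumed baseline list: SSH, RDP, MySQL, PostgreSQL) to 0.0.0.0/0 or ::/0, and also flags groups that still carry the default allow-all outbound rule every new security group starts with, because with that rule present a narrower egress rule such as the port 443 one above adds no restriction. The second group in the sample, its ID and the 203.0.113.0/24 "office" range are constructed for the example.

```python
import json  # stdlib only: parse what `aws ec2 describe-security-groups --output json` prints
# Ports that should never be world-reachable (assumed baseline) and the world-open CIDRs.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}
ANYWHERE = {"0.0.0.0/0", "::/0"}

# Constructed sample in the shape of describe-security-groups output: the page's web-server
# group plus a hypothetical group that makes the mistakes the page warns about.
SAMPLE = json.loads("""{"SecurityGroups": [
  {"GroupId": "sg-0123456789abcdef0", "GroupName": "my-security-group",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                            "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]},
  {"GroupId": "sg-0feedface00000000", "GroupName": "constructed-bad-example",
   "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                      "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]}],
   "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]}]}""")

def port_range(perm):
    """Inclusive port range a rule covers; IpProtocol "-1" means every port."""
    if perm.get("IpProtocol") == "-1":
        return 0, 65535
    return perm.get("FromPort", 0), perm.get("ToPort", 65535)

def world_open_cidrs(perm):
    """CIDRs in a rule that cover the whole IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]

def find_open_sensitive_ports(groups):
    """(GroupId, 'label/port', cidr) for every inbound rule exposing a sensitive port to the world."""
    findings = []
    for sg in groups["SecurityGroups"]:
        for perm in sg.get("IpPermissions", []):
            lo, hi = port_range(perm)
            for cidr in world_open_cidrs(perm):
                for port, label in SENSITIVE_PORTS.items():
                    if lo <= port <= hi:
                        findings.append((sg["GroupId"], f"{label}/{port}", cidr))
    return findings

def has_default_egress(sg):
    """True if the default allow-all outbound rule is still there; a narrower egress rule is then moot."""
    return any(p.get("IpProtocol") == "-1" and world_open_cidrs(p)
               for p in sg.get("IpPermissionsEgress", []))

if __name__ == "__main__":
    print(find_open_sensitive_ports(SAMPLE))
    print([sg["GroupId"] for sg in SAMPLE["SecurityGroups"] if has_default_egress(sg)])
```

To run it against a real account, replace SAMPLE with json.load() over the output of describe-security-groups; the page's web-server group produces no findings, the constructed group is reported for both problems.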
Summary
Create a security group to act as a virtual firewall for your cloud resources.
Add inbound rules to allow specific incoming traffic like HTTP or SSH.
Add outbound rules to allow your resources to send traffic out to the internet or other services.
Verify your rules using the describe-security-groups command to ensure correct configuration.