
Inbound and outbound rules in AWS - Step-by-Step Execution

Process Flow - Inbound and outbound rules
Start: Define Security Group
  Inbound path: Set Inbound Rules -> Traffic Arrives -> Check Inbound Rules -> Allow Traffic
  Outbound path: Set Outbound Rules -> Traffic Leaves -> Check Outbound Rules -> Allow Traffic
This flow shows how inbound and outbound rules in a security group control incoming and outgoing traffic by allowing or blocking it based on defined rules.
Execution Sample
AWS
SecurityGroup:
  InboundRules:
    - Protocol: TCP
      Port: 80
      Source: 0.0.0.0/0
  OutboundRules:
    - Protocol: TCP
      Port: 443
      Destination: 0.0.0.0/0
Defines a security group allowing inbound HTTP traffic on port 80 from anywhere and outbound HTTPS traffic on port 443 to anywhere.
Process Table
Step | Traffic Direction | Protocol | Port | Source/Destination | Rule Check | Result
1 | Inbound | TCP | 80 | 0.0.0.0/0 | Matches inbound rule | Allowed
2 | Inbound | TCP | 22 | 0.0.0.0/0 | No matching inbound rule | Denied
3 | Outbound | TCP | 443 | 0.0.0.0/0 | Matches outbound rule | Allowed
4 | Outbound | TCP | 25 | 0.0.0.0/0 | No matching outbound rule | Denied
5 | Inbound | UDP | 53 | 0.0.0.0/0 | No matching inbound rule | Denied
💡 Traffic is allowed only if it matches a rule; otherwise, it is denied by default.
Status Tracker
Variable | Start | After Step 1 | After Step 2 | After Step 3 | After Step 4 | After Step 5
Traffic Allowed | None | Yes (Inbound TCP 80) | No (Inbound TCP 22) | Yes (Outbound TCP 443) | No (Outbound TCP 25) | No (Inbound UDP 53)
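A small evaluator that applies the rule semantics the tables above describe (match on protocol, port and CIDR; deny when nothing matches) to the same five traffic samples, and shows how adding a rule changes the outcome. This is an added example, not code from the original page or from AWS; the peer address 203.0.113.10 and the names Rule, evaluate, with_rule and run_table are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str        # "TCP", "UDP", "ICMP", or "-1" meaning all protocols
    port: Optional[int]  # None matches any port (an "all traffic" rule)
    cidr: str            # source CIDR for inbound rules, destination CIDR for outbound

    def matches(self, protocol, port, address):
        proto_ok = self.protocol == "-1" or self.protocol.upper() == protocol.upper()
        port_ok = self.port is None or self.port == port
        addr_ok = ipaddress.ip_address(address) in ipaddress.ip_network(self.cidr, strict=False)
        return proto_ok and port_ok and addr_ok

# The security group from the page's execution sample.
SAMPLE_GROUP = {
    "inbound": [Rule("TCP", 80, "0.0.0.0/0")],
    "outbound": [Rule("TCP", 443, "0.0.0.0/0")],
}

def evaluate(group, direction, protocol, port, address):
    """Allow if any rule for that direction matches; otherwise deny (the default).
    Real security groups are also stateful, so return traffic of an allowed flow
    needs no rule of its own; this model only decides new connections."""
    for rule in group[direction]:
        if rule.matches(protocol, port, address):
            return "Allowed"
    return "Denied"

def with_rule(group, direction, rule):
    """Copy of the group with one extra rule in the given direction."""
    return {d: rules + ([rule] if d == direction else []) for d, rules in group.items()}

# Constructed traffic mirroring the five process-table steps. The peer address
# 203.0.113.10 is a documentation-range value chosen here; the page lists only 0.0.0.0/0.
TRAFFIC = [
    (1, "inbound", "TCP", 80, "203.0.113.10"),
    (2, "inbound", "TCP", 22, "203.0.113.10"),
    (3, "outbound", "TCP", 443, "203.0.113.10"),
    (4, "outbound", "TCP", 25, "203.0.113.10"),
    (5, "inbound", "UDP", 53, "203.0.113.10"),
]

def run_table(group):
    """Evaluate each traffic sample; returns (step, result) pairs like the process table."""
    return [(s, evaluate(group, d, proto, port, addr)) for s, d, proto, port, addr in TRAFFIC]
```

Calling run_table(SAMPLE_GROUP) reproduces the Allowed/Denied column of the process table; passing with_rule(SAMPLE_GROUP, "inbound", Rule("UDP", 53, "0.0.0.0/0")) shows step 5 flipping once a matching rule exists.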
Key Moments - 3 Insights
Why is inbound TCP traffic on port 22 denied even though the source is 0.0.0.0/0?
Because there is no inbound rule allowing TCP traffic on port 22, the default action is to deny it, as shown in process table row 2.
Why is outbound TCP traffic on port 25 denied despite the destination being 0.0.0.0/0?
Because the outbound rules only allow TCP traffic on port 443, port 25 traffic is denied by default, as shown in process table row 4.
What happens if inbound UDP traffic on port 53 arrives?
It is denied because no inbound rule allows UDP on port 53, as shown in process table row 5.
Visual Quiz - 3 Questions
Test your understanding
Looking at the process table, what is the result for inbound TCP traffic on port 80?
A. Blocked by outbound rules
B. Allowed
C. Denied
D. No rule applied
💡 Hint
Check process table row 1 under the 'Result' column.
At which step does the traffic get denied because no matching outbound rule exists?
A. Step 4
B. Step 2
C. Step 1
D. Step 3
💡 Hint
Look at the process table rows with 'Outbound' direction and 'Denied' result.
If we add an inbound rule allowing UDP on port 53, how would the result at step 5 change?
A. It would be blocked by outbound rules
B. It would remain Denied
C. It would become Allowed
D. It would cause an error
💡 Hint
Refer to the status tracker and process table row 5 about UDP port 53 traffic.
Concept Snapshot
Inbound and outbound rules control traffic flow in security groups.
Inbound rules filter incoming traffic; outbound rules filter outgoing traffic.
Traffic is allowed only if it matches a rule; otherwise, it is denied by default.
Rules specify protocol, port, and source/destination IP ranges.
Properly setting rules secures your cloud resources from unwanted access.
Full Transcript
Inbound and outbound rules in AWS security groups control which network traffic is allowed to enter or leave your resources. Inbound rules specify what incoming traffic is permitted based on protocol, port, and source IP. Outbound rules specify what outgoing traffic is allowed based on protocol, port, and destination IP. Traffic that does not match any rule is denied by default. For example, if you allow inbound TCP traffic on port 80 from anywhere, HTTP requests can reach your server. If you allow outbound TCP traffic on port 443, your server can make HTTPS requests. Traffic on ports or protocols not allowed by rules is blocked. This ensures your cloud resources are protected from unauthorized access while allowing necessary communication.

Practice

1. What do inbound rules in a security group control in AWS?
easy
A. Both incoming and outgoing traffic
B. Outgoing traffic from your resources
C. Incoming traffic to your resources
D. Traffic between AWS regions

Solution

  1. Step 1: Understand inbound rules purpose

    Inbound rules specify what incoming network traffic is allowed to reach your AWS resources.
  2. Step 2: Differentiate inbound from outbound

    Outbound rules control outgoing traffic, so inbound rules only affect incoming connections.
  3. Final Answer:

    Incoming traffic to your resources -> Option C
  4. Quick Check:

    Inbound = Incoming traffic [OK]
Hint: Inbound means incoming traffic allowed [OK]
Common Mistakes:
  • Confusing inbound with outbound rules
  • Thinking inbound controls outgoing traffic
  • Assuming inbound controls both directions
2. Which of the following is the correct way to allow HTTP traffic inbound on port 80 in an AWS security group?
easy
A. Allow TCP traffic on port 80 inbound
B. Allow TCP traffic on port 22 inbound
C. Allow UDP traffic on port 80 outbound
D. Allow ICMP traffic inbound

Solution

  1. Step 1: Identify HTTP port and protocol

    HTTP uses TCP protocol on port 80.
  2. Step 2: Match rule to allow inbound HTTP

    Allowing TCP traffic on port 80 inbound correctly permits HTTP requests.
  3. Final Answer:

    Allow TCP traffic on port 80 inbound -> Option A
  4. Quick Check:

    HTTP = TCP port 80 inbound [OK]
Hint: HTTP uses TCP port 80 inbound [OK]
Common Mistakes:
  • Using wrong port number for HTTP
  • Allowing outbound instead of inbound
  • Using UDP instead of TCP for HTTP
3. Given this security group outbound rule: Allow all traffic (all protocols) to 0.0.0.0/0, what is the effect?
medium
A. Allows outbound traffic only on port 443
B. Blocks all outbound traffic
C. Allows inbound traffic from any IP
D. Allows all outbound traffic to any IP

Solution

  1. Step 1: Analyze the outbound rule details

    The rule allows all protocols and all ports outbound to any IP address (0.0.0.0/0 means anywhere).
  2. Step 2: Understand outbound traffic effect

    This means any outbound traffic from the resource is allowed to any destination.
  3. Final Answer:

    Allows all outbound traffic to any IP -> Option D
  4. Quick Check:

    Outbound all traffic to 0.0.0.0/0 = Allow all outbound [OK]
Hint: 0.0.0.0/0 means anywhere, all protocols means all traffic [OK]
Common Mistakes:
  • Confusing inbound and outbound rules
  • Thinking it blocks traffic
  • Assuming it restricts ports
4. You created an inbound rule allowing TCP port 22 from 0.0.0.0/0 but cannot SSH into your EC2 instance. What is a likely cause?
medium
A. Security group is not attached to the instance
B. Inbound rule uses UDP instead of TCP
C. Port 22 is closed on the instance's OS firewall
D. Outbound rules block all traffic

Solution

  1. Step 1: Check security group attachment

    Even if rules are correct, if the security group is not attached to the instance, rules won't apply.
  2. Step 2: Consider other causes

    Security groups are stateful, so return traffic for an allowed inbound connection is permitted regardless of outbound rules; an OS firewall or protocol mismatch would cause different symptoms.
  3. Final Answer:

    Security group is not attached to the instance -> Option A
  4. Quick Check:

    Security group must be attached to instance [OK]
Hint: Check if security group is attached to instance [OK]
Common Mistakes:
  • Ignoring security group attachment
  • Assuming outbound rules block SSH
  • Not checking OS firewall settings
5. You want to allow your web server to receive HTTP requests from anywhere but restrict outbound traffic to only HTTPS (port 443). Which inbound and outbound rules should you configure?
hard
A. Inbound: Allow UDP port 80 from 0.0.0.0/0; Outbound: Allow TCP port 443 to 0.0.0.0/0
B. Inbound: Allow TCP port 80 from 0.0.0.0/0; Outbound: Allow TCP port 443 to 0.0.0.0/0
C. Inbound: Allow TCP port 443 from 0.0.0.0/0; Outbound: Allow TCP port 80 to 0.0.0.0/0
D. Inbound: Allow TCP port 80 from 192.168.0.0/24; Outbound: Allow all traffic to 0.0.0.0/0

Solution

  1. Step 1: Set inbound rule for HTTP

    Allow TCP port 80 inbound from anywhere (0.0.0.0/0) to receive HTTP requests.
  2. Step 2: Set outbound rule for HTTPS only

    Allow TCP port 443 outbound to anywhere to restrict outgoing traffic to HTTPS.
  3. Final Answer:

    Inbound: Allow TCP port 80 from 0.0.0.0/0; Outbound: Allow TCP port 443 to 0.0.0.0/0 -> Option B
  4. Quick Check:

    Inbound HTTP, outbound HTTPS only [OK]
Hint: Inbound HTTP port 80, outbound HTTPS port 443 [OK]
Common Mistakes:
  • Mixing up inbound and outbound ports
  • Using UDP instead of TCP for HTTP
  • Restricting inbound to private IPs only