Bird
Raised Fist0
AWScloud~5 mins

Security group as virtual firewall in AWS - Commands & Configuration

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Introduction
When you run servers in the cloud, you need to control who can talk to them. A security group acts like a virtual fence that lets you allow or block traffic to your servers based on rules you set.
When you want to allow only certain computers or apps to connect to your cloud server.
When you need to block all traffic except specific ports like web or database ports.
When you want to quickly change access rules without touching the server itself.
When you want to protect your cloud servers from unwanted internet traffic.
When you want to group servers with the same access rules for easier management.
Config File - security-group.json
security-group.json
{
  "GroupName": "example-security-group",
  "Description": "Allow HTTP and SSH access",
  "VpcId": "vpc-0abcd1234efgh5678",
  "IpPermissions": [
    {
      "IpProtocol": "tcp",
      "FromPort": 22,
      "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 80,
      "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
    }
  ]
}

GroupName: The name of the security group.

Description: A short note about what this group does.

VpcId: The ID of the virtual network where this group applies.

IpPermissions: The list of rules that allow traffic. Here, it allows SSH on port 22 and HTTP on port 80 from anywhere.

Commands
This command creates a new security group named 'example-security-group' in the specified virtual network.
Terminal
aws ec2 create-security-group --group-name example-security-group --description "Allow HTTP and SSH access" --vpc-id vpc-0abcd1234efgh5678
Expected OutputExpected
{ "GroupId": "sg-0123456789abcdef0" }
--group-name - Sets the name of the security group.
--description - Describes the purpose of the security group.
--vpc-id - Specifies the virtual private cloud where the group will be created.
This command adds a rule to allow SSH access (port 22) from any IP address to the security group.
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0
Expected OutputExpected
No output (command runs silently)
--group-id - Specifies which security group to update.
--protocol - Sets the network protocol (TCP here).
--port - Sets the port number to allow.
--cidr - Defines the IP range allowed to connect.
This command adds a rule to allow HTTP access (port 80) from any IP address to the security group.
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 80 --cidr 0.0.0.0/0
Expected OutputExpected
No output (command runs silently)
--group-id - Specifies which security group to update.
--protocol - Sets the network protocol (TCP here).
--port - Sets the port number to allow.
--cidr - Defines the IP range allowed to connect.
This command shows the details of the security group including its rules to verify the setup.
Terminal
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected OutputExpected
{ "SecurityGroups": [ { "GroupId": "sg-0123456789abcdef0", "GroupName": "example-security-group", "Description": "Allow HTTP and SSH access", "IpPermissions": [ { "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] }, { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ] } ] }
--group-ids - Specifies which security group to describe.
Key Concept

If you remember nothing else from this pattern, remember: security groups control who can connect to your cloud servers by setting simple allow rules for traffic.

Common Mistakes
Allowing SSH access from 0.0.0.0/0 without restrictions
This opens your server to the entire internet, increasing risk of unauthorized access.
Limit SSH access to known IP addresses or use VPNs for safer connections.
Forgetting to add rules for required ports after creating the security group
Without rules, no traffic can reach your server, making it unreachable.
Always add ingress rules for the ports your application needs immediately after creating the group.
Using the wrong security group ID in commands
Commands will fail or update the wrong group, causing confusion and security gaps.
Copy and use the exact GroupId returned when creating or describing the security group.
Summary
Create a security group to act as a virtual firewall for your cloud servers.
Add ingress rules to allow traffic on specific ports like SSH (22) and HTTP (80).
Verify the security group rules to ensure correct access control.

Practice

(1/5)
1. What is the primary purpose of a security group in AWS?
easy
A. To act as a virtual firewall controlling traffic to resources
B. To store data securely in the cloud
C. To manage user permissions and roles
D. To monitor resource usage and billing

Solution

  1. Step 1: Understand the role of security groups

    Security groups control network traffic to and from AWS resources, acting like firewalls.

  2. Step 2: Differentiate from other AWS services

    Security groups do not store data, manage permissions, or monitor billing; those are other services.

  3. Final Answer:

    To act as a virtual firewall controlling traffic to resources -> Option A

  4. Quick Check:

    Security group = virtual firewall [OK]
Hint: Security groups control traffic, not data or users [OK]
Common Mistakes:
  • Confusing security groups with IAM roles
  • Thinking security groups store data
  • Mixing security groups with billing tools
2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
easy
A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0

Solution

  1. Step 1: Identify the correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80.

  2. Step 2: Confirm the source IP range for open access

    0.0.0.0/0 means allow from any IP address.

  3. Final Answer:

    Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D

  4. Quick Check:

    HTTP = TCP port 80 [OK]
Hint: HTTP always uses TCP port 80 for ingress [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Using wrong port like 22 for HTTP
  • Confusing ICMP with TCP/UDP protocols
3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
medium
A. 203.0.114.10
B. 203.0.113.45
C. 192.168.1.1
D. 0.0.0.0

Solution

  1. Step 1: Understand the CIDR range 203.0.113.0/24

    This range includes all IPs from 203.0.113.0 to 203.0.113.255.

  2. Step 2: Check which IP falls inside this range

    203.0.113.45 is inside the range; others are outside.

  3. Final Answer:

    203.0.113.45 -> Option B

  4. Quick Check:

    IP in 203.0.113.0/24 allowed [OK]
Hint: Check if IP fits CIDR range to allow access [OK]
Common Mistakes:
  • Assuming 203.0.114.x is inside 203.0.113.0/24
  • Confusing 0.0.0.0 with a valid IP
  • Not understanding CIDR notation
4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
medium
A. The instance's network ACL blocks port 443
B. Security groups do not control HTTPS traffic
C. The source IP range 0.0.0.0/0 is invalid
D. Port 443 is only for HTTP, not HTTPS

Solution

  1. Step 1: Confirm security group rule allows HTTPS

    Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS traffic from anywhere.

  2. Step 2: Identify other network controls

    Network ACLs can block traffic even if security group allows it.

  3. Final Answer:

    The instance's network ACL blocks port 443 -> Option A

  4. Quick Check:

    Network ACL can override security group [OK]
Hint: Check network ACL if security group allows but traffic blocked [OK]
Common Mistakes:
  • Thinking security groups don't control HTTPS
  • Believing 0.0.0.0/0 is invalid
  • Confusing port 443 with HTTP port 80
5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
hard
A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32

Solution

  1. Step 1: Identify correct protocol and port for SSH

    SSH uses TCP protocol on port 22.

  2. Step 2: Restrict source IP to single address

    Use CIDR /32 to specify exactly one IP address (198.51.100.25/32).

  3. Final Answer:

    Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C

  4. Quick Check:

    SSH restricted to one IP with /32 [OK]
Hint: Use /32 CIDR to allow single IP only [OK]
Common Mistakes:
  • Allowing all IPs with 0.0.0.0/0
  • Using UDP instead of TCP for SSH
  • Using wrong port like 80 for SSH