
Security group as virtual firewall in AWS - Commands & Configuration

Introduction
When you run servers in the cloud, you need to control who can talk to them. A security group acts like a virtual fence that lets you allow or block traffic to your servers based on rules you set. Typical situations where you reach for one:
When you want to allow only certain computers or apps to connect to your cloud server.
When you need to block all traffic except specific ports, such as web or database ports.
When you want to change access rules quickly without touching the server itself.
When you want to protect your cloud servers from unwanted internet traffic.
When you want to group servers that share the same access rules for easier management.
Config File - security-group.json
{
  "GroupName": "example-security-group",
  "Description": "Allow HTTP and SSH access",
  "VpcId": "vpc-0abcd1234efgh5678",
  "IpPermissions": [
    {
      "IpProtocol": "tcp",
      "FromPort": 22,
      "ToPort": 22,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
    },
    {
      "IpProtocol": "tcp",
      "FromPort": 80,
      "ToPort": 80,
      "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
    }
  ]
}

GroupName: The name of the security group.

Description: A short note about what this group does.

VpcId: The ID of the virtual network where this group applies.

IpPermissions: The list of rules that allow inbound traffic. Here, it allows SSH on port 22 and HTTP on port 80 from anywhere; these are the same two rules the authorize commands below add to the group.

Commands
This command creates a new security group named 'example-security-group' in the specified virtual network.
Terminal
aws ec2 create-security-group --group-name example-security-group --description "Allow HTTP and SSH access" --vpc-id vpc-0abcd1234efgh5678
Expected Output
{ "GroupId": "sg-0123456789abcdef0" }
--group-name - Sets the name of the security group.
--description - Describes the purpose of the security group.
--vpc-id - Specifies the virtual private cloud where the group will be created.
This command adds a rule to allow SSH access (port 22) from any IP address to the security group.
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0
Expected Output
No output (command runs silently)
--group-id - Specifies which security group to update.
--protocol - Sets the network protocol (TCP here).
--port - Sets the port number to allow.
--cidr - Defines the IP range allowed to connect.
This command adds a rule to allow HTTP access (port 80) from any IP address to the security group.
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 80 --cidr 0.0.0.0/0
Expected Output
No output (command runs silently)
--group-id - Specifies which security group to update.
--protocol - Sets the network protocol (TCP here).
--port - Sets the port number to allow.
--cidr - Defines the IP range allowed to connect.
This command shows the details of the security group including its rules to verify the setup.
Terminal
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected Output
{
  "SecurityGroups": [
    {
      "GroupId": "sg-0123456789abcdef0",
      "GroupName": "example-security-group",
      "Description": "Allow HTTP and SSH access",
      "IpPermissions": [
        {
          "IpProtocol": "tcp",
          "FromPort": 22,
          "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
        },
        {
          "IpProtocol": "tcp",
          "FromPort": 80,
          "ToPort": 80,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}]
        }
      ]
    }
  ]
}
--group-ids - Specifies which security group to describe.
Key Concept

If you remember nothing else from this pattern, remember: security groups control who can connect to your cloud servers by setting simple allow rules for traffic.

Common Mistakes
Allowing SSH access from 0.0.0.0/0 without restrictions
This opens your server to the entire internet, increasing the risk of unauthorized access.
Limit SSH access to known IP addresses or use VPNs for safer connections.
Forgetting to add rules for required ports after creating the security group
Without rules, no traffic can reach your server, making it unreachable.
Always add ingress rules for the ports your application needs immediately after creating the group.
Using the wrong security group ID in commands
Commands will fail or update the wrong group, causing confusion and security gaps.
Copy and use the exact GroupId returned when creating or describing the security group.
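The verification step above and the first common mistake both come down to one check: does any rule in the describe-security-groups output admit an administrative port from the whole internet? The script below is an added example, not part of the original page and not AWS tooling. It parses the JSON that aws ec2 describe-security-groups prints (a constructed sample shaped like the page's example is embedded so it runs offline), flags world-open rules on admin ports, and builds the --ip-permissions entry you would pass to aws ec2 authorize-security-group-ingress to allow SSH only from an admin range instead. The ADMIN_PORTS list and the admin CIDR 203.0.113.0/24 (an RFC 5737 documentation range) are assumptions for the example; replace them with your own values.

```python
"""Audit security group ingress rules for world-open admin ports.

Added example (not from the original page). Reads describe-security-groups
JSON, reports rules that expose admin ports to 0.0.0.0/0 or ::/0, and emits a
hardened IpPermissions entry restricted to an admin CIDR.
"""
import ipaddress
import json
import sys

# Ports that should almost never be open to the whole internet on a server.
# This list is an assumption for the example; adjust it to your environment.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL"}

# Constructed sample of `aws ec2 describe-security-groups` output, mirroring
# the page's example (SSH and HTTP allowed from anywhere).
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupId": "sg-0123456789abcdef0",
        "GroupName": "example-security-group",
        "Description": "Allow HTTP and SSH access",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})


def is_world_open(cidr: str) -> bool:
    """True when the CIDR covers the entire IPv4 or IPv6 address space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def rule_ports(rule: dict) -> range:
    """Port range a rule covers; IpProtocol "-1" means every port."""
    if rule.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(rule.get("FromPort", 0), rule.get("ToPort", 65535) + 1)


def find_world_open_admin_rules(describe_json: str) -> list:
    """Return (group_id, port, service, cidr) for each rule that exposes an
    admin TCP port to the whole internet."""
    findings = []
    for group in json.loads(describe_json)["SecurityGroups"]:
        for rule in group.get("IpPermissions", []):
            if rule.get("IpProtocol") not in ("tcp", "-1"):
                continue  # admin ports here are all TCP services
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            open_cidrs = [c for c in cidrs if is_world_open(c)]
            if not open_cidrs:
                continue
            ports = rule_ports(rule)
            for port, service in ADMIN_PORTS.items():
                if port in ports:
                    for cidr in open_cidrs:
                        findings.append((group["GroupId"], port, service, cidr))
    return findings


def restricted_ingress_permission(port: int, admin_cidr: str) -> dict:
    """Build one IpPermissions entry, in the shape accepted by
    `aws ec2 authorize-security-group-ingress --ip-permissions`, that allows
    the port only from admin_cidr rather than from anywhere."""
    if is_world_open(admin_cidr):
        raise ValueError("admin CIDR must not be the whole internet")
    return {
        "IpProtocol": "tcp",
        "FromPort": port,
        "ToPort": port,
        "IpRanges": [{"CidrIp": admin_cidr, "Description": "admin access only"}],
    }


if __name__ == "__main__":
    # Pipe real output in (aws ec2 describe-security-groups ... | python3 audit.py)
    # or run with no input to audit the constructed sample.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DESCRIBE_OUTPUT
    for group_id, port, service, cidr in find_world_open_admin_rules(data):
        print(f"{group_id}: {service} (port {port}) open to {cidr}")
    # Hardened replacement for the SSH rule; 203.0.113.0/24 is a placeholder.
    print(json.dumps([restricted_ingress_permission(22, "203.0.113.0/24")]))
```

On the page's sample the audit reports the SSH rule and ignores HTTP on port 80, which is expected to be public for a web server. The emitted JSON can be saved to a file and passed with --ip-permissions file://rules.json after the world-open SSH rule has been revoked with aws ec2 revoke-security-group-ingress using the same --protocol tcp --port 22 --cidr 0.0.0.0/0 arguments that created it.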
Summary
Create a security group to act as a virtual firewall for your cloud servers.
Add ingress rules to allow traffic on specific ports like SSH (22) and HTTP (80).
Verify the security group rules to ensure correct access control.