Bird
Raised Fist0
AWScloud~5 mins

Security group as virtual firewall in AWS - Time & Space Complexity

Choose your learning style10 modes available
LearnWhyDeepVisualTryChallengeProjectRecallTime

Start learning this pattern below

Jump into concepts and practice - no test required

or
Recommended
Test this pattern10 questions across easy, medium, and hard to know if this pattern is strong
Time Complexity: Security group as virtual firewall
O(n)
Understanding Time Complexity

When using security groups as virtual firewalls, it is important to understand how the time to apply rules grows as you add more rules or instances.

We want to know how the number of rules affects the time it takes to enforce security.

Scenario Under Consideration

Analyze the time complexity of applying security group rules to multiple instances.


# Create a security group
aws ec2 create-security-group --group-name MySG --description "My security group"

# Add inbound rules
aws ec2 authorize-security-group-ingress --group-name MySG --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-name MySG --protocol tcp --port 22 --cidr 192.168.1.0/24

# Attach security group to instances
aws ec2 modify-instance-attribute --instance-id i-1234567890abcdef0 --groups sg-12345678
aws ec2 modify-instance-attribute --instance-id i-0987654321fedcba0 --groups sg-12345678

This sequence creates a security group, adds rules, and attaches it to multiple instances.

Identify Repeating Operations

Look at what happens repeatedly when scaling.

  • Primary operation: Attaching the security group to each instance.
  • How many times: Once per instance.
  • Rule application: Adding rules happens once per security group, not per instance.
How Execution Grows With Input

As you add more instances, you must attach the security group to each one separately.

Input Size (n)Approx. Api Calls/Operations
10 instances10 attach calls + 1 create + 2 rule adds = 13
100 instances100 attach calls + 1 create + 2 rule adds = 103
1000 instances1000 attach calls + 1 create + 2 rule adds = 1003

Pattern observation: The number of attach operations grows directly with the number of instances.

Final Time Complexity

Time Complexity: O(n)

This means the time to apply security groups grows linearly with the number of instances.

Common Mistake

[X] Wrong: "Adding more rules will slow down attaching security groups to instances significantly."

[OK] Correct: Rules are added once per security group, not per instance. Attaching the group to instances is what scales with instance count.

Interview Connect

Understanding how security group operations scale helps you design efficient cloud setups and explain your reasoning clearly in discussions.

Self-Check

What if we attached multiple security groups to each instance? How would the time complexity change?

Practice

(1/5)
1. What is the primary purpose of a security group in AWS?
easy
A. To act as a virtual firewall controlling traffic to resources
B. To store data securely in the cloud
C. To manage user permissions and roles
D. To monitor resource usage and billing

Solution

  1. Step 1: Understand the role of security groups

    Security groups control network traffic to and from AWS resources, acting like firewalls.

  2. Step 2: Differentiate from other AWS services

    Security groups do not store data, manage permissions, or monitor billing; those are other services.

  3. Final Answer:

    To act as a virtual firewall controlling traffic to resources -> Option A

  4. Quick Check:

    Security group = virtual firewall [OK]
Hint: Security groups control traffic, not data or users [OK]
Common Mistakes:
  • Confusing security groups with IAM roles
  • Thinking security groups store data
  • Mixing security groups with billing tools
2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
easy
A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0

Solution

  1. Step 1: Identify the correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80.

  2. Step 2: Confirm the source IP range for open access

    0.0.0.0/0 means allow from any IP address.

  3. Final Answer:

    Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D

  4. Quick Check:

    HTTP = TCP port 80 [OK]
Hint: HTTP always uses TCP port 80 for ingress [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Using wrong port like 22 for HTTP
  • Confusing ICMP with TCP/UDP protocols
3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
medium
A. 203.0.114.10
B. 203.0.113.45
C. 192.168.1.1
D. 0.0.0.0

Solution

  1. Step 1: Understand the CIDR range 203.0.113.0/24

    This range includes all IPs from 203.0.113.0 to 203.0.113.255.

  2. Step 2: Check which IP falls inside this range

    203.0.113.45 is inside the range; others are outside.

  3. Final Answer:

    203.0.113.45 -> Option B

  4. Quick Check:

    IP in 203.0.113.0/24 allowed [OK]
Hint: Check if IP fits CIDR range to allow access [OK]
Common Mistakes:
  • Assuming 203.0.114.x is inside 203.0.113.0/24
  • Confusing 0.0.0.0 with a valid IP
  • Not understanding CIDR notation
4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
medium
A. The instance's network ACL blocks port 443
B. Security groups do not control HTTPS traffic
C. The source IP range 0.0.0.0/0 is invalid
D. Port 443 is only for HTTP, not HTTPS

Solution

  1. Step 1: Confirm security group rule allows HTTPS

    Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS traffic from anywhere.

  2. Step 2: Identify other network controls

    Network ACLs can block traffic even if security group allows it.

  3. Final Answer:

    The instance's network ACL blocks port 443 -> Option A

  4. Quick Check:

    Network ACL can override security group [OK]
Hint: Check network ACL if security group allows but traffic blocked [OK]
Common Mistakes:
  • Thinking security groups don't control HTTPS
  • Believing 0.0.0.0/0 is invalid
  • Confusing port 443 with HTTP port 80
5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
hard
A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32

Solution

  1. Step 1: Identify correct protocol and port for SSH

    SSH uses TCP protocol on port 22.

  2. Step 2: Restrict source IP to single address

    Use CIDR /32 to specify exactly one IP address (198.51.100.25/32).

  3. Final Answer:

    Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C

  4. Quick Check:

    SSH restricted to one IP with /32 [OK]
Hint: Use /32 CIDR to allow single IP only [OK]
Common Mistakes:
  • Allowing all IPs with 0.0.0.0/0
  • Using UDP instead of TCP for SSH
  • Using wrong port like 80 for SSH