Security group as virtual firewall
📖 Scenario: You are setting up a simple virtual firewall for a web server in the cloud. This firewall will control which network traffic is allowed to reach the server.
🎯 Goal: Create an AWS security group that allows incoming HTTP traffic on port 80 from anywhere and SSH traffic on port 22 only from a specific IP address.
📋 What You'll Learn
Create a security group named web-server-sg
Allow inbound HTTP traffic on port 80 from 0.0.0.0/0
Add a variable ssh_allowed_ip with the value 203.0.113.5/32
Allow inbound SSH traffic on port 22 only from the IP address in ssh_allowed_ip
Set the security group description to Web server security group
💡 Why This Matters
🌍 Real World
Security groups act like virtual firewalls controlling traffic to cloud servers. Setting them up correctly protects servers from unwanted access.
💼 Career
Cloud engineers and DevOps professionals regularly create and manage security groups to secure cloud infrastructure.
Step 1: Create the security group resource
Create an AWS security group resource named web_server_sg with the name web-server-sg and description Web server security group.
Hint
Use resource "aws_security_group" "web_server_sg" {} with name and description inside.
Step 2: Add the SSH allowed IP variable
Add a variable named ssh_allowed_ip with the value "203.0.113.5/32".
Hint
Use variable "ssh_allowed_ip" { default = "203.0.113.5/32" } to define the IP.
Step 3: Add inbound rule for HTTP traffic
Inside the web_server_sg resource, add an ingress block that allows TCP traffic on port 80 from 0.0.0.0/0.
Hint
Use an ingress block with from_port, to_port, protocol, and cidr_blocks.
Step 4: Add inbound rule for SSH traffic from allowed IP
Inside the web_server_sg resource, add another ingress block that allows TCP traffic on port 22 from the IP address stored in the variable ssh_allowed_ip.
Hint
Use another ingress block with cidr_blocks = [var.ssh_allowed_ip] to allow SSH only from that IP.
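A complete Terraform configuration that carries out all four steps above, added here as a worked example and not the course's reference solution. It assumes the AWS provider is already configured and that no vpc_id is set (the group then lands in the account's default VPC); the variable validation block and the explicit egress rule go beyond what the steps require.

```hcl
# Step 2: the admin address, pinned to a single host with /32.
variable "ssh_allowed_ip" {
  description = "Single IPv4 host (CIDR /32) permitted to reach SSH on port 22"
  type        = string
  default     = "203.0.113.5/32"

  # Addition beyond the steps: reject anything wider than one host.
  validation {
    condition     = can(cidrnetmask(var.ssh_allowed_ip)) && endswith(var.ssh_allowed_ip, "/32")
    error_message = "ssh_allowed_ip must be one IPv4 host in /32 notation, e.g. 203.0.113.5/32."
  }
}

# Steps 1, 3 and 4: the group itself and its two inbound rules.
# Assumption: no vpc_id is set, so the group is created in the default VPC.
resource "aws_security_group" "web_server_sg" {
  name        = "web-server-sg"
  description = "Web server security group"

  # Step 3: HTTP is the only service intentionally reachable from anywhere.
  ingress {
    description = "HTTP from anywhere"
    from_port   = 80
    to_port     = 80
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  # Step 4: SSH only from the address in the variable, never 0.0.0.0/0.
  ingress {
    description = "SSH from the allowed admin host only"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.ssh_allowed_ip]
  }

  # Terraform removes AWS's implicit allow-all egress rule when it creates
  # the group, so outbound traffic must be declared; protocol "-1" means all.
  egress {
    description = "All outbound"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Run terraform validate and terraform plan to confirm the plan shows exactly two ingress rules, with port 22 bound to the /32 and only port 80 open to 0.0.0.0/0.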
Practice
1. What is the primary purpose of a security group in AWS?
easy
A. To act as a virtual firewall controlling traffic to resources
B. To store data securely in the cloud
C. To manage user permissions and roles
D. To monitor resource usage and billing
Solution
Step 1: Understand the role of security groups
Security groups control network traffic to and from AWS resources, acting like firewalls.
Step 2: Differentiate from other AWS services
Security groups do not store data, manage permissions, or monitor billing; those are other services.
Final Answer:
To act as a virtual firewall controlling traffic to resources -> Option A
Quick Check:
Security group = virtual firewall [OK]
Hint: Security groups control traffic, not data or users [OK]
Common Mistakes:
Confusing security groups with IAM roles
Thinking security groups store data
Mixing security groups with billing tools
2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
easy
A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0
Solution
Step 1: Identify the correct protocol and port for HTTP
HTTP uses TCP protocol on port 80.
Step 2: Confirm the source IP range for open access
0.0.0.0/0 means allow from any IP address.
Final Answer:
Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D
Quick Check:
HTTP = TCP port 80 [OK]
Hint: HTTP always uses TCP port 80 for ingress [OK]
Common Mistakes:
Using UDP instead of TCP for HTTP
Using wrong port like 22 for HTTP
Confusing ICMP with TCP/UDP protocols
3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
medium
A. 203.0.114.10
B. 203.0.113.45
C. 192.168.1.1
D. 0.0.0.0
Solution
Step 1: Understand the CIDR range 203.0.113.0/24
This range includes all IPs from 203.0.113.0 to 203.0.113.255.
Step 2: Check which IP falls inside this range
203.0.113.45 is inside the range; others are outside.
Final Answer:
203.0.113.45 -> Option B
Quick Check:
IP in 203.0.113.0/24 allowed [OK]
Hint: Check if IP fits CIDR range to allow access [OK]
Common Mistakes:
Assuming 203.0.114.x is inside 203.0.113.0/24
Confusing 0.0.0.0 with a valid IP
Not understanding CIDR notation
4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
medium
A. The instance's network ACL blocks port 443
B. Security groups do not control HTTPS traffic
C. The source IP range 0.0.0.0/0 is invalid
D. Port 443 is only for HTTP, not HTTPS
Solution
Step 1: Confirm security group rule allows HTTPS
Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS traffic from anywhere.
Step 2: Identify other network controls
Network ACLs can block traffic even if security group allows it.
Final Answer:
The instance's network ACL blocks port 443 -> Option A
Quick Check:
Network ACL can override security group [OK]
Hint: Check network ACL if security group allows but traffic blocked [OK]
Common Mistakes:
Thinking security groups don't control HTTPS
Believing 0.0.0.0/0 is invalid
Confusing port 443 with HTTP port 80
5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
hard
A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32
Solution
Step 1: Identify correct protocol and port for SSH
SSH uses TCP protocol on port 22.
Step 2: Restrict source IP to single address
Use CIDR /32 to specify exactly one IP address (198.51.100.25/32).
Final Answer:
Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C