Security group as virtual firewall in AWS - Step-by-Step Execution

Process Flow - Security group as virtual firewall
  1. Create Security Group
  2. Define Inbound Rules
  3. Define Outbound Rules
  4. Attach Security Group to Instance
  5. Traffic Arrives at Instance
  6. Check Inbound Rules
  7. Allow Traffic
This flow shows how a security group is created, rules are set, attached to an instance, and then how incoming traffic is checked against rules to allow or block it.
Execution Sample
  1. Create SG "web-sg"
  2. Add inbound rule: TCP 80 from 0.0.0.0/0
  3. Add outbound rule: All traffic allowed
  4. Attach SG to EC2 instance
  5. Incoming TCP 80 request arrives
This example creates a security group allowing web traffic on port 80, attaches it to an instance, and processes an incoming web request.
Process Table
Step | Action | Rule Checked | Traffic Port | Source IP | Result
-----|--------|--------------|--------------|-----------|-------
1 | Create security group 'web-sg' | N/A | N/A | N/A | SG created with no rules
2 | Add inbound rule TCP 80 from 0.0.0.0/0 | Inbound | 80 | 0.0.0.0/0 | Rule added
3 | Add outbound rule all traffic allowed | Outbound | All | All | Rule added
4 | Attach SG to EC2 instance | N/A | N/A | N/A | SG attached
5 | Incoming TCP 80 request from 203.0.113.5 | Inbound | 80 | 203.0.113.5 | Allowed (matches rule)
6 | Incoming TCP 22 request from 203.0.113.5 | Inbound | 22 | 203.0.113.5 | Denied (no matching rule)
💡 Traffic denied if no inbound rule matches; allowed only if rules explicitly permit.
Status Tracker
Variable | Start | After Step 2 | After Step 3 | After Step 4 | After Step 5 | After Step 6
---------|-------|--------------|--------------|--------------|--------------|-------------
Security Group Rules | {} | {"Inbound": [{"Protocol": "TCP", "Port": 80, "Source": "0.0.0.0/0"}]} | {"Inbound": [{"Protocol": "TCP", "Port": 80, "Source": "0.0.0.0/0"}], "Outbound": [{"Protocol": "All", "Port": "All", "Destination": "All"}]} | Attached to instance | No change | No change
Incoming Traffic | None | None | None | None | {"Port": 80, "Source": "203.0.113.5"} | {"Port": 22, "Source": "203.0.113.5"}
Traffic Allowed? | N/A | N/A | N/A | N/A | Yes | No
Key Moments - 2 Insights
Why is the TCP 22 request denied even though the security group allows all outbound traffic?
Inbound and outbound rules are checked separately. The TCP 22 request is inbound and no inbound rule allows port 22, so it is denied, as shown in step 6 of the Process Table.
Does the security group block traffic by default if no rule matches?
Yes, security groups are deny-by-default. Only traffic explicitly allowed by inbound or outbound rules passes, as seen in step 6 where port 22 is denied.
Visual Quiz - 3 Questions
Test your understanding
1. Look at the Process Table: what is the result for incoming TCP 80 traffic at step 5?
A. Denied because no outbound rule matches
B. Denied because source IP is blocked
C. Allowed because it matches an inbound rule
D. Allowed because all traffic is allowed by default
💡 Hint
Check row 5 in the Process Table under the 'Result' column
2. At which step is the security group attached to the EC2 instance?
A. Step 4
B. Step 3
C. Step 2
D. Step 5
💡 Hint
Look for the action 'Attach SG to EC2 instance' in the Process Table
3. If we add an inbound rule allowing TCP 22 from 0.0.0.0/0, how would the result at step 6 change?
A. It would still be denied
B. It would be allowed
C. It would be blocked by outbound rules
D. It would cause an error
💡 Hint
Refer to the Status Tracker and Process Table, step 6, about rule matching
Concept Snapshot
  • Security groups act like virtual firewalls controlling inbound and outbound traffic.
  • Rules specify allowed protocols, ports, and sources/destinations.
  • Traffic not matching rules is blocked by default.
  • Attach security groups to instances to enforce rules.
  • Inbound and outbound rules are checked separately.
Full Transcript
This visual execution shows how a security group is created and configured with inbound and outbound rules. The security group is then attached to an EC2 instance. Incoming traffic is checked against inbound rules to decide if it is allowed or denied. Traffic on TCP port 80 from any IP is allowed because of the inbound rule. Traffic on TCP port 22 is denied because no inbound rule allows it. Outbound rules do not affect inbound traffic. Security groups block all traffic by default unless explicitly allowed.
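As an added illustration (not code from this page or from AWS), the following Python model evaluates traffic against security group rules the way the flow above describes: deny by default, protocol and port-range matching, CIDR matching, and inbound and outbound checked separately. The Rule and SecurityGroup classes and the web_sg helper are constructed here; the same CIDR check also covers the /24 and /32 source restrictions in practice questions 3 and 5 below.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ALL = "all"  # models the AWS "All traffic" choice: any protocol, any port


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or ALL
    from_port: int  # port range; ignored when protocol is ALL
    to_port: int
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)

    def matches(self, protocol: str, port: int, ip: str) -> bool:
        if self.protocol != ALL:
            if self.protocol != protocol.lower():
                return False
            if not self.from_port <= port <= self.to_port:
                return False
        # CIDR check: 0.0.0.0/0 matches every IPv4 address, a /32 exactly one
        return ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr, strict=False)


@dataclass
class SecurityGroup:
    name: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    def evaluate(self, direction: str, protocol: str, port: int,
                 ip: str) -> Tuple[bool, Optional[Rule]]:
        """Deny by default: traffic passes only if a rule in the checked
        direction explicitly allows it. Inbound and outbound never mix."""
        rules = self.inbound if direction == "inbound" else self.outbound
        for rule in rules:
            if rule.matches(protocol, port, ip):
                return True, rule
        return False, None


def web_sg() -> SecurityGroup:
    """The 'web-sg' group from the execution sample above (constructed)."""
    sg = SecurityGroup("web-sg")
    sg.inbound.append(Rule("tcp", 80, 80, "0.0.0.0/0"))    # step 2
    sg.outbound.append(Rule(ALL, 0, 65535, "0.0.0.0/0"))   # step 3
    return sg


if __name__ == "__main__":
    sg = web_sg()
    for port in (80, 22):  # steps 5 and 6 of the Process Table
        ok, rule = sg.evaluate("inbound", "tcp", port, "203.0.113.5")
        print(f"TCP {port} from 203.0.113.5: {'Allowed' if ok else 'Denied'} ({rule})")
```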

Practice

1. What is the primary purpose of a security group in AWS?
easy
A. To act as a virtual firewall controlling traffic to resources
B. To store data securely in the cloud
C. To manage user permissions and roles
D. To monitor resource usage and billing

Solution

  1. Step 1: Understand the role of security groups

    Security groups control network traffic to and from AWS resources, acting like firewalls.
  2. Step 2: Differentiate from other AWS services

    Security groups do not store data, manage permissions, or monitor billing; those are other services.
  3. Final Answer:

    To act as a virtual firewall controlling traffic to resources -> Option A
  4. Quick Check:

    Security group = virtual firewall [OK]
Hint: Security groups control traffic, not data or users [OK]
Common Mistakes:
  • Confusing security groups with IAM roles
  • Thinking security groups store data
  • Mixing security groups with billing tools
2. Which of the following is the correct way to allow incoming HTTP traffic on port 80 in a security group ingress rule?
easy
A. Protocol: UDP, Port Range: 80, Source: 0.0.0.0/0
B. Protocol: ICMP, Port Range: 80, Source: 0.0.0.0/0
C. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
D. Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0

Solution

  1. Step 1: Identify the correct protocol and port for HTTP

    HTTP uses TCP protocol on port 80.
  2. Step 2: Confirm the source IP range for open access

    0.0.0.0/0 means allow from any IP address.
  3. Final Answer:

    Protocol: TCP, Port Range: 80, Source: 0.0.0.0/0 -> Option D
  4. Quick Check:

    HTTP = TCP port 80 [OK]
Hint: HTTP always uses TCP port 80 for ingress [OK]
Common Mistakes:
  • Using UDP instead of TCP for HTTP
  • Using wrong port like 22 for HTTP
  • Confusing ICMP with TCP/UDP protocols
3. Given this security group ingress rule: Protocol: TCP, Port Range: 22, Source: 203.0.113.0/24, which of the following IP addresses is allowed to connect via SSH?
medium
A. 203.0.114.10
B. 203.0.113.45
C. 192.168.1.1
D. 0.0.0.0

Solution

  1. Step 1: Understand the CIDR range 203.0.113.0/24

    This range includes all IPs from 203.0.113.0 to 203.0.113.255.
  2. Step 2: Check which IP falls inside this range

    203.0.113.45 is inside the range; others are outside.
  3. Final Answer:

    203.0.113.45 -> Option B
  4. Quick Check:

    IP in 203.0.113.0/24 allowed [OK]
Hint: Check if IP fits CIDR range to allow access [OK]
Common Mistakes:
  • Assuming 203.0.114.x is inside 203.0.113.0/24
  • Confusing 0.0.0.0 with a valid IP
  • Not understanding CIDR notation
4. You created a security group with this ingress rule: Protocol: TCP, Port Range: 443, Source: 0.0.0.0/0. However, HTTPS traffic is still blocked. What is the most likely reason?
medium
A. The instance's network ACL blocks port 443
B. Security groups do not control HTTPS traffic
C. The source IP range 0.0.0.0/0 is invalid
D. Port 443 is only for HTTP, not HTTPS

Solution

  1. Step 1: Confirm security group rule allows HTTPS

    Protocol TCP, port 443, source 0.0.0.0/0 allows HTTPS traffic from anywhere.
  2. Step 2: Identify other network controls

    Network ACLs can block traffic even if security group allows it.
  3. Final Answer:

    The instance's network ACL blocks port 443 -> Option A
  4. Quick Check:

    Network ACL can override security group [OK]
Hint: Check network ACL if security group allows but traffic blocked [OK]
Common Mistakes:
  • Thinking security groups don't control HTTPS
  • Believing 0.0.0.0/0 is invalid
  • Confusing port 443 with HTTP port 80
5. You want to restrict SSH access to your EC2 instance so only your office IP 198.51.100.25 can connect. Which security group ingress rule should you configure?
hard
A. Protocol: TCP, Port Range: 22, Source: 0.0.0.0/0
B. Protocol: UDP, Port Range: 22, Source: 198.51.100.25/32
C. Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32
D. Protocol: TCP, Port Range: 80, Source: 198.51.100.25/32

Solution

  1. Step 1: Identify correct protocol and port for SSH

    SSH uses TCP protocol on port 22.
  2. Step 2: Restrict source IP to single address

    Use CIDR /32 to specify exactly one IP address (198.51.100.25/32).
  3. Final Answer:

    Protocol: TCP, Port Range: 22, Source: 198.51.100.25/32 -> Option C
  4. Quick Check:

    SSH restricted to one IP with /32 [OK]
Hint: Use /32 CIDR to allow single IP only [OK]
Common Mistakes:
  • Allowing all IPs with 0.0.0.0/0
  • Using UDP instead of TCP for SSH
  • Using wrong port like 80 for SSH