
Stateful behavior of security groups in AWS - Commands & Configuration

Introduction
Security groups are instance-level firewalls that control network traffic to and from resources in the cloud. They are stateful: once a packet is admitted by a rule, the reply half of that flow is allowed automatically, so you do not have to write a second rule in the opposite direction. Inbound rules govern new connections arriving at the instance; outbound rules govern new connections the instance itself opens.
When you want to allow web traffic to a server and automatically allow the server to respond without extra rules.
When you need to secure a database instance but allow clients to connect and receive responses.
When you want to simplify firewall rules by not having to specify both inbound and outbound rules for the same connection.
When you want to control traffic to your cloud resources without managing complex rule sets.
When you want to ensure return traffic is allowed only if the original request was permitted.
Commands
This command creates a new security group named 'my-web-sg' in the specified VPC to control traffic for a web server.
Terminal
aws ec2 create-security-group --group-name my-web-sg --description "Security group for web server" --vpc-id vpc-0abcd1234efgh5678
Expected Output
{ "GroupId": "sg-0123456789abcdef0" }
--group-name - Sets the name of the security group.
--description - Provides a description for the security group.
--vpc-id - Specifies the VPC where the security group is created.
This command allows inbound HTTP traffic on TCP port 80 from any IPv4 address to the security group. 0.0.0.0/0 covers IPv4 only; an IPv6-reachable server needs a matching rule with --cidr ::/0 (IPv6 rules are listed under Ipv6Ranges in describe output).
Terminal
aws ec2 authorize-security-group-ingress --group-id sg-0123456789abcdef0 --protocol tcp --port 80 --cidr 0.0.0.0/0
Expected Output
No output with AWS CLI v1. AWS CLI v2 prints a JSON object with "Return": true and the created rule under "SecurityGroupRules".
--group-id - Specifies the security group to update.
--protocol - Sets the protocol to TCP.
--port - Allows traffic on port 80.
--cidr - Allows traffic from all IP addresses.
This command shows the details of the security group, including inbound rules (IpPermissions) and outbound rules (IpPermissionsEgress). Every new security group is created with one default egress rule that allows all traffic (IpProtocol -1) to 0.0.0.0/0, which is what the output below shows.
Terminal
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected Output
{ "SecurityGroups": [ { "GroupId": "sg-0123456789abcdef0", "GroupName": "my-web-sg", "Description": "Security group for web server", "IpPermissions": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "IpPermissionsEgress": [ { "IpProtocol": "-1", "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ] } ] }
--group-ids - Specifies the security group to describe.
This command removes the default outbound rule that allows all outbound traffic. It demonstrates stateful behavior: responses to allowed inbound traffic are still permitted afterwards. Note that it also blocks every connection the instance initiates itself (DNS lookups, package updates, calls to other services), so on a production server you would replace the rule with a narrower egress rule rather than leave the list empty.
Terminal
aws ec2 revoke-security-group-egress --group-id sg-0123456789abcdef0 --protocol -1 --cidr 0.0.0.0/0
Expected Output
No output with AWS CLI v1. AWS CLI v2 prints a JSON object with "Return": true.
--group-id - Specifies the security group to update.
--protocol - Specifies all protocols with -1.
--cidr - Removes outbound access to all IP addresses.
This command confirms the outbound rule removal. Despite no outbound rules, return traffic for allowed inbound connections is still permitted due to stateful behavior.
Terminal
aws ec2 describe-security-groups --group-ids sg-0123456789abcdef0
Expected Output
{ "SecurityGroups": [ { "GroupId": "sg-0123456789abcdef0", "GroupName": "my-web-sg", "Description": "Security group for web server", "IpPermissions": [ { "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": [ { "CidrIp": "0.0.0.0/0" } ] } ], "IpPermissionsEgress": [] } ] }
--group-ids - Specifies the security group to describe.
Key Concept

Security groups track each admitted connection and automatically allow the matching return traffic without extra rules. The one documented exception: a TCP or UDP flow permitted by an all-traffic rule from 0.0.0.0/0 (or ::/0) in one direction, with a matching all-ports, all-addresses rule in the other direction, is not tracked at all and is evaluated packet by packet. Tracking only applies when at least one side of the flow is constrained by a rule, as it is here (inbound limited to TCP port 80).
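The following is an added example, not AWS code or the page's own commands: a small Python model of the evaluation order described above (consult the connection table first, then the rules for the packet's direction), fed with a constructed copy of the describe-security-groups output shown after the egress rule was revoked. The instance and client addresses are assumptions chosen for illustration.

```python
import ipaddress
import json

# Constructed sample: the group as the page shows it after revoking the default
# egress rule (ingress tcp/80 from anywhere, no egress rules at all).
SG_JSON = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0123456789abcdef0",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
    "IpPermissionsEgress": [],
}]})


def rule_matches(rule, proto, port, peer_ip):
    """True if one IpPermissions entry admits `proto` traffic on `port` with `peer_ip`."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" (all traffic) rules carry no port range; any other rule must cover the port.
    if rule["IpProtocol"] != "-1" and not rule["FromPort"] <= port <= rule["ToPort"]:
        return False
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


class StatefulSecurityGroup:
    """Models connection tracking: the reply half of an admitted flow needs no rule."""

    def __init__(self, describe_output):
        sg = json.loads(describe_output)["SecurityGroups"][0]
        self.ingress = sg["IpPermissions"]
        self.egress = sg["IpPermissionsEgress"]
        self.tracked = set()  # 5-tuples of flows already admitted by a rule

    def packet(self, direction, proto, src_ip, src_port, dst_ip, dst_port):
        """Evaluate one packet; direction is 'in' or 'out' from the instance's view.
        Returns (allowed, reason)."""
        flow = (proto, src_ip, src_port, dst_ip, dst_port)
        reverse = (proto, dst_ip, dst_port, src_ip, src_port)
        # 1. Reply to a flow we already admitted: allowed by state, no rule consulted.
        if reverse in self.tracked:
            return True, "reply to a tracked flow (no rule consulted)"
        # 2. New flow: only the rules for this direction decide, peer is the remote side.
        if direction == "in":
            rules, peer, label = self.ingress, src_ip, "inbound"
        else:
            rules, peer, label = self.egress, dst_ip, "outbound"
        if any(rule_matches(r, proto, dst_port, peer) for r in rules):
            self.tracked.add(flow)
            return True, f"new {label} flow matched a rule"
        return False, f"no {label} rule matches"


def demo():
    """Replays the page's scenario against the model and returns each verdict."""
    sg = StatefulSecurityGroup(SG_JSON)
    client, server = "203.0.113.5", "10.0.0.10"  # assumed addresses
    return {
        # Client SYN to port 80: matches the inbound rule, flow becomes tracked.
        "request": sg.packet("in", "tcp", client, 40000, server, 80),
        # Server's SYN-ACK/data back to the client: egress list is empty, state allows it.
        "response": sg.packet("out", "tcp", server, 80, client, 40000),
        # Server opening a brand-new outbound connection: no egress rule, dropped.
        "new_outbound": sg.packet("out", "tcp", server, 33333, "203.0.113.9", 443),
        # Client probing SSH: no inbound rule for port 22, dropped.
        "ssh_probe": sg.packet("in", "tcp", client, 40001, server, 22),
    }


if __name__ == "__main__":
    for name, (allowed, why) in demo().items():
        print(f"{name:13} {'ALLOW' if allowed else 'DROP':5} {why}")
```

Running it shows the two things the page's revoke step is meant to prove: the response to the admitted HTTP request is allowed with an empty IpPermissionsEgress list, while a connection the server initiates on its own is dropped by the same empty list.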

Common Mistakes
Trying to add outbound rules to allow response traffic after allowing inbound traffic.
Security groups are stateful, so response traffic is allowed automatically, making outbound rules for responses unnecessary.
Only add outbound rules if you want to initiate outbound connections, not for responses to inbound traffic.
Removing all outbound rules and expecting no outbound traffic at all.
Even without outbound rules, response traffic to allowed inbound connections is permitted due to stateful behavior; what an empty egress list does block is every connection the instance initiates itself, such as DNS lookups, package updates, or calls to a database.
Understand that outbound rules control new outbound connections, not responses to inbound traffic, and keep the egress rules your workload genuinely needs rather than relying on the default allow-all.
Summary
Create a security group to control network traffic for your resource.
Add inbound rules to allow specific incoming traffic like HTTP on port 80.
Security groups automatically allow return traffic for allowed inbound connections without extra outbound rules.
You can remove default outbound rules and still have response traffic allowed because security groups are stateful.
Use describe commands to verify your security group rules and understand their stateful behavior.