AWS · How-To · Beginner · 4 min read

How to Create Security Group for EC2 Instances in AWS

To create a security group for an EC2 instance, use the AWS Management Console or AWS CLI to define rules that allow or block traffic. A security group acts like a virtual firewall controlling inbound and outbound network traffic for your EC2 instance.

Syntax

When creating a security group using AWS CLI, the basic syntax is:

  • aws ec2 create-security-group --group-name <name> --description <description> --vpc-id <vpc-id>: Creates the security group in a specific VPC.
  • aws ec2 authorize-security-group-ingress --group-id <group-id> --protocol <protocol> --port <port> --cidr <cidr-block>: Adds inbound rules to allow traffic.
  • aws ec2 authorize-security-group-egress --group-id <group-id> --protocol <protocol> --port <port> --cidr <cidr-block>: Adds outbound rules to allow traffic.

Each part defines the security group name, description, VPC, and traffic rules. The --group-id passed to the authorize commands is the GroupId that create-security-group returns. Note that a new security group already contains a default rule allowing all outbound traffic, so the allow-all egress command below is only needed if that default rule has been removed (otherwise the CLI reports the rule as a duplicate).

```bash
aws ec2 create-security-group --group-name MySecurityGroup --description "My security group" --vpc-id vpc-123abc
aws ec2 authorize-security-group-ingress --group-id sg-123abc --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-id sg-123abc --protocol -1 --cidr 0.0.0.0/0
```

Output

create-security-group prints a JSON document containing the new group's GroupId, e.g.:

```json
{ "GroupId": "sg-123abc" }
```

The ingress and egress calls then report the rules as added successfully.

Example

This example creates a security group named MyWebSG in a VPC, allowing inbound HTTP (port 80) and SSH (port 22) traffic from anywhere, and allows all outbound traffic.

```bash
aws ec2 create-security-group --group-name MyWebSG --description "Security group for web server" --vpc-id vpc-0a1b2c3d4e5f6g7h

aws ec2 authorize-security-group-ingress --group-id sg-0a1b2c3d4e5f6g7h --protocol tcp --port 80 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-ingress --group-id sg-0a1b2c3d4e5f6g7h --protocol tcp --port 22 --cidr 0.0.0.0/0
aws ec2 authorize-security-group-egress --group-id sg-0a1b2c3d4e5f6g7h --protocol -1 --cidr 0.0.0.0/0
```

Output

```json
{ "GroupId": "sg-0a1b2c3d4e5f6g7h" }
```

Ingress and egress rules added successfully.

Common Pitfalls

  • Not specifying the correct vpc-id causes creation failure or places the group in the wrong network.
  • Forgetting to add inbound rules blocks all incoming traffic by default.
  • Using overly open rules like 0.0.0.0/0 for SSH can expose your instance to attacks.
  • Not adding outbound rules can block your instance from accessing the internet or other services.

Always restrict access to only necessary IP ranges and ports.

```bash
# Wrong (too open): SSH reachable from any IPv4 address
aws ec2 authorize-security-group-ingress --group-id sg-123abc --protocol tcp --port 22 --cidr 0.0.0.0/0

# Right (restricted): SSH reachable only from a trusted range
aws ec2 authorize-security-group-ingress --group-id sg-123abc --protocol tcp --port 22 --cidr 203.0.113.0/24
```
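To catch the open-SSH pitfall above on groups that already exist, here is an added example (not from the original article) in Python that scans the JSON returned by `aws ec2 describe-security-groups` for inbound rules exposing SSH or RDP to 0.0.0.0/0 or ::/0, including protocol -1 (all traffic) rules. The response and the sg-EXAMPLE group ids are constructed placeholders.

```python
"""Audit `aws ec2 describe-security-groups` JSON for admin ports open to the world."""
import json
# Ports that should never be reachable from every IPv4 or IPv6 address.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP"}
WORLD_CIDRS = {"0.0.0.0/0", "::/0"}

# Constructed describe-security-groups response, not real AWS output; group ids are placeholders.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-EXAMPLE1", "GroupName": "MyWebSG", "IpPermissions": [
        # HTTP open to the world is expected for a web tier.
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
        # SSH open to the world: the pitfall the article warns about.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]},
    {"GroupId": "sg-EXAMPLE2", "GroupName": "BastionSG", "IpPermissions": [
        # SSH restricted to a trusted range: fine.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": []},
        # Protocol -1 is all protocols and all ports, here open over IPv6.
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]}]},
]})

def world_open_cidrs(perm):
    """World-reachable CIDRs (v4 and v6) referenced by one rule."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return sorted(c for c in cidrs if c in WORLD_CIDRS)

def exposed_ports(perm):
    """Sensitive ports inside the rule's port range; -1 covers every port."""
    if perm.get("IpProtocol") == "-1":
        return sorted(SENSITIVE_PORTS)
    lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
    return sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)

def find_world_open_admin_rules(describe_json):
    """Return (group id, service, port, cidr) for every world-open admin rule."""
    findings = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            for cidr in world_open_cidrs(perm):
                for port in exposed_ports(perm):
                    findings.append((sg["GroupId"], SENSITIVE_PORTS[port], port, cidr))
    return findings

if __name__ == "__main__":
    for gid, svc, port, cidr in find_world_open_admin_rules(SAMPLE):
        print(f"{gid}: {svc} (port {port}) open to {cidr}")
```

Against a real account, pass the output of `aws ec2 describe-security-groups --output json` in place of SAMPLE.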

Quick Reference

Summary tips for creating EC2 security groups:

  • Always specify the vpc-id when creating a security group.
  • Define inbound rules to allow only necessary traffic (e.g., HTTP, SSH).
  • Set outbound rules to allow required traffic or keep default (allow all).
  • Use CIDR blocks to restrict access to trusted IP ranges.
  • Review and update rules regularly for security.

Key Takeaways

  • Create security groups in the correct VPC by specifying the vpc-id.
  • Add inbound rules to allow only necessary traffic to your EC2 instance.
  • Avoid using open CIDR blocks like 0.0.0.0/0 for sensitive ports such as SSH.
  • Outbound rules control traffic leaving your instance and should be set appropriately.
  • Security groups act as virtual firewalls and are essential for EC2 instance security.