
[AWS Solution Architect Associate] SG (Security Group)

SG (Security Groups)


  • they protect EC2 instances by acting as a virtual firewall that controls inbound and outbound traffic at the instance level (strictly, at the level of the instance's network interface).
  • security groups are stateful: if an inbound rule lets a request in, the reply is allowed out without a matching outbound rule, and the same holds in the other direction.

  • you attach one or more security groups to an EC2 instance.
  • each rule names a protocol, a port range, and who is allowed: a source for inbound rules, a destination for outbound rules. Rules can only allow traffic; there are no deny rules, so anything that no rule matches is dropped.


  • in this case, I want to be able to SSH into the EC2 instance. SSH runs over TCP and its standard port is 22, so the inbound rule is TCP, port 22, with my IP as the source. The /32 suffix is a CIDR prefix length that covers exactly one IPv4 address, so "x.x.x.x/32" means "only this one address" (it is what the console fills in when you pick "My IP" as the source). That is all it takes to add an inbound or outbound rule.

  • the EC2 instances in the diagram are all in different subnets.
  • security groups do not care about subnets: a security group belongs to a VPC and can be attached to any instance in that VPC, whichever subnet it sits in. Subnet-level filtering is the job of NACLs, not security groups.

Use cases

  • 3 scenarios
    • the configuration is different in each one
    • the idea
      • we have a web application running on an EC2 instance
      • it connects to an RDS database running in a private subnet to get its data


  1. 1st case
    • sg-db has an inbound rule allowing TCP port 5432 (PostgreSQL's default port) from one specific IP address: the private IP of the EC2 instance, written as a /32.
    • this lets that EC2 instance connect to the RDS database.
    • the takeaway
      you can specify the source as an IP range (a CIDR block) or as a single IP (a /32)
  2. 2nd case
    • the only difference from the 1st case is that, instead of an IP address, the source is another security group (sg-public).
    • any instance that has that security group attached is allowed inbound traffic on port 5432, whatever its IP. The rule keeps working when instances are replaced or scaled out and their IPs change, which is why referencing a group rather than listing addresses is the usual choice.
  3. 3rd case
    • sg-public allows inbound traffic on port 80 (from the internet) and on port 22 (from my IP).
    • the EC2 instance and the RDS database are each in their own security group; sg-db allows port 5432 only from sg-public.
    • the EC2 instance can talk to the RDS database, but the database is not exposed: sg-db has no rule admitting the internet, and the database sits in a private subnet with no public IP address.
    • the takeaway
      the EC2 instance can receive web traffic from the internet and accept SSH from one address, while the database is reachable only through it.
  • you can attach multiple security groups to one EC2 instance; their rules are combined, so traffic is allowed if any rule in any attached group allows it.
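The three cases above, and the SSH-from-my-IP /32 rule earlier in the notes, worked through in a small evaluator. This is an added example written for these notes, not code from the video or from AWS; every group id, private IP and the admin address 203.0.113.5 is constructed, and the model covers only what the notes describe: allow-only rules, a protocol plus port range, a source that is either a CIDR or another security group, the union of all groups attached to an instance, and stateful replies.

```python
"""Toy evaluator for security-group semantics (added example for these notes, not
code from the video or from AWS). Group ids, private IPs and the admin address
203.0.113.5 are all constructed. Modelled: allow-only rules, protocol + port
range, CIDR or group-reference sources, union of attached groups, stateful replies."""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Rule:
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int   # inclusive port range; ignored when protocol == "-1"
    to_port: int
    target: str      # CIDR ("203.0.113.5/32", "0.0.0.0/0") or a group id ("sg-...")

@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)

@dataclass
class Instance:
    name: str
    private_ip: str
    groups: list     # group ids on the instance's ENI; every one is consulted

def _rule_matches(rule: Rule, protocol: str, port: int) -> bool:
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port

def _peer_matches(rule: Rule, peer_ip: str, peer: Optional[Instance]) -> bool:
    if rule.target.startswith("sg-"):
        # Group reference: matches any ENI carrying that group, whatever its IP.
        # Traffic with no instance behind it (the internet) can never match.
        return peer is not None and rule.target in peer.groups
    return ipaddress.ip_address(peer_ip) in ipaddress.ip_network(rule.target, strict=False)

def _any_allows(rules, protocol, port, peer_ip, peer) -> bool:
    # No deny rules exist: one matching allow admits the flow, otherwise it is dropped.
    return any(_rule_matches(r, protocol, port) and _peer_matches(r, peer_ip, peer)
               for r in rules)

def inbound_allowed(groups, dst, protocol, port, src_ip, src=None) -> bool:
    """True if an inbound rule on any group attached to dst admits the flow."""
    return _any_allows([r for g in dst.groups for r in groups[g].inbound],
                       protocol, port, src_ip, src)

def connection_allowed(groups, src, dst, protocol, port) -> bool:
    """A new connection must pass the source's outbound rules and the destination's
    inbound rules; because groups are stateful, the replies need no rule of their own."""
    out_rules = [r for g in src.groups for r in groups[g].outbound]
    return (_any_allows(out_rules, protocol, port, dst.private_ip, dst)
            and inbound_allowed(groups, dst, protocol, port, src.private_ip, src))

ALLOW_ALL_OUT = Rule("-1", 0, 0, "0.0.0.0/0")   # the default outbound rule of a new group
ADMIN_IP = "203.0.113.5"                        # constructed: "my IP" from the notes

GROUPS = {
    "sg-public": SecurityGroup("sg-public",
        inbound=[Rule("tcp", 80, 80, "0.0.0.0/0"),           # web from anywhere
                 Rule("tcp", 22, 22, ADMIN_IP + "/32")],     # SSH from exactly one address
        outbound=[ALLOW_ALL_OUT]),
    # 1st case: the DB group admits 5432 from the web instance's private IP
    "sg-db-by-ip": SecurityGroup("sg-db-by-ip",
        inbound=[Rule("tcp", 5432, 5432, "10.0.1.10/32")], outbound=[ALLOW_ALL_OUT]),
    # 2nd and 3rd case: the DB group admits 5432 from anything carrying sg-public
    "sg-db-by-group": SecurityGroup("sg-db-by-group",
        inbound=[Rule("tcp", 5432, 5432, "sg-public")], outbound=[ALLOW_ALL_OUT]),
}
WEB = Instance("web", "10.0.1.10", ["sg-public"])
WEB2 = Instance("web-2", "10.0.2.25", ["sg-public"])     # same group, other subnet, new IP
DB_BY_IP = Instance("rds", "10.0.3.40", ["sg-db-by-ip"])
DB_BY_GROUP = Instance("rds", "10.0.3.40", ["sg-db-by-group"])

def demo() -> dict:
    """Evaluate the notes' scenarios; returns description -> allowed."""
    g = GROUPS
    return {
        "ssh from admin /32":      inbound_allowed(g, WEB, "tcp", 22, ADMIN_IP),
        "ssh from neighbour ip":   inbound_allowed(g, WEB, "tcp", 22, "203.0.113.6"),
        "http from internet":      inbound_allowed(g, WEB, "tcp", 80, "198.51.100.7"),
        "case1 web -> db":         connection_allowed(g, WEB, DB_BY_IP, "tcp", 5432),
        "case1 web-2 -> db":       connection_allowed(g, WEB2, DB_BY_IP, "tcp", 5432),
        "case2 web -> db":         connection_allowed(g, WEB, DB_BY_GROUP, "tcp", 5432),
        "case2 web-2 -> db":       connection_allowed(g, WEB2, DB_BY_GROUP, "tcp", 5432),
        "case3 internet -> db":    inbound_allowed(g, DB_BY_GROUP, "tcp", 5432, "198.51.100.7"),
        "case3 web -> db port 22": connection_allowed(g, WEB, DB_BY_GROUP, "tcp", 22),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(("ALLOW " if ok else "DENY  ") + name)
```

Running it, the two "case1" lines show why referencing a group beats listing addresses: web-2 carries the same group but lives in another subnet with a different IP, so it is rejected by the /32 rule in case 1 and admitted by the group-reference rule in case 2. The "case3" lines show the database accepting only port 5432, only from members of sg-public, and never from the internet, even though sg-public itself is open to the world on port 80.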

Limits


  • if you want to go beyond 2,500 security groups (the default quota per Region), you need to request a service quota increase from AWS Support.

  • Q. how many SG can you have on an instance?
    A. it depends on how many ENIs are attached to that instance, because security groups are attached per network interface, not per instance.
    • the default is 5 security groups per ENI, so an instance with 2 ENIs can have 10.
      • the per-ENI quota can be raised to 16, so the upper limit with 2 ENIs is 32 security groups on a single instance.

Summary

  • a security group is a stateful, allow-only virtual firewall attached to an EC2 instance's network interfaces; it does not care which subnet the instance is in.
  • a rule is protocol + port range + source (inbound) or destination (outbound), where the source can be a CIDR block (a /32 for a single address) or another security group.
  • reference a security group rather than an IP when one tier must reach another, and keep the database in a private subnet behind a group that only admits the application tier.
  • quotas: 2,500 security groups per Region by default; 5 groups per ENI by default, raisable to 16.


Words

  • the big takeaway here is~ : the key point here is~
  • keep that stuff
  • upper limit : ceiling, the highest allowed value

The copyright of all material here belongs to this video: https://www.youtube.com/watch?v=Ia-UEYYR44s
This post is just for studying for the AWS SAA exam.

This post is licensed under CC BY 4.0 by the author.
