What you need to know about VPC Security Groups
In a column I wrote recently, I explained how to create a virtual private cloud (VPC) in Amazon Web Services. Although I briefly mentioned VPC security groups in that article, I didn't really get to explore the topic.
This column will explain what a VPC security group is, how it works, and some of the key considerations when creating or working with one.
At a high level, a VPC security group is essentially a software firewall. If it were really that simple, this column would be very short, but there are some important things you should know about VPC security groups.
Figure 1 shows an example of a security group. Each security group is made up of a combination of inbound and outbound rules.
Figure 1: A VPC security group is made up of both inbound and outbound rules. Those rules are defined within the VPC, but they are applied to individual virtual network adapters. It is like configuring firewall settings for individual instances (or for the virtual NICs within an instance).
Another important thing to know about VPC security groups is that multiple security groups can be applied to a single network interface. When that happens, the rules from the different security groups are combined and applied to the adapter together.
Security group rules are allow rules: each one permits a specific type of traffic, and any traffic that no rule permits is blocked. The one exception is response traffic. Security groups are stateful, so if an instance sends a request, the response to that request is allowed back into the instance even though no inbound rule explicitly permits it.
Another thing to remember is that instances within a VPC cannot communicate with each other unless you allow them to. The default security group does allow communication between instances, but you can choose to disable that and create your own rules to permit only the communications you actually want between them.
While you are free to use the default security group, administrators often choose to create custom VPC security groups to augment or replace the default group. Before you create security groups, it is important to know the limits.
Security groups are applied to an instance's network interface. By default, AWS allows you to apply up to five security groups to a virtual network interface. It is possible to use more in extreme circumstances (the upper limit is 16), but you will need to contact AWS Support to do so.
Another limitation you need to be aware of is the maximum number of rules per security group. Each security group can have 50 inbound IPv4 rules, 50 inbound IPv6 rules, 50 outbound IPv4 rules, and 50 outbound IPv6 rules. There are ways to get around these default limits, but doing so requires AWS Support. Note that the IPv4 and IPv6 limits are separate quotas: choosing not to create any IPv6 rules has no effect on how many IPv4 rules you can create.
So AWS imposes default limits on both the number of security groups you can assign to a network interface and the number of rules each security group can contain, and you can ask AWS Support to raise either of them. There is one limit, however, that you will not be able to circumvent: the maximum number of rules that can be applied to a single network interface is 250, and AWS Support will not raise it.
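To make the two points above concrete (rules from every attached group are combined, and only an explicit allow lets traffic in), here is an added example, not code from the original column, that evaluates a flow against several attached groups and checks the default quotas the column lists. The dict layout mirrors the shape of boto3's describe_security_groups output, but the groups, IDs and CIDRs are constructed sample data, not taken from an AWS account.

```python
"""Combined effect of several VPC security groups on one network interface:
allow-only matching across every attached group, plus a check of the default
quotas listed above. Sample groups are constructed, not fetched from AWS."""
import ipaddress

LIMITS = {"groups_per_eni": 5, "rules_per_group": 50, "rules_per_eni": 250}
# Constructed sample: a web-tier group and an admin group on the same ENI.
WEB_SG = {"GroupId": "sg-web-sample",
          "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}],
          "IpPermissionsEgress": [{"IpProtocol": "-1", "FromPort": None, "ToPort": None,
                                   "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}]}
ADMIN_SG = {"GroupId": "sg-admin-sample",
            "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                               "IpRanges": [{"CidrIp": "10.0.1.0/24"}], "Ipv6Ranges": []}],
            "IpPermissionsEgress": []}

def rule_count(sg, direction):
    """One rule per (permission, CIDR) pair, which is how the quota counts."""
    key = "IpPermissions" if direction == "inbound" else "IpPermissionsEgress"
    return sum(len(p["IpRanges"]) + len(p["Ipv6Ranges"]) for p in sg[key])

def inbound_allowed(groups, proto, port, src_ip):
    """True if ANY attached group permits the flow; otherwise it is dropped.
    Stateful return traffic for outbound requests is not modelled here."""
    src = ipaddress.ip_address(src_ip)
    for sg in groups:
        for p in sg["IpPermissions"]:
            if p["IpProtocol"] not in ("-1", proto):
                continue
            if p["IpProtocol"] != "-1" and not p["FromPort"] <= port <= p["ToPort"]:
                continue
            ranges = p["IpRanges"] if src.version == 4 else p["Ipv6Ranges"]
            if any(src in ipaddress.ip_network(r.get("CidrIp") or r["CidrIpv6"], strict=False)
                   for r in ranges):
                return True
    return False

def limit_findings(groups, limits=LIMITS):
    """Quota violations for one interface; per-ENI total counts the busier direction."""
    findings, total = [], 0
    if len(groups) > limits["groups_per_eni"]:
        findings.append(f"{len(groups)} groups attached, default max {limits['groups_per_eni']}")
    for sg in groups:
        n = max(rule_count(sg, "inbound"), rule_count(sg, "outbound"))
        total += n
        if n > limits["rules_per_group"]:
            findings.append(f"{sg['GroupId']}: {n} rules, max {limits['rules_per_group']}")
    if total > limits["rules_per_eni"]:
        findings.append(f"{total} rules on this interface, hard max {limits['rules_per_eni']}")
    return findings
```

Because neither group contains an allow for SSH from the internet, `inbound_allowed([WEB_SG, ADMIN_SG], "tcp", 22, "203.0.113.9")` is False even though the web group opens port 443 to everyone; that is the allow-only rule in action.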