Security group rules for different use cases
You can create a security group and add rules that reflect the role of the instance that's associated with the security group. For example, an instance that's configured as a web server needs security group rules that allow inbound HTTP and HTTPS access. Likewise, a database instance needs rules that allow access for the type of database, such as access over port 3306 for MySQL.
The following are examples of the kinds of rules that you can add to security groups for specific kinds of access.
Examples
For instructions, see Create a security group and Configure security group rules.
Web server rules
The following inbound rules allow HTTP and HTTPS access from any IP address. If your VPC is enabled for IPv6, you can add rules to control inbound HTTP and HTTPS traffic from IPv6 addresses.
| Protocol type | Protocol number | Port | Source IP | Notes |
|---|---|---|---|---|
| TCP | 6 | 80 (HTTP) | 0.0.0.0/0 | Allows inbound HTTP access from any IPv4 address |
| TCP | 6 | 443 (HTTPS) | 0.0.0.0/0 | Allows inbound HTTPS access from any IPv4 address |
| TCP | 6 | 80 (HTTP) | ::/0 | Allows inbound HTTP access from any IPv6 address |
| TCP | 6 | 443 (HTTPS) | ::/0 | Allows inbound HTTPS access from any IPv6 address |
Database server rules
The following inbound rules are examples of rules you might add for database access, depending on what type of database you're running on your instance. For more information about Amazon RDS instances, see the Amazon RDS User Guide.
For the source IP, specify one of the following:
A specific IP address or range of IP addresses (in CIDR block notation) in your local network
A security group ID for a group of instances that access the database
| Protocol type | Protocol number | Port | Notes |
|---|---|---|---|
| TCP | 6 | 1433 (MS SQL) | The default port to access a Microsoft SQL Server database, for example, on an Amazon RDS instance |
| TCP | 6 | 3306 (MYSQL/Aurora) | The default port to access a MySQL or Aurora database, for example, on an Amazon RDS instance |
| TCP | 6 | 5439 (Redshift) | The default port to access an Amazon Redshift cluster database. |
| TCP | 6 | 5432 (PostgreSQL) | The default port to access a PostgreSQL database, for example, on an Amazon RDS instance |
| TCP | 6 | 1521 (Oracle) | The default port to access an Oracle database, for example, on an Amazon RDS instance |
You can optionally restrict outbound traffic from your database servers. For example, you might want to allow access to the internet for software updates, but restrict all other kinds of traffic. You must first remove the default outbound rule that allows all outbound traffic.
| Protocol type | Protocol number | Port | Destination IP | Notes |
|---|---|---|---|---|
| TCP | 6 | 80 (HTTP) | 0.0.0.0/0 | Allows outbound HTTP access to any IPv4 address |
| TCP | 6 | 443 (HTTPS) | 0.0.0.0/0 | Allows outbound HTTPS access to any IPv4 address |
| TCP | 6 | 80 (HTTP) | ::/0 | (IPv6-enabled VPC only) Allows outbound HTTP access to any IPv6 address |
| TCP | 6 | 443 (HTTPS) | ::/0 | (IPv6-enabled VPC only) Allows outbound HTTPS access to any IPv6 address |
Rules to connect to instances from your computer
To connect to your instance, your security group must have inbound rules that allow SSH access (for Linux instances) or RDP access (for Windows instances).
| Protocol type | Protocol number | Port | Source IP |
|---|---|---|---|
| TCP | 6 | 22 (SSH) | The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range. |
| TCP | 6 | 3389 (RDP) | The public IPv4 address of your computer, or a range of IP addresses in your local network. If your VPC is enabled for IPv6 and your instance has an IPv6 address, you can enter an IPv6 address or range. |
Rules to connect to instances from an instance with the same security group
To allow instances that are associated with the same security group to communicate with each other, you must explicitly add rules for this.
Note
If you configure routes to forward the traffic between two instances in different subnets through a middlebox appliance, you must ensure that the security groups for both instances allow traffic to flow between the instances. The security group for each instance must reference the private IP address of the other instance, or the CIDR range of the subnet that contains the other instance, as the source. If you reference the security group of the other instance as the source, this does not allow traffic to flow between the instances.
The following table describes the inbound rule for a security group that enables associated instances to communicate with each other. The rule allows all types of traffic.
| Protocol type | Protocol number | Ports | Source IP |
|---|---|---|---|
| -1 (All) | -1 (All) | -1 (All) | The ID of the security group, or the CIDR range of the subnet that contains the other instance (see note). |
Rules for ping/ICMP
The ping command is a type of ICMP traffic. To ping your instance, you must add one of the following inbound ICMP rules.
| Type | Protocol | Source |
|---|---|---|
| Custom ICMP - IPv4 | Echo request | The public IPv4 address of your computer, a specific IPv4 address, or an IPv4 or IPv6 address from anywhere. |
| All ICMP - IPv4 | IPv4 ICMP (1) | The public IPv4 address of your computer, a specific IPv4 address, or an IPv4 or IPv6 address from anywhere. |
To use the ping6 command to ping the IPv6 address for your instance, you must add the following inbound ICMPv6 rule.
| Type | Protocol | Source |
|---|---|---|
| All ICMP - IPv6 | IPv6 ICMP (58) | The IPv6 address of your computer, a specific IPv4 address, or an IPv4 or IPv6 address from anywhere. |
DNS server rules
If you've set up your EC2 instance as a DNS server, you must ensure that TCP and UDP traffic can reach your DNS server over port 53.
For the source IP, specify one of the following:
An IP address or range of IP addresses (in CIDR block notation) in a network
The ID of a security group for the set of instances in your network that require access to the DNS server
| Protocol type | Protocol number | Port |
|---|---|---|
| TCP | 6 | 53 |
| UDP | 17 | 53 |
Amazon EFS rules
If you're using an Amazon EFS file system with your Amazon EC2 instances, the security group that you associate with your Amazon EFS mount targets must allow traffic over the NFS protocol.
| Protocol type | Protocol number | Ports | Source IP | Notes |
|---|---|---|---|---|
| TCP | 6 | 2049 (NFS) | The ID of the security group | Allows inbound NFS access from resources (including the mount target) associated with this security group |
To mount an Amazon EFS file system on your Amazon EC2 instance, you must connect to your instance. Therefore, the security group associated with your instance must have rules that allow inbound SSH from your local computer or local network.
| Protocol type | Protocol number | Ports | Source IP | Notes |
|---|---|---|---|---|
| TCP | 6 | 22 (SSH) | The IP address range of your local computer, or the range of IP addresses (in CIDR block notation) for your network. | Allows inbound SSH access from your local computer. |
Elastic Load Balancing rules
If you register your EC2 instances with a load balancer, the security group associated with your load balancer must allow communication with the instances. For more information, see the following in the Elastic Load Balancing documentation.
