Understanding Amazon EC2 Security Groups and Firewalls

When launching an Amazon EC2 instance you need to specify its security group.  The security group acts as a firewall allowing you to choose which protocols and ports are open to computers over the internet.  You can choose to use the default security group and then customize it, or you can create your own security group.  Configuring a security group can be done with code or using the Amazon EC2 management console.

If you choose to use the default security group, it will initially be configured as shown below:

Amazon EC2 Security groups defaults

The protocols you can configure are TCP, UDP and ICMP.  (ICMP is the protocol used by ping.)  Each rule also carries a port range for its protocol.  (ICMP has no ports, which is why its range is shown as -1 to -1.)  Lastly, the source lets you open the protocol and port range either to a range of IP addresses or to members of some security group.

The default security group above may be a little confusing.  It appears that everything is wide open.  In fact everything is closed.  The default group, by default, opens all ports and protocols only to instances that are themselves members of the default group (if that makes any sense).  A rule whose source is the group itself admits no traffic from outside it, so at that point no computer across the Internet can access your EC2 instance.

Most likely, you’ll need to open some protocols and ports to the outside world.  There are a number of common services preconfigured in the Connection Method dropdown as shown below.

Amazon EC2 Security groups Connection Method

As an example, if you are configuring an EC2 instance to be a Web server, you’ll need to allow the HTTP and HTTPS protocols.  When you select them from the list, the security group is altered as shown below.

configuring an Amazon EC2 instance

The most important thing to note is the Source IP.  When you specify “” that really means you’re allowing every IP address access to the specified protocol and port range.  So in the example, TCP ports 80 and 443 are open to every computer on the Internet.

You might also want to allow services to manage the server, upload files and so on.  For example, if I were configuring a Windows server I’d want to use Remote Desktop, which would require me to enable RDP on TCP port 3389.  However, I’d only want my own IP address to have access to that protocol.  It would be crazy to allow every computer in the world access to services like RDP, FTP, database services, etc.  See the screenshot below.

Enabling RDP in an Amazon EC2 Security group

Now RDP is enabled on TCP port 3389, but only for the single IP address entered as the source.  Note that after the IP address, you don’t specify “/0”.  If you do, every computer in the world would have access to that port.  To restrict access to a single address, specify “/32” after the IP.  (If you want to know why, read the following article: http://en.wikipedia.org/wiki/CIDR.)
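The following is an added example, not code from the original post or from Amazon. It models the rules discussed above (the default group that admits only its own members, HTTP and HTTPS open to the world, RDP restricted to one address) as dictionaries in the shape that boto3's `authorize_security_group_ingress` takes in its `IpPermissions` list, and evaluates them offline with the standard `ipaddress` module. The group id `sg-0123456789abcdef0` and the administrator address `203.0.113.5` are constructed placeholders. It also shows why the “/0” slip matters: `ipaddress` normalizes any address with a `/0` prefix to `0.0.0.0/0`, so the rule matches every IPv4 address, and a small audit function flags sensitive ports that a rule set leaves open to the world.

```python
import ipaddress

# Constructed placeholder values (not from the original post).
DEFAULT_SG = "sg-0123456789abcdef0"   # assumed id of the "default" security group
ADMIN_IP = "203.0.113.5"              # assumed administrator's public IP (documentation range)
ALL_IPV4 = "0.0.0.0/0"                # the source that means "every IPv4 address"


def ip_rule(protocol, from_port, to_port, cidr):
    """One ingress rule whose source is a CIDR range (boto3 IpPermissions shape)."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "IpRanges": [{"CidrIp": cidr}]}


def group_rule(protocol, from_port, to_port, group_id):
    """One ingress rule whose source is membership of a security group."""
    return {"IpProtocol": protocol, "FromPort": from_port, "ToPort": to_port,
            "UserIdGroupPairs": [{"GroupId": group_id}]}


def default_group_rules():
    """The default group as the post describes it: TCP, UDP and ICMP open only
    to members of the default group itself.  ICMP has no ports; -1 means all."""
    return [group_rule("tcp", 0, 65535, DEFAULT_SG),
            group_rule("udp", 0, 65535, DEFAULT_SG),
            group_rule("icmp", -1, -1, DEFAULT_SG)]


def web_server_rules(admin_ip):
    """HTTP and HTTPS to everyone; RDP only from the administrator's /32."""
    return [ip_rule("tcp", 80, 80, ALL_IPV4),
            ip_rule("tcp", 443, 443, ALL_IPV4),
            ip_rule("tcp", 3389, 3389, f"{admin_ip}/32")]


def _port_matches(rule, port):
    # FromPort of -1 (ICMP "all types") matches anything.
    return rule["FromPort"] == -1 or rule["FromPort"] <= port <= rule["ToPort"]


def _source_matches(rule, source_ip, source_group):
    for rng in rule.get("IpRanges", []):
        # strict=False mirrors the post's warning: "203.0.113.5/0" becomes 0.0.0.0/0.
        net = ipaddress.ip_network(rng["CidrIp"], strict=False)
        if source_ip is not None and ipaddress.ip_address(source_ip) in net:
            return True
    for pair in rule.get("UserIdGroupPairs", []):
        if source_group is not None and pair["GroupId"] == source_group:
            return True
    return False


def is_allowed(rules, protocol, port, source_ip=None, source_group=None):
    """True if at least one rule admits protocol/port from the given source.
    Security groups are allow-lists, so no matching rule means denied."""
    return any(r["IpProtocol"] in (protocol, "-1")
               and _port_matches(r, port)
               and _source_matches(r, source_ip, source_group)
               for r in rules)


def covers_everyone(cidr):
    """True when a CIDR string, as EC2 would interpret it, spans all IPv4 space."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def world_open_sensitive(rules, sensitive_ports=(21, 1433, 3306, 3389)):
    """Audit: which management/database ports does this rule set open to 0.0.0.0/0?
    Defaults cover FTP, MS SQL, MySQL and RDP, the services the post warns about."""
    found = set()
    for r in rules:
        if r["IpProtocol"] not in ("tcp", "-1"):
            continue
        if any(covers_everyone(rng["CidrIp"]) for rng in r.get("IpRanges", [])):
            found.update(p for p in sensitive_ports if _port_matches(r, p))
    return sorted(found)


if __name__ == "__main__":
    stranger = "198.51.100.7"  # constructed address of an arbitrary Internet host
    default = default_group_rules()
    print("default group, TCP 22 from the Internet:", is_allowed(default, "tcp", 22, source_ip=stranger))
    print("default group, TCP 22 from a group member:", is_allowed(default, "tcp", 22, source_group=DEFAULT_SG))
    web = web_server_rules(ADMIN_IP)
    print("web server, TCP 443 from the Internet:", is_allowed(web, "tcp", 443, source_ip=stranger))
    print("web server, RDP from the Internet:", is_allowed(web, "tcp", 3389, source_ip=stranger))
    print("web server, RDP from the admin:", is_allowed(web, "tcp", 3389, source_ip=ADMIN_IP))
    typo = web[:2] + [ip_rule("tcp", 3389, 3389, f"{ADMIN_IP}/0")]   # the "/0" mistake
    print("sensitive ports open to the world after the /0 typo:", world_open_sensitive(typo))
```

The same dictionaries can be handed to boto3 as `ec2.authorize_security_group_ingress(GroupId=..., IpPermissions=rules)`; running `world_open_sensitive` over the rules you are about to apply (or over `describe_security_groups` output) is a cheap pre-deployment check that the “/32” was not typed as “/0”.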

You may also need to know what your public IP address is.  Search Bing for “My IP address”, and a number of Web sites will come up that will tell you.

For an easy tool to test whether a port is open, try paping from Google.

To learn more about EC2 and cloud computing, enroll in a Cloud Computing course. More courses are being added all the time, so check back often.

If you’re interested in .NET programming, visit the .NET category of this blog.

Doug Rehnstrom

As cloud computing continues to make information technology headlines, vendors are aggressively promoting the many benefits it can provide organizations.  Learning Tree’s White Paper, Cloud Computing Promises: Fact or Fiction, addresses the claims and questions that are often raised in relation to cloud computing and provides a clear view of what the cloud can—and can’t—deliver in reality.

PS – Have a look at our brand new, 1-day online course – AWS New Features.
