DevOpsLesson
DevOpsLesson

Free, comprehensive DevOps tutorials and learning roadmaps. Master Docker, Kubernetes, CI/CD, and more.

Stay Updated

Get notified about new tutorials and features.

Tutorials

  • What is DevOps?
  • Docker Tutorial
  • Terraform Tutorial
  • CI/CD Pipeline
  • All Tutorials

Roadmaps

  • DevOps Engineer
  • Cloud Engineer
  • SRE Path
  • All Roadmaps

Company

  • About Us
  • Blog
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 DevOpsLesson. All rights reserved.

DOCKERKUBERNETESTERRAFORMAWSCI/CDLINUXGITDEVOPS ROADMAPCLOUD ROADMAPSRE ROADMAPGIT CHEATSHEETDOCKER CHEATSHEETK8S CHEATSHEETTF CHEATSHEETLINUX CHEATSHEETDOCKERFILE LINTERYAML VALIDATORCRON PARSERREGEX TESTER

Aws Tutorial

Introduction to AWS
AWS Global Infrastructure
Setting Up AWS
AWS IAM
AWS EC2
AWS VPC
AWS S3
AWS RDS
AWS Lambda
AWS ECS and EKS
AWS CloudWatch
AWS CodePipeline
AWS Cost Optimization
AWS Elastic Load Balancing
AWS Auto Scaling
AWS CloudFront
AWS Route 53
AWS DynamoDB
AWS ElastiCache
AWS SQS
AWS SNS
AWS EventBridge
AWS Step Functions
AWS API Gateway
AWS ECR
AWS EKS
AWS CloudFormation
AWS Elastic Beanstalk
AWS KMS
AWS Secrets Manager
AWS WAF and Shield
AWS CloudTrail
AWS Config
AWS Systems Manager
AWS Organizations
AWS EFS
AWS EBS Deep Dive
AWS Kinesis
AWS Athena
AWS CodeDeploy
AWS CodeCommit
AWS CDK
AWS SAM

AWS EC2 Security Groups

PreviousPrev
Next

Use EC2 security groups as stateful firewalls by defining inbound and outbound rules based on ports, CIDR ranges, and other security groups.

Security groups are AWS’s built-in stateful firewall for EC2 and many other services. They control which traffic is allowed in and out based on protocol, port, and source or destination. Because they are stateful, return traffic for an allowed request is automatically permitted, which makes them simpler to reason about than traditional stateless firewall rules.

Inbound rules define who can reach the resource. Outbound rules define where the resource can initiate connections. Sources can be IP ranges in CIDR notation or other security groups. Referencing another security group is powerful because it lets you describe trust between tiers without hard-coding instance IP addresses.

PatternExample rule
Web serverAllow TCP 80 and 443 from 0.0.0.0/0
SSH admin accessAllow TCP 22 from a trusted office or VPN CIDR
Database tierAllow TCP 5432 from the application security group
Private egressRestrict outbound traffic to known destinations if required

A good pattern is layered access. Public load balancers may accept internet traffic, application servers may accept traffic only from the load balancer’s security group, and databases may accept traffic only from the application group. That design is cleaner and safer than allowing broad CIDR ranges everywhere.

Beginners often open SSH or database ports to the world for convenience. That may work in a lab, but it is a poor habit. Restrict sources as tightly as possible, document why each rule exists, and review stale rules during regular operations. Security groups are easy to change, which is exactly why they should be managed carefully.

Pair this lesson with AWS VPC because security groups work best when subnet and routing design are already clear.

aws ec2 describe-security-groups --output table
aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef0 --protocol tcp --port 22 --cidr 203.0.113.0/24
aws ec2 revoke-security-group-ingress --group-id sg-1234567890abcdef0 --protocol tcp --port 22 --cidr 0.0.0.0/0

Operational note

Treat EC2 instances as managed infrastructure, not pets. Capture launch settings in infrastructure as code, keep bootstrap steps repeatable, and monitor CPU, memory, disk, and patch level from the start. That way replacing an instance is a routine operation instead of a risky manual repair exercise. Shared standards like this make future environments easier to launch, review, and support.

Exercise

Stateful behavior

What does it mean that an EC2 security group is stateful?

Exercise

Tiered access

What is a common secure pattern for database security groups?

PreviousPrev
Next

Continue Learning

AWS EC2

Learn how Amazon EC2 provides virtual machines in the cloud and how AMIs, instance types, storage, and pricing models affect deployments.

20 min·Intermediate

AWS EC2 Launch Instance

Launch an EC2 instance step by step by choosing an AMI, instance type, networking, security group, and key pair, then connect over SSH.

12 min·Easy

AWS EC2 Instance Types

Understand EC2 instance family names and choose between general purpose, compute-optimized, memory-optimized, and specialized hardware.

10 min·Easy

Explore Related Topics

Te

Terraform Tutorials

Manage AWS infrastructure as code

Li

Linux Tutorials

Essential Linux skills for working with EC2

On This Page

Operational note