Create a custom VPC security group
Welcome to CloudAffaire and this is Debjeet
In the last blog post, we created a peering connection between two cross-region VPCs in the same AWS account.
In this blog post, we are going to create a custom VPC security group and enable SSH. Below is the configuration diagram for this demo.
A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign up to five security groups to the instance. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don’t specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC. For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic things you need to know about security groups for your VPC and their rules.
In this demo, we are going to create a custom VPC security group and deploy an EC2 instance with this custom security group. To perform this demo you need one VPC with a public subnet.
We have already created the VPCs and subnets.
Next, we are going to create a custom security group for this VPC.
Create a custom security group:
Step 1: Login to AWS console and navigate to ‘VPC’.
Step 2: Navigate to ‘Security Groups’ and click ‘Create security group’.
Observed: One default security group is already created for this VPC. Whenever you create a VPC, one security group is automatically created with it and will be used as a default security group if you don’t explicitly define a custom security group during the instance creation.
Step 3: Provide name, description and select the VPC. Click ‘Create’.
One success message will be displayed, click ‘Close’.
Our new custom security group has been created successfully.
Note: By default, no inbound rules are added to a new security group.
Note: By default, all outbound connections are enabled.
Next, create an EC2 instance in this VPC and public subnet with the new security group.
Since no inbound rule is enabled, any attempt to connect to the EC2 instance over the internet will fail.
Next, we are going to enable SSH on port 22 in our custom security group.
Step 4: Select the security group and click ‘Edit rules’ located under ‘Inbound Rules’.
Step 5: Click ‘Add Rule’. Provide type, protocol, and port and source information for the rule. Click ‘Save’.
Note: We are explicitly providing our host system IP as the source. Hence no other system will be able to connect.
The inbound rule for SSH is now enabled.
Note: Security group rules are stateful, meaning that if we define any inbound/outbound rule, the response traffic is automatically allowed. Hence we don't need to add an outbound rule for SSH.
Next, if you try to connect to the EC2 instance, it will successfully connect.
Observe: Although we are able to connect to the EC2 instance from our host system over SSH, it still does not respond to ping. In order to enable ping, we need to add another inbound rule in our security group for ICMP (PING).
Step 6: Add another inbound rule for PING (ICMP).
If we try to ping the EC2 instance now, it will respond to ping.
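The same security group as infrastructure-as-code, as an added example that is not part of the original post: a Terraform definition covering Steps 3, 5 and 6, assuming a `vpc_id` input and an `admin_host_cidr` input that you set to your host's public IP in /32 notation (the value shown is a placeholder).

```hcl
variable "vpc_id" {
  description = "ID of the VPC that holds the public subnet (assumed input)"
  type        = string
}

variable "admin_host_cidr" {
  description = "Your host's public IP as a /32, e.g. 203.0.113.10/32 (placeholder)"
  type        = string
  # Fail the plan if the source is anything wider than a single host,
  # so 0.0.0.0/0 can never slip into the SSH rule by mistake.
  validation {
    condition     = can(regex("/32$", var.admin_host_cidr))
    error_message = "admin_host_cidr must be a single host in /32 notation."
  }
}

resource "aws_security_group" "custom" {
  name        = "cloudaffaire-custom-sg"
  description = "Custom SG: SSH and ping from the admin host only"
  vpc_id      = var.vpc_id

  # Step 5: SSH (TCP/22) from the admin host only; no other source is allowed.
  ingress {
    description = "SSH from admin host"
    from_port   = 22
    to_port     = 22
    protocol    = "tcp"
    cidr_blocks = [var.admin_host_cidr]
  }

  # Step 6: ICMP echo request (ping). For ICMP, from_port is the ICMP type
  # and to_port the ICMP code; type 8 = echo request, -1 = any code.
  ingress {
    description = "Ping from admin host"
    from_port   = 8
    to_port     = -1
    protocol    = "icmp"
    cidr_blocks = [var.admin_host_cidr]
  }

  # Default behaviour of a new security group: all outbound traffic allowed.
  # Return traffic for the inbound rules above is permitted anyway (stateful).
  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }
}
```

Attach the group to the instance with `vpc_security_group_ids = [aws_security_group.custom.id]`; `terraform plan` rejects any `admin_host_cidr` that is not a single /32 host.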
Hope you have enjoyed this article. In the next blog post, we are going to discuss network ACL in VPC.
To get more details on VPC, please refer to the AWS documentation below.