Home / How are AWS Security Groups different from firewalls?

How are AWS Security Groups different from firewalls?

Network Security

Security Groups are the premier way to secure your AWS EC2 instances. And although Amazon describes them as virtual firewalls, this is simply an analogy used to help newcomers understand them.

Their purpose and functions are much more advanced, much more complex.

We will be taking a look at how these differ from traditional firewalls below. However, if you want to brush up on what Security Groups are, then be sure to give this article a read that provides basic information on how to secure an Amazon EC2 instance.

Firewalls, you say?

Security Groups may not be firewall per se, but a more accurate description, probably, is that they offer a firewall-like method of authorizing traffic for your EC2 instance. You’ll not get all the functionality you get from a traditional firewall. However, this simplification is also something that makes Security Groups extremely powerful.

Differences between security groups and firewalls

Security Groups are an essential tool to safeguard your instances from the outside world. Just like traditional firewalls, you can use them allow specific traffic to reach your EC2 instance, while preventing all other. But they also have some fundamental differences from firewalls that are listed below.

  • You cannot use Security Groups to explicitly block traffic. Amazon only allows permissive style rules to be added, rules that deny are not supported. Basically, all inbound traffic is denied, unless you explicitly allow it.
  • Rules may not refer to source ports, only destination ports are supported.
  • By default, when you first start using the EC2 service, AWS will automatically create a Security Group for you, and designate it as default. It will contain only a single rule that allows all inbound traffic on port 22.
  • A common practice, when configuring Security Groups, is to filter all traffic using inbound rules only. When created, Security Groups contain a rule that allows all outbound connections, and removing this rule also drops new outbound connections.
  • Security Groups are stateful. What this means is that if you do replace the default outbound rule, only new outbound connections will be filtered. Any outbound traffic being sent in response to an inbound connection will still be allowed.
  • Network ACLs, unlike Security Groups, are not stateful, and do support deny rules. This makes them ideal for use as a complimentary layer of security inside any VPC you create, particularly when you need to control traffic flow between subnets.

Read more EC2 articles here