π‘οΈ AWS Security Groups: The Virtual Firewall Every Server Needs
Hey Cloud Architects and DevOps Rookies! π
Welcome to Day 2 of the #100DaysOfCloud Challenge: Create Security Group! Weβre continuing our journey of breaking down massive cloud migration tasks into digestible steps from the awesome folks at KodeKloud Engineer.
If our last task was about the key to the server (the Key Pair), today's task is about the security guard standing in front of it: the AWS Security Group (SG)!
A Security Group acts as a virtual firewall for your EC2 instances to control incoming (inbound) and outgoing (outbound) traffic. No rules, no traffic! It's an absolutely non-negotiable part of cloud networking.
1. Introduction: Why Security Groups Are Your Best Friend π‘
Think of an AWS Security Group as an access control list that you can assign to one or more virtual servers (EC2 instances).
- Stateful Filtering: If you allow traffic in (inbound), the Security Group automatically allows the response traffic out (outbound) without a specific rule. This is called "stateful" operation.
- Security First: By default, a Security Group denies all inbound traffic. You must explicitly create rules for any traffic you want to allow. This is known as the "principle of least privilege."
-
Today's Mission: We need a Security Group named
nautilus-sgto allow two critical types of access from anywhere on the internet (0.0.0.0/0):- HTTP (Port 80): So the public can access our web application.
- SSH (Port 22): So developers and administrators can securely manage the servers.
Let's dive into the AWS Console and set up our fortress! π°
2. Step-by-Step Guide: Creating the Nautilus Security Group
We will use the AWS Management Console to create and configure our firewall rules.
Step 2.1: Navigate to the VPC Dashboard
Security Groups live within the VPC (Virtual Private Cloud) service.
Log in to the AWS Console.
In the AWS console search bar, type
VPCand click on the first result to open the VPC Dashboard.In the left-hand navigation menu, scroll down and click on "Security Groups".
Step 2.2: Create the Security Group
Click the orange "Create security group" button.
-
Fill out the Basic details section with the required information:
-
Security group name:
nautilus-sg -
Description:
Security group for Nautilus App Servers -
VPC: Select your Default VPC. (This is usually labeled
(default)and has a description likedefault VPC).
-
Security group name:
Step 2.3: Add the Inbound Rules
Now for the critical part: defining what traffic is allowed in.
Rule 1: Allow HTTP Access
In the Inbound rules section, click "Add rule".
-
Configure the first rule for web traffic:
-
Type: Select
HTTP(This automatically sets the port to80). -
Source: Select
Anywhere-IPv4from the dropdown. This automatically fills the CIDR block with0.0.0.0/0.
-
Type: Select
Rule 2: Allow SSH Access
Click "Add rule" again to create a second rule.
-
Configure the rule for administrative access:
-
Type: Select
SSH(This automatically sets the port to22). -
Source: Select
Anywhere-IPv4from the dropdown. This automatically fills the CIDR block with0.0.0.0/0.
-
Type: Select
Step 2.4: Finalize and Create
Review your settings. You should have two inbound rules listed: Port 80 and Port 22, both open to
0.0.0.0/0. (The Outbound rules section defaults to allowing all traffic, which is fine for this task.)Click the "Create security group" button at the bottom right.
You have successfully created and configured the nautilus-sg firewall! This Security Group is now ready to be attached to your application servers. π
3. Key Takeaways π
- Default Deny: If you don't explicitly allow traffic in an Inbound rule, it is automatically blocked.
-
CIDR Block Magic:
0.0.0.0/0means "the entire internet." Use this sparingly in real-world scenarios! - Security Group vs. NACL: Security Groups are instance-level (apply to a server) and stateful. NACLs (Network Access Control Lists) are subnet-level and stateless.
4. Common Mistakes to Avoid π«
- Forgetting SSH (Port 22): The most common mistake! If you don't allow SSH traffic, you won't be able to log in and manage your server after launching it.
- Using
0.0.0.0/0for SSH: While required for this task, in a professional environment, you should restrict SSH access to only your company's public IP address (or range) for maximum security. Never open SSH to the world unless absolutely necessary. - Attaching to the Wrong Instance: Always double-check that you assign the correct Security Group to the correct EC2 instance during launch or modification.
5. Conclusion + Call to Action! π
You are now officially a gatekeeper of your cloud infrastructure! Mastering Security Groups is a massive leap forward in building robust, secure, and accessible cloud environments. Keep crushing the 100 Days of Cloud Challenge!
If you found this guide helpful, please:
π¬ Letβs connect on LinkedIn: Cloud, DevOps, consistency, and learning in publicβletβs build together!
π Hritik Rajβ Support my journey on GitHub: Follow my #100DaysOfCloud challenge with real AWS tasks and hands-on learning
π GitHub β 100 Days of Cloud
Next up, we might even launch a server using the Key Pair and Security Group we just created! Happy fire-walling! π»
Top comments (0)