Security Groups: The Essential Guide to Cloud Network Security

Security Groups (SGs) are virtual firewalls that manage incoming and outgoing traffic for cloud instances in platforms like AWS, Azure, and Google Cloud. It's important to understand and set them up correctly to keep cloud-based applications and resources secure.
Security Group Rules
Security Groups set rules to allow or deny network traffic based on:
Inbound Rules: Manage incoming traffic.
- Example: Allow SSH (port 22) access only from a specific IP address.
Outbound Rules: Manage outgoing traffic.
- Example: Allow all outbound traffic to the internet.
Rules specify the Protocol, Port Range, and Source/Destination.
Why Security Groups Matter: A Real-World Example
Imagine a web application running on an AWS EC2 instance with these components:
Web Server – Listens on HTTP (port 80) and HTTPS (port 443).
Database Server – Uses MySQL (port 3306).
SSH Access – Allows remote login through port 22.
How Security Groups Protect Servers
1. Instance-Level Security
Without Security Groups, your database and SSH access would be exposed to the internet.
Security Groups restrict access, allowing only:
HTTP (80) and HTTPS (443) for public web access
Database access only from the web server
SSH access only from a trusted IP
2. Stateful Filtering
Security Groups automatically allow outbound traffic in response to inbound requests.
Example: If a user accesses your website, their request goes through an inbound rule, and the response traffic is allowed without extra configuration.
3. Simplified Network Management
- Instead of configuring firewall rules for every new instance, attach the same Security Group to multiple instances for consistent security policies.
4. Defense Against Unauthorized Access
Hackers might attempt brute-force attacks on SSH (port 22).
Best practice: Restrict SSH access to only your office IP (e.g., 203.0.113.5).
5. Dynamic Scaling
As traffic increases, AWS may add new servers.
These new instances inherit Security Group rules automatically, maintaining security without manual intervention.
Security Group Best Practices
| Component | Allowed Ports | Allowed Source |
| --- | --- | --- |
| Web Server | 80, 443 | Public (0.0.0.0/0) |
| Database Server | 3306 | Only from Web Server |
| SSH Access | 22 | Only from Office IP |
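As an added example (not part of the original article), the following Python audit applies the table above to rule data shaped like the output of `aws ec2 describe-security-groups`, flagging any inbound rule open to 0.0.0.0/0 or ::/0 on anything other than TCP 80 and 443; it goes slightly beyond the table by also covering IPv6 sources, port ranges and all-protocol rules. The group IDs and rules are constructed sample data, and the names audit_inbound, PUBLIC_TCP_PORTS and SAMPLE_GROUPS are assumptions of this example.

```python
import ipaddress

# Ports the guide's best-practice table opens to the public (0.0.0.0/0).
PUBLIC_TCP_PORTS = {80, 443}
ANYWHERE = [{"CidrIp": "0.0.0.0/0"}]

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# the group IDs and rules are made up for this example.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0web000000000001", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "IpRanges": ANYWHERE},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ANYWHERE,
         "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "203.0.113.5/32"}]},  # office IP only
    ]},
    {"GroupId": "sg-0db0000000000002", "IpPermissions": [
        # Source is the web server's security group, not a CIDR range.
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0web000000000001"}]},
    ]},
    {"GroupId": "sg-0bad000000000003", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": ANYWHERE},
        {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306, "IpRanges": ANYWHERE},
        {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 8080, "IpRanges": ANYWHERE},
        {"IpProtocol": "-1", "IpRanges": ANYWHERE},  # all protocols, all ports
    ]},
]

def audit_inbound(groups, public_ports=PUBLIC_TCP_PORTS):
    """List inbound rules open to the whole internet on anything but public_ports."""
    findings = []
    for group in groups:
        for rule in group.get("IpPermissions", []):
            proto = rule.get("IpProtocol")
            lo, hi = rule.get("FromPort"), rule.get("ToPort")
            cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                if ipaddress.ip_network(cidr, strict=False).prefixlen != 0:
                    continue  # limited to a specific range, e.g. the office IP
                # Non-TCP or all-protocol rules, and ranges that cover extra
                # ports (80-8080), are flagged as well as single ports.
                if proto != "tcp" or any(p not in public_ports for p in range(lo, hi + 1)):
                    findings.append((group["GroupId"], proto, lo, hi, cidr))
    return findings

if __name__ == "__main__":
    print(*audit_inbound(SAMPLE_GROUPS), sep="\n")
```

Rules whose source is another security group (the database rule) or a specific address (the office IP) produce no finding; only the third, deliberately misconfigured group is reported.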
Common Security Group Configurations
1. Web Server Security Group (For Hosting Websites)
| Rule Type | Protocol | Port | Source/Destination | Purpose |
| --- | --- | --- | --- | --- |
| Inbound | HTTP (TCP) | 80 | 0.0.0.0/0 (Everyone) | Allow public access |
| Inbound | HTTPS (TCP) | 443 | 0.0.0.0/0 (Everyone) | Secure SSL access |
| Outbound | All | All | 0.0.0.0/0 (Everyone) | Allow web server to access the internet |
2. SSH Security Group (For Admin Access)
| Rule Type | Protocol | Port | Source | Purpose |
| --- | --- | --- | --- | --- |
| Inbound | SSH (TCP) | 22 | Office IP (203.0.113.5) | Secure access |
| Outbound | All | All | 0.0.0.0/0 (Everyone) | Allow admin to access the internet |
3. Load Balancer Security Group
| Rule Type | Protocol | Port | Source/Destination | Purpose |
| --- | --- | --- | --- | --- |
| Inbound | HTTP (TCP) | 80 | 0.0.0.0/0 (Everyone) | Public website access |
| Inbound | HTTPS (TCP) | 443 | 0.0.0.0/0 (Everyone) | Secure traffic |
| Outbound | HTTP/HTTPS | 80/443 | Web Server SG | Forward traffic |
Step-by-Step Guide to Creating and Configuring Security Groups
Step 1: Open AWS Console
Step 2: Navigate to EC2 Dashboard
Step 3: Select Security Groups from the left navbar
Step 4: Click "Create Security Group"
Provide a Name and Description.
Select the VPC where it will be applied.
Step 5: Configure Inbound Rules
| Rule | Type | Protocol | Port Range | Source |
| --- | --- | --- | --- | --- |
| 1 | HTTP | TCP | 80 | 0.0.0.0/0 |
| 2 | HTTPS | TCP | 443 | 0.0.0.0/0 |
| 3 | SSH | TCP | 22 | Your IP (e.g., 203.0.113.5) |
Step 6: Configure Outbound Rules
- Allow all outbound traffic to ensure servers can connect externally.
Step 7: Review and create the Security Group
Step 8: Assign the Security Group to an Instance
- When launching an instance, select your Security Group or apply it later from the EC2 dashboard.
Useful Networking Commands for Troubleshooting
1. Ping Command
- Test connectivity between devices.
ping google.com
ping 8.8.8.8 # Google DNS
ping 192.168.1.1 # Local network check
2. Traceroute (Linux) / Tracert (Windows)
- Track the path packets take to a destination.
traceroute google.com # Linux
tracert google.com # Windows
3. Netstat (View active connections and listening ports)
netstat -a # Show all connections
netstat -an # Show numeric IP addresses and ports
netstat -r # Display routing table
4. Curl Commands
- Fetch website content:
curl google.com
- Download a file:
curl -o file.html google.com
- Send a POST request:
curl -X POST -d "param=value" http://example.com/api
5. Dig/Nslookup (DNS Troubleshooting)
dig example.com # Fetch domain information
nslookup example.com # Resolve domain name
nslookup 8.8.8.8 # Reverse lookup (Find domain from IP)
Conclusion
Security Groups are a critical aspect of cloud security. By correctly configuring rules, you ensure:
✅ Only necessary ports are open
✅ Traffic is securely managed
✅ Unauthorized access is blocked
Follow best practices and use network commands to troubleshoot and secure your cloud environment effectively. 🚀
Written by Rutuja Mule
