By using AWS re:Post, you agree to the Terms of Use
/Security group outbound rules for RDS, ElastiCache, EFS/

Security group outbound rules for RDS, ElastiCache, EFS


We are using RDS PostgreSQL, ElastiCache Redis and EFS as managed services. For each service we have currently our security group allow any IPv4 outbound connections. We want to restrict this. Do we need to add any specific protocols/ports/destinations so that AWS can maintain the managed services, i.e. for performing updates?

1 Answers


I don't have the answer for ElastiCache and EFS, however for RDS you don't need to allow any outbound connections by default. All the communication the service itself needs to function is done over a different networking path (a separate internal networking interface not impacted by the security group).


answered 2 months ago
  • Thanks for your answer. Since, you mentioned the separate network interface, I hope it's ok to ask an extended question: Does AWS require any specific network ACL inbound/outbound rules to maintain services such as RDS? We would like to adapt the network ACLs to our particular applications running on AWS infrastructure, too. In case we would create a custom network ACL only allowing HTTPS for a specific source/destination IPv4 address, is it still possible that AWS can maintain the managed services? Can AWS then still install updates for RDS or ElastiCache even if the network ACLs do not allow any inbound/outbound connections for that? If not, which protocol, ports and destinations need to be allowed?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions