VPC security group versus ALB security group?


Hi peeps,

I do have a web app VPC which spans two different AZs and I have two private subnets which are located in these two AZs. The VPC has a default security group. I also have instantiated the ALB which allows ingress HTTP (80) and HTTPS traffic (443) and egress traffic all. Now I am curious, do I need to modify the SG for the VPC too to restrict it to HTTP(S) ports only? Is there a difference? AFAICT the resources are only available via the ALB, so unless I have anything listening internally on SSH port, it should not be necessary to modify the VPC SG, am I correct?

I could, however, have an extra internal VPC which does have an SSH connection to the web app?

Thanks!

1 Answer
Accepted Answer

You mention the VPC default SG, but that default SG doesn't apply to the VPC itself as a whole; it applies to the network interfaces of resources in your VPC that you attach it to.

If you have a resource listening on port 22, but you haven't defined an inbound rule in the SG for it, no one will be able to connect to it.

  • Security groups (SG) wrap themselves around elastic network interfaces (ENIs) of whatever resources you're attempting to protect.
  • ALBs deploy these network interfaces in your subnets; you can see them in the console: EC2 > Network & Security > Network Interfaces. Look at the Description column to identify them. You can then click on the Network interface ID, and a new screen opens where you can see the specific SG assigned to that interface in the Security groups section.
  • Your backend resources, presumably EC2 instances, have network interfaces, and they too will have one or more SGs attached to them.

In essence your ALB SG must include inbound rules to permit access to the ALB from clients as well as outbound rules that permit access to your backend resources from the ALB itself. Your resources SG must contain inbound rules that allow the ALB to connect to them.

  • SGs can reference CIDR ranges or other security groups, meaning that if you reference the ALB SG in the resource SG inbound portion, the ALB will be allowed to connect to your resources.
  • SGs are stateful, meaning that you only have to define the traffic in one direction and return traffic will be automatically permitted.
  • SGs can only contain allow statements, hence all undefined traffic is implicitly denied.

Docs:

LondonX (AWS), answered 7 months ago
Reviewed by iBehr (AWS, EXPERT) 7 months ago
  • So does the ALB SG override the behaviour of the VPC SG? If I have an EKS/ECS cluster with ALB in front of it, I would assume that ALB SG supersedes the default SG of the VPC, or am I wrong?

    • Default security group is just the first one that gets created when you create a VPC. Unless you attach it to something, it won't take effect and do anything.

    • SGs don't supersede each other; when creating resources that require an SG, you'll be explicitly prompted to pick one, and that is what will take effect in reference to that specific resource.

    • You could attach more than one SG to the same interface and they will take effect cumulatively. Since you're only defining allowed communications, there'd never be a conflict - you'd just grow the list of allowed communications.

    Let me know if you need additional help, otherwise kindly accept the answer to mark this question as done.
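The rules the answer and the follow-up comment describe (an SG only matters once it is attached to an ENI, rules are allow-only, an inbound rule may reference another SG instead of a CIDR, several SGs on one interface are cumulative, and return traffic is stateful) can be checked against a small model. The evaluator below is an added example written for this page; it is not AWS code and not part of the original answer. All security-group ids, interface addresses and the client address are constructed placeholders, and the model deliberately ignores NACLs, route tables and ephemeral-port details.

```python
"""Toy evaluator for the AWS security-group semantics discussed above.

Added example, not AWS code. Ids and addresses are constructed placeholders.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    protocol: str                  # "tcp", "udp", or "-1" for all traffic
    from_port: int                 # 0 when protocol is "-1"
    to_port: int                   # 65535 when protocol is "-1"
    cidr: Optional[str] = None     # peer CIDR range, or ...
    sg_ref: Optional[str] = None   # ... the id of the peer's security group

    def matches(self, protocol: str, port: int, peer_ip: str, peer_sg_ids: set) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if not (self.from_port <= port <= self.to_port):
            return False
        if self.cidr is not None:
            return ip_address(peer_ip) in ip_network(self.cidr)
        # SG-referencing rule: matches only if the peer interface carries that SG
        return self.sg_ref in peer_sg_ids


@dataclass
class SecurityGroup:
    sg_id: str
    ingress: list = field(default_factory=list)   # allow-only; nothing else exists
    egress: list = field(default_factory=list)


@dataclass
class Endpoint:
    """An ENI with the SGs attached to it, or an external client with none."""
    ip: str
    groups: list = field(default_factory=list)

    @property
    def sg_ids(self) -> set:
        return {g.sg_id for g in self.groups}


def _any_allows(rules, protocol, port, peer) -> bool:
    return any(r.matches(protocol, port, peer.ip, peer.sg_ids) for r in rules)


class Evaluator:
    """Allow-only, cumulative and stateful evaluation of connection attempts."""

    def __init__(self):
        self.flows = set()   # simplified connection-tracking table

    def connect(self, src: Endpoint, dst: Endpoint, protocol: str, port: int) -> bool:
        # Egress is only checked when the source sits behind SGs (an internet
        # client has none). Every attached SG contributes rules cumulatively.
        if src.groups:
            egress_rules = [r for g in src.groups for r in g.egress]
            if not _any_allows(egress_rules, protocol, port, dst):
                return False
        # An SG that is attached to nothing (like an unused VPC default SG)
        # never appears in dst.groups and therefore contributes no rule here.
        ingress_rules = [r for g in dst.groups for r in g.ingress]
        if not _any_allows(ingress_rules, protocol, port, src):
            return False
        self.flows.add((src.ip, dst.ip, protocol, port))
        return True

    def reply(self, src: Endpoint, dst: Endpoint, protocol: str, port: int) -> bool:
        """Return traffic for an established flow needs no rule of its own (stateful)."""
        return (dst.ip, src.ip, protocol, port) in self.flows


def scenario() -> dict:
    """Build the ALB-in-front-of-instances topology from the question and probe it."""
    alb_sg = SecurityGroup("sg-alb-placeholder",
                           ingress=[Rule("tcp", 80, 80, cidr=ANY), Rule("tcp", 443, 443, cidr=ANY)],
                           egress=[Rule("tcp", 80, 80, sg_ref="sg-app-placeholder")])
    app_sg = SecurityGroup("sg-app-placeholder",
                           ingress=[Rule("tcp", 80, 80, sg_ref="sg-alb-placeholder")])  # no egress rules
    ssh_sg = SecurityGroup("sg-ssh-placeholder",
                           ingress=[Rule("tcp", 22, 22, cidr="10.0.0.0/16")])
    admin_sg = SecurityGroup("sg-admin-placeholder",
                             egress=[Rule("-1", 0, 65535, cidr=ANY)])

    client = Endpoint("203.0.113.10")               # internet client, no SGs
    alb = Endpoint("10.0.1.20", [alb_sg])           # ALB ENI in a private subnet
    app = Endpoint("10.0.2.30", [app_sg])           # backend instance ENI
    admin = Endpoint("10.0.5.7", [admin_sg])        # in-VPC admin host

    ev = Evaluator()
    r = {
        "client_to_alb_443": ev.connect(client, alb, "tcp", 443),
        "client_to_app_80": ev.connect(client, app, "tcp", 80),    # bypassing the ALB: denied
        "alb_to_app_80": ev.connect(alb, app, "tcp", 80),          # SG reference on both sides
        "alb_to_app_22": ev.connect(alb, app, "tcp", 22),          # no rule anywhere: denied
        "app_reply_to_alb": ev.reply(app, alb, "tcp", 80),         # stateful return traffic
        "admin_to_app_22_before": ev.connect(admin, app, "tcp", 22),
    }
    app.groups.append(ssh_sg)                        # second SG on the same ENI: cumulative
    r["admin_to_app_22_after"] = ev.connect(admin, app, "tcp", 22)
    r["client_to_app_22_after"] = ev.connect(client, app, "tcp", 22)
    return r


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name:26s} {'ALLOW' if allowed else 'DENY'}")
```

Running the script shows that the backend is only reachable on port 80 from an interface carrying the ALB's SG, that port 22 stays closed until an SG with an explicit port 22 rule is attached to the instance's ENI, and that the second SG widens what is allowed for the admin range without opening port 22 to the internet.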
