The EC2 environment provides a network security mechanism that acts as a firewall for incoming connections. The environment does not allow network traffic to reach an instance unless that traffic has been explicitly permitted.
The network security firewall is managed using security groups, which are named collections of access rules that specify which incoming (ingress) network connections the EC2 environment should allow to pass through to running instances. Security groups only control inbound network traffic; they will not prevent outbound traffic.
Security groups can contain two kinds of rules: IP rules and group rules.
IP access rules, also known as CIDR rules, control traffic originating from outside or inside the EC2 environment. These rules specify the kinds of IP network traffic that will be allowed based on three constraints:
Protocol (TCP, UDP, or ICMP)
Target port range
Originating IP address range
We discussed IP rules and the API operation that applies to them in more detail earlier on, in the section Allow IP Traffic.”
Group access rules control traffic originating from other instances within the EC2 environment. These rules define permissions based on which security groups an instance belongs to, rather than its IP address. Group rules are much less granular than IP rules and will automatically allow incoming network traffic, using any protocol or port number, from an instance belonging to a permitted security group.
Group rules are a convenient ...