- Effective DevOps with AWS
- Yogesh Raheja Giuseppe Borgese Nathaniel Felsen
- 2021-07-23 16:27:28
Security groups
Security groups work a bit like firewalls. All EC2 instances have a set of security groups assigned to them, and each security group contains rules to allow traffic to flow inbound (ingress) and/or outbound (egress).
For this exercise, we will create a small web application running on port tcp/3000. In addition, we want to be able to SSH into the instance, so we also need to allow inbound traffic to port tcp/22. We will create a simple security group to allow this, by performing the following steps:
- First, we need to find out our default virtual private cloud (VPC) ID. Despite being in a cloud environment, where the physical resources are shared by all AWS customers, there is still a strong emphasis on security. AWS segments its virtual infrastructure using the concept of a VPC. You can imagine this as a virtual datacenter with its own network. The security groups that protect our EC2 instances are tied to subnets, which in turn are tied to the network that the VPC provides.
To identify our VPC ID, we can run the following command:
$ aws ec2 describe-vpcs
{
    "Vpcs": [
        {
            "VpcId": "vpc-4cddce2a",
            "InstanceTenancy": "default",
            "CidrBlockAssociationSet": [
                {
                    "AssociationId": "vpc-cidr-assoc-3c313154",
                    "CidrBlock": "172.31.0.0/16",
                    "CidrBlockState": {
                        "State": "associated"
                    }
                }
            ],
            "State": "available",
            "DhcpOptionsId": "dopt-c0be5fa6",
            "CidrBlock": "172.31.0.0/16",
            "IsDefault": true
        }
    ]
}
- Now that we know the VPC ID (yours will be different), we can create our new security group, as follows:
$ aws ec2 create-security-group \
    --group-name HelloWorld \
    --description "Hello World Demo" \
    --vpc-id vpc-4cddce2a
{
    "GroupId": "sg-01864b4c"
}
- By default, security groups allow all outbound traffic from the instance. We just need to open up SSH (tcp/22) and tcp/3000 for inbound traffic. We then need to input the following:
$ aws ec2 authorize-security-group-ingress \
    --group-name HelloWorld \
    --protocol tcp \
    --port 22 \
    --cidr 0.0.0.0/0
$ aws ec2 authorize-security-group-ingress \
    --group-name HelloWorld \
    --protocol tcp \
    --port 3000 \
    --cidr 0.0.0.0/0
- We can now verify the change made using the following code, as the previous commands aren't verbose:
$ aws ec2 describe-security-groups \
    --group-names HelloWorld \
    --output text
SECURITYGROUPS  Hello World Demo  sg-01864b4c  HelloWorld  094507990803  vpc-4cddce2a
IPPERMISSIONS   22      tcp     22
IPRANGES        0.0.0.0/0
IPPERMISSIONS   3000    tcp     3000
IPRANGES        0.0.0.0/0
IPPERMISSIONSEGRESS     -1
IPRANGES        0.0.0.0/0
As expected, we opened up the traffic to the proper ports. If you know how to find your public IP, you can improve the SSH rule by replacing 0.0.0.0/0 with your IP/32 so that only you can try to SSH into that EC2 instance.
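A small audit helper for the caveat above, added here and not part of the book: it reads the text output of describe-security-groups from stdin and reports any ingress rule that still leaves tcp/22 open to 0.0.0.0/0, ignoring the egress section. The sample output is constructed to mirror the one shown in the chapter, and 203.0.113.10/32 is a placeholder for "your IP/32".

```shell
#!/bin/sh
# Audit `aws ec2 describe-security-groups --output text` for world-open SSH.
# Prints one line per offending ingress rule; exit status 0 means at least
# one such rule was found (grep-like), 1 means none.
find_world_open_ssh() {
  awk '
    # Ingress rule header: "IPPERMISSIONS <FromPort> <proto> <ToPort>",
    # or just "IPPERMISSIONS -1" when every protocol and port is allowed.
    $1 == "IPPERMISSIONS" {
      ingress = 1
      if ($2 == "-1") { proto = "-1"; from = 0; to = 65535 }
      else            { from = $2; proto = $3; to = $4 }
      next
    }
    # Everything after this header is egress; its IPRANGES lines are not SSH exposure.
    $1 == "IPPERMISSIONSEGRESS" { ingress = 0; next }
    $1 == "IPRANGES" && ingress && $2 == "0.0.0.0/0" {
      if ((proto == "tcp" || proto == "-1") && from + 0 <= 22 && to + 0 >= 22) {
        print "world-open SSH: proto=" proto " ports=" from "-" to " cidr=" $2
        hits++
      }
    }
    END { exit (hits > 0 ? 0 : 1) }
  '
}

# Constructed sample matching the chapter output (tabs rendered as spaces).
sample_open() {
  printf '%s\n' \
    'SECURITYGROUPS Hello World Demo sg-01864b4c HelloWorld 094507990803 vpc-4cddce2a' \
    'IPPERMISSIONS 22 tcp 22' \
    'IPRANGES 0.0.0.0/0' \
    'IPPERMISSIONS 3000 tcp 3000' \
    'IPRANGES 0.0.0.0/0' \
    'IPPERMISSIONSEGRESS -1' \
    'IPRANGES 0.0.0.0/0'
}

# Same group after the SSH rule is narrowed to one /32 (placeholder address).
sample_restricted() {
  sample_open | sed '3s#0.0.0.0/0#203.0.113.10/32#'
}

sample_open | find_world_open_ssh && echo "FAIL: SSH reachable from anywhere"
sample_restricted | find_world_open_ssh || echo "OK: no world-open SSH rule"
```

The port-3000 rule and the egress rule are deliberately left open to 0.0.0.0/0 in the sample so you can see that only the SSH rule is reported.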
By default, most of the commands will return a JSON output. AWS has a certain number of options globally available. You can see them used a bit in this chapter. The first option is --output [json | text | table]: