Copyright (c) 2025 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

3.1.4. Basic Network Security (Security Groups for Apps)

First Principle: Security Groups (SGs) act as stateful virtual firewalls that control inbound and outbound network traffic to your application's compute resources, ensuring basic network isolation and security.

For developers deploying applications on EC2 instances or anywhere else inside a VPC, understanding Security Groups is fundamental for basic network security. A Security Group is attached to an Elastic Network Interface (ENI): an EC2 instance is protected by the groups attached to its ENIs, and the same mechanism protects other VPC-attached resources such as load balancers and RDS instances.

Key Characteristics of Security Groups (SGs):
  • Instance-Level: Applies to individual ENIs (and therefore to the instances they belong to), not to a whole subnet as a network ACL does. Several groups can be attached to one interface; their rules are combined.
  • Stateful: If you allow inbound traffic (e.g., HTTP on port 80), the return traffic for that connection is allowed automatically, regardless of the outbound rules; likewise, replies to an outbound connection you allow are accepted without an inbound rule.
  • Allow-Only: You define only allow rules; there are no deny rules, and anything not explicitly allowed is implicitly denied (use a network ACL when you need an explicit deny). Note that a newly created group has no inbound rules but one outbound rule allowing all traffic, so restricting outbound traffic means removing that rule.
  • Rules: Define inbound and outbound rules based on protocol (TCP, UDP, ICMP, or all), port range, and a source/destination that is an IPv4 or IPv6 CIDR, a prefix list, or another Security Group (including the group itself). Referencing a group rather than an address keeps rules correct as instances are replaced and their IPs change.
  • Least Privilege: Best practice is to open only the ports and protocols your application needs, and only from the sources that need them; in particular, never expose administrative ports such as SSH (22) or RDP (3389) to 0.0.0.0/0.

Scenario: You're deploying a web application on EC2 instances in a public subnet. You need to ensure that only web traffic (HTTP on port 80 and HTTPS on port 443) from the internet can reach your web servers, and that your web servers can only initiate outbound connections to your backend application servers (replies to the clients' HTTP requests are carried by the stateful tracking, not by outbound rules).

Reflection Question: How would you configure Security Groups (SGs) for your web servers and application servers to control inbound and outbound network traffic, ensuring basic network isolation and security for your application's compute resources?
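One configuration that satisfies the scenario, as an added worked example (this is not code from the course page or from AWS). It makes no API calls: the rules are written in the IpPermissions shape the EC2 API uses, a small evaluator applies Security Group semantics to a new connection (allow-only, stateful, checked at the initiator's egress and the receiver's ingress), and the equivalent aws CLI calls are rendered as strings. The group IDs sg-0web and sg-0app, the app-tier port 8080 and the client address 203.0.113.10 are assumed values.

```python
"""Two-tier Security Group design for a web tier in front of an app tier.

Added example, not part of the original course page and not AWS code.
Group IDs, the app port and the client address below are assumptions.
"""
import ipaddress

WEB_SG, APP_SG = "sg-0web", "sg-0app"   # assumed IDs of groups created earlier
APP_PORT = 8080                         # assumed listener on the app tier

RULES = {
    WEB_SG: {
        # Inbound: only HTTP/HTTPS, from anywhere.
        "ingress": [
            {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
        # Outbound: only the app tier (referenced by group, not by IP), only on
        # APP_PORT.  The allow-all egress rule AWS puts on every new group must
        # be revoked or this restriction has no effect.
        "egress": [
            {"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
             "UserIdGroupPairs": [{"GroupId": APP_SG}]},
        ],
    },
    APP_SG: {
        # Inbound: only from members of the web group, only on APP_PORT.
        "ingress": [
            {"IpProtocol": "tcp", "FromPort": APP_PORT, "ToPort": APP_PORT,
             "UserIdGroupPairs": [{"GroupId": WEB_SG}]},
        ],
        "egress": [],   # nothing listed, so the app tier cannot initiate anything
    },
}


def _peer_matches(rule, peer):
    """peer is a group ID (an ENI in that group) or an IP address outside the VPC."""
    if peer.startswith("sg-"):
        return any(p["GroupId"] == peer for p in rule.get("UserIdGroupPairs", []))
    addr = ipaddress.ip_address(peer)
    return any(addr in ipaddress.ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


def _rule_matches(rule, proto, port, peer):
    proto_ok = rule["IpProtocol"] in ("-1", proto)          # -1 means all protocols
    port_ok = rule["IpProtocol"] == "-1" or rule["FromPort"] <= port <= rule["ToPort"]
    return proto_ok and port_ok and _peer_matches(rule, peer)


def allowed(group, direction, proto, port, peer):
    """Allow-only: traffic passes only if some rule in that direction matches."""
    return any(_rule_matches(r, proto, port, peer) for r in RULES[group][direction])


def connection_allowed(src, dst, proto, port):
    """Decide whether a NEW connection from src to dst:port is permitted.

    src and dst are group IDs for ENIs inside the VPC or plain IPs for hosts
    outside it.  Only the first packet is evaluated: the initiator's egress
    rules and the receiver's ingress rules.  Reply packets ride on connection
    state, so nothing has to be allowed in the reverse direction.
    """
    if src.startswith("sg-") and not allowed(src, "egress", proto, port, dst):
        return False
    if dst.startswith("sg-") and not allowed(dst, "ingress", proto, port, src):
        return False
    return True


def _shorthand(rule):
    """Render one rule in the aws CLI --ip-permissions shorthand syntax."""
    parts = [f"IpProtocol={rule['IpProtocol']}"]
    if "FromPort" in rule:
        parts += [f"FromPort={rule['FromPort']}", f"ToPort={rule['ToPort']}"]
    if rule.get("IpRanges"):
        parts.append("IpRanges=[" + ",".join(f"{{CidrIp={r['CidrIp']}}}" for r in rule["IpRanges"]) + "]")
    if rule.get("UserIdGroupPairs"):
        parts.append("UserIdGroupPairs=[" + ",".join(f"{{GroupId={p['GroupId']}}}" for p in rule["UserIdGroupPairs"]) + "]")
    return "'" + ",".join(parts) + "'"


def cli_commands():
    """Return the aws CLI calls that would apply RULES (strings only; nothing is executed)."""
    default_egress = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
    cmds = []
    for gid, directions in RULES.items():
        # Drop the allow-all egress rule every new group starts with.
        cmds.append(f"aws ec2 revoke-security-group-egress --group-id {gid} "
                    f"--ip-permissions {_shorthand(default_egress)}")
        for direction, rules in directions.items():
            for rule in rules:
                cmds.append(f"aws ec2 authorize-security-group-{direction} --group-id {gid} "
                            f"--ip-permissions {_shorthand(rule)}")
    return cmds


if __name__ == "__main__":
    client = "203.0.113.10"   # constructed internet client (TEST-NET-3)
    for src, dst, port in [(client, WEB_SG, 443), (client, WEB_SG, 22),
                           (WEB_SG, APP_SG, APP_PORT), (WEB_SG, client, 443),
                           (client, APP_SG, APP_PORT), (APP_SG, WEB_SG, APP_PORT)]:
        verdict = "ALLOW" if connection_allowed(src, dst, "tcp", port) else "DENY"
        print(f"{src:>14} -> {dst:>14}:{port}/tcp  {verdict}")
    print("\n".join(cli_commands()))
```

Running the script shows the two properties the scenario depends on: the client's HTTPS request is allowed by the web group's inbound rule alone (the web server's reply needs no outbound rule, because the connection is stateful), while a connection the web server itself initiates to the same client on 443 is denied, because its only outbound rule points at the app group. The app tier is reachable only from members of sg-0web, so it cannot be hit from the internet even though its port is open to the web group. The rendered CLI begins with revoke-security-group-egress for each group; without that step the default allow-all outbound rule would silently keep every egress path open.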