How Do I Configure an AWS EC2 Security Group?

Introduction

When deploying applications on AWS EC2 instances, managing network access is crucial for both security and functionality. AWS EC2 Security Groups serve as virtual firewalls, controlling inbound and outbound traffic to your instances. A security group holds allow rules only: traffic that matches a rule's protocol, port range and source or destination range (IP address or CIDR block) is permitted, and anything not matched by a rule is dropped. This guide demonstrates how to set up a basic AWS EC2 Security Group using Pulumi to allow HTTP and SSH access while permitting all outbound traffic.

Code Explanation

Here’s an example where we create a security group that allows HTTP and SSH access from the outside world (0.0.0.0/0) and allows all outbound traffic.

import * as pulumi from "@pulumi/pulumi";
import * as aws from "@pulumi/aws";

// Security group placed in the target VPC; vpc-12345678 is a placeholder for your VPC ID.
const webSg = new aws.ec2.SecurityGroup("web_sg", {
    name: "web_sg",
    description: "Security group for web servers",
    vpcId: "vpc-12345678",
    // Inbound rules: anything not matched by one of these is dropped.
    ingress: [
        {
            description: "Allow HTTP traffic",
            fromPort: 80,
            toPort: 80,
            protocol: "tcp",
            cidrBlocks: ["0.0.0.0/0"],
        },
        {
            description: "Allow SSH traffic",
            fromPort: 22,
            toPort: 22,
            protocol: "tcp",
            cidrBlocks: ["0.0.0.0/0"],
        },
    ],
    // Outbound rule: protocol "-1" with ports 0-0 means every protocol and port.
    egress: [{
        description: "Allow all outbound traffic",
        fromPort: 0,
        toPort: 0,
        protocol: "-1",
        cidrBlocks: ["0.0.0.0/0"],
    }],
    tags: {
        Name: "web_sg",
    },
});
// Stack output so other programs or stacks can attach instances to this group.
export const securityGroupId = webSg.id;

Step-by-Step Explanation

  1. Importing Modules: The script begins by importing the Pulumi SDK (@pulumi/pulumi) and the Pulumi AWS provider package (@pulumi/aws), which supply the classes used to define and manage AWS resources.
  2. Creating a Security Group:
    • The aws.ec2.SecurityGroup constructor creates a new security group named web_sg.
    • The security group is attached to a specific VPC, identified by vpcId: "vpc-12345678" (a placeholder to replace with your own VPC ID).
  3. Defining Ingress Rules:
    • Two ingress rules allow incoming traffic:
      • HTTP Traffic: Allows TCP traffic on port 80 from any IP address (0.0.0.0/0).
      • SSH Traffic: Allows TCP traffic on port 22 from any IP address (0.0.0.0/0).
  4. Defining Egress Rule:
    • An egress rule allows all outbound traffic, regardless of protocol or port (protocol "-1" with fromPort and toPort set to 0), to any IP address.
  5. Tagging the Security Group:
    • A tag with key Name and value web_sg is applied to the security group for easy identification.
  6. Exporting Security Group ID:
    • The security group ID is exported as a stack output so that other parts of the infrastructure (for example, an EC2 instance launched later) can reference it.
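Before running pulumi up, a practitioner normally checks a rule set like the one above for sources that are wider than intended, the SSH rule from 0.0.0.0/0 being the usual finding. The following is an added example, not the page's code and not Pulumi's API: a plain TypeScript pre-deploy check over objects shaped like the ingress entries of aws.ec2.SecurityGroup. It flags malformed CIDRs, all-protocol rules open to the internet, and management ports (SSH, RDP, MySQL, PostgreSQL) reachable from 0.0.0.0/0 or ::/0, and it includes a helper that rewrites a port's rules to a named admin range. The interfaces, function names, the admin-port list and the 203.0.113.0/24 range are this example's own assumptions; it needs no Pulumi packages to run.

```typescript
// Added example (not from the page or Pulumi): a pre-deploy lint over ingress
// rules shaped like the `ingress` entries of aws.ec2.SecurityGroup. The types,
// the finding format and the helper names are this example's own assumptions.

export interface IngressRule {
    description?: string;
    fromPort: number;
    toPort: number;
    protocol: string;          // "tcp", "udp", "icmp" or "-1" for all protocols
    cidrBlocks?: string[];
    ipv6CidrBlocks?: string[];
}

export interface Finding {
    rule: string;
    severity: "high" | "medium";
    message: string;
}

// Source ranges that mean "the whole internet".
const ANYWHERE = new Set(["0.0.0.0/0", "::/0"]);

// Management ports that should only be reachable from known admin ranges (assumed list).
const ADMIN_PORTS: Record<number, string> = { 22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL" };

// Syntax check only: dotted-quad IPv4 with /0-32, or a colon-form IPv6 with /0-128.
export function isValidCidr(cidr: string): boolean {
    const parts = cidr.split("/");
    if (parts.length !== 2) return false;
    const [addr, prefixText] = parts;
    if (!/^\d+$/.test(prefixText)) return false;
    const prefix = Number(prefixText);
    if (addr.includes(":")) {
        return /^[0-9a-fA-F:]+$/.test(addr) && prefix <= 128;
    }
    const octets = addr.split(".");
    return octets.length === 4
        && octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255)
        && prefix <= 32;
}

// True when the rule admits traffic on `port` (protocol "-1" admits everything).
function covers(rule: IngressRule, port: number): boolean {
    return rule.protocol === "-1" || (rule.fromPort <= port && port <= rule.toPort);
}

function ruleName(rule: IngressRule): string {
    return rule.description ?? `${rule.protocol} ${rule.fromPort}-${rule.toPort}`;
}

// Flags malformed CIDRs, all-protocol rules open to the internet, and admin
// ports open to the internet. Returns an empty list when nothing is flagged.
export function checkIngress(rules: IngressRule[]): Finding[] {
    const findings: Finding[] = [];
    for (const rule of rules) {
        const name = ruleName(rule);
        const sources = [...(rule.cidrBlocks ?? []), ...(rule.ipv6CidrBlocks ?? [])];
        for (const cidr of sources) {
            if (!isValidCidr(cidr)) {
                findings.push({ rule: name, severity: "medium", message: `malformed CIDR ${cidr}` });
                continue;
            }
            if (!ANYWHERE.has(cidr)) continue;
            if (rule.protocol === "-1") {
                findings.push({ rule: name, severity: "high", message: `all protocols and ports open to ${cidr}` });
                continue;
            }
            for (const [portText, service] of Object.entries(ADMIN_PORTS)) {
                const port = Number(portText);
                if (covers(rule, port)) {
                    findings.push({ rule: name, severity: "high", message: `${service} (port ${port}) open to ${cidr}` });
                }
            }
        }
    }
    return findings;
}

// Returns a copy of `rules` in which every single-protocol rule covering `port`
// accepts traffic only from `adminCidrs` (IPv4); all-protocol rules and rules
// for other ports are returned unchanged.
export function restrictPortTo(rules: IngressRule[], port: number, adminCidrs: string[]): IngressRule[] {
    return rules.map(rule =>
        covers(rule, port) && rule.protocol !== "-1"
            ? { ...rule, cidrBlocks: [...adminCidrs], ipv6CidrBlocks: [] }
            : rule);
}

// Constructed sample: the two ingress rules from the page's web_sg.
export const pageIngress: IngressRule[] = [
    { description: "Allow HTTP traffic", fromPort: 80, toPort: 80, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] },
    { description: "Allow SSH traffic", fromPort: 22, toPort: 22, protocol: "tcp", cidrBlocks: ["0.0.0.0/0"] },
];

// 203.0.113.0/24 is a documentation range standing in for an admin VPN egress address.
export const hardenedIngress = restrictPortTo(pageIngress, 22, ["203.0.113.0/24"]);
```

checkIngress(pageIngress) returns one high finding, for the SSH rule, while checkIngress(hardenedIngress) returns none; the HTTP rule stays open to 0.0.0.0/0 because port 80 is meant to be public. Because the objects have the same shape as the ingress argument, the hardened list can be passed straight into the SecurityGroup constructor, and the check can run in CI on the program's rule data before deployment.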

Key Points

  • Security Groups as Firewalls: They control both inbound and outbound traffic at the instance level.
  • Ingress and Egress Rules: Ingress rules specify allowed incoming traffic, while egress rules control outgoing traffic.
  • Flexibility and Control: Security groups offer flexibility in specifying traffic rules based on IP addresses, protocols, and ports.

Conclusion

In this setup, the aws.ec2.SecurityGroup resource (the aws_security_group resource of the underlying AWS provider) is used to create a new security group named “web_sg” inside the specified VPC. We define two ingress rules to allow HTTP (port 80) and SSH (port 22) traffic from any IP address. An egress rule is configured to allow all outbound traffic. Finally, we output the security group ID for reference. This configuration makes your EC2 instances reachable for web and SSH traffic while leaving outbound communication open.

Deploy this code

Want to deploy this code? Sign up for a free Pulumi account to deploy in a few clicks.

Sign up