Create Security Group

VPC Security Group

A Security Group is a set of rules that control inbound and outbound network traffic for instances in an Amazon VPC. It acts as a virtual firewall, managing and protecting resources.

Key Features of Security Group

  • Allow Rules Only: Does not support deny rules.
  • Traffic Segmentation: Separate rules for inbound and outbound traffic.
  • No Default Inbound Rules: Must add inbound rules to allow access.
  • Default Outbound Rule: Allows all outbound traffic, which can be modified.
  • Stateful: If inbound traffic is allowed, outbound responses are automatically permitted.
  • Instance Connectivity: Traffic reaches or leaves an instance only if a rule allows it.
  • Linked to Network Interface: A security group is attached to a network interface, so you can change an instance's security groups after it is created.

Create VPC Security Groups

Next, we will create two Security Groups (SGs): one for the public subnet (EC2) and one for the private subnet (DocumentDB).

2.1. Create Public Security Group (SG Public - EC2)

  • Go to Security groups and select Create security group
  • In the Create Security Group interface, provide the following details for public-sg-ec2:
  • Security group name: public-sg-ec2
  • Description: Public Security Group for EC2
  • VPC: Select your existing VPC
  • Add the following Inbound Rules for public-sg-ec2
    Protocol    Port Range  Source                 Description
    HTTP        80          0.0.0.0/0              Allow website access
    HTTPS       443         0.0.0.0/0              Enable SSL/TLS
    SSH         22          0.0.0.0/0              SSH access to EC2
    Custom TCP  3000        0.0.0.0/0              Run Next.js in dev mode
    Custom TCP  27017       SG-Private-DocumentDB  Allow EC2 to connect to DocumentDB

❗❗ Add the inbound rule for port 27017 later (step 2.3): its source is private-sg-documentdb, which does not exist yet. Note also that SSH (port 22) with source 0.0.0.0/0 is reachable from the entire Internet; restrict the source to your own address where you can.

  • Allow all Outbound traffic and select Create security group

2.2. Create Private Security Group (SG Private - DocumentDB)

  • In the Create Security Group interface, provide the following details for private-sg-documentdb:
  • Security group name: private-sg-documentdb
  • Description: Private Security Group for DocumentDB
  • VPC: Select your existing VPC
  • Add the following Inbound Rule for private-sg-documentdb
    Protocol    Port Range  Source         Description
    Custom TCP  27017       SG-Public-EC2  Only EC2 can access DocumentDB

  • Allow all Outbound traffic and select Create security group

2.3. Add Inbound Rule for Port 27017 to public-sg-ec2

  • In the Security Groups interface, select public-sg-ec2

  • Then, select Edit inbound rules to add an inbound rule

  • Add the inbound rule (Custom TCP, port 27017, source private-sg-documentdb) and select Save rules
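Steps 2.1 to 2.3 expressed as Terraform, as an added example (not the workshop's own code). It assumes a var.vpc_id for the existing VPC and a var.admin_cidr for the SSH source, and keeps the SG-to-SG rules as standalone resources so the two groups can reference each other without a dependency cycle.

```hcl
# Added example (not the workshop's own code): steps 2.1 to 2.3 as Terraform.
# Assumed inputs: var.vpc_id is your VPC; var.admin_cidr replaces the 0.0.0.0/0 the workshop uses for SSH.
variable "vpc_id"     { type = string }
variable "admin_cidr" { type = string } # e.g. "203.0.113.10/32" (assumed)

resource "aws_security_group" "sg" {
  for_each    = { "public-sg-ec2" = "Public Security Group for EC2", "private-sg-documentdb" = "Private Security Group for DocumentDB" }
  name        = each.key
  description = each.value
  vpc_id      = var.vpc_id
}
locals {
  ec2   = aws_security_group.sg["public-sg-ec2"].id
  docdb = aws_security_group.sg["private-sg-documentdb"].id
}

# Step 2.1 inbound table, port => [source, description]; all TCP.
resource "aws_vpc_security_group_ingress_rule" "public" {
  for_each = {
    "80"   = ["0.0.0.0/0", "Allow website access"]
    "443"  = ["0.0.0.0/0", "Enable SSL/TLS"]
    "22"   = [var.admin_cidr, "SSH access to EC2"]
    "3000" = ["0.0.0.0/0", "Run Next.js in dev mode"]
  }
  security_group_id = local.ec2
  cidr_ipv4         = each.value[0]
  from_port         = tonumber(each.key)
  to_port           = tonumber(each.key)
  ip_protocol       = "tcp"
  description       = each.value[1]
}
# Allow all outbound on both groups (Terraform removes AWS's default egress rule).
resource "aws_vpc_security_group_egress_rule" "all_out" {
  for_each          = aws_security_group.sg
  security_group_id = each.value.id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "-1"
}
# Steps 2.2 and 2.3: the SG-to-SG rules as [attach to, source group, description]. Each references
# the other group, which is why the workshop adds the public-sg-ec2 rule last; the group is stateful,
# so EC2-initiated connections to DocumentDB already work with only the private-side rule.
resource "aws_vpc_security_group_ingress_rule" "docdb" {
  for_each = {
    private = [local.docdb, local.ec2, "Only EC2 can access DocumentDB"]
    public  = [local.ec2, local.docdb, "Allow EC2 to connect to DocumentDB"]
  }
  security_group_id            = each.value[0]
  referenced_security_group_id = each.value[1]
  from_port                    = 27017
  to_port                      = 27017
  ip_protocol                  = "tcp"
  description                  = each.value[2]
}
```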