
I am hoping someone can give me some guidance on fwaasv2 and how it works with security groups when a firewall group is applied to a router port.

My initial expectation was that when applied to a router port, a security group would also need to be applied to an instance to permit the traffic; however, it seems like if there is a match for the traffic in the firewall group applied to the router port, that action is applied no matter the security group configuration of the instance. Basically, it is like the security group functionality is ignored if there is a firewall group rule match.

Do I have something misconfigured or do firewall groups essentially take precedence over security groups when they are in use?

  • Is there also a security group on the instance? If there is no security group on the instance, it will allow all traffic. – BakaKuna Sep 13 '20 at 11:19
  • There was a security group on the instance. The security group was essentially ignored and the rules of the firewall group were used. Therefore, if the firewall group was used to only deny specific ports and allow everything else, everything else was allowed even if the security group only permitted 3 ports. – dcapone2004 Oct 02 '20 at 19:01

0 Answers
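As an added example (not from the question or its comments), the following script models the two filters described above, an FWaaS v2 firewall group on the router port and a security group on the instance, and computes which probe ports should be reachable if both layers are enforced. The rule sets are constructed to mirror the comment thread, and the treatment of traffic unmatched by the firewall policy is an explicit assumption; comparing the output with a real port scan of the instance shows whether the security group is actually being bypassed.

```python
# Added example: model an FWaaS v2 firewall group (router port) and a
# security group (instance) and compute the expected defence-in-depth
# verdict per probe port, to compare against a real scan of the VM.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "any"
    port_min: int = 1
    port_max: int = 65535

    def matches(self, protocol, port):
        return self.protocol in ("any", protocol) and self.port_min <= port <= self.port_max

def fwaas_verdict(rules, protocol, port, unmatched="deny"):
    # FWaaS v2 policy: rules are ordered, first match wins; the fate of
    # traffic matching no rule is an assumption passed in explicitly.
    for r in rules:
        if r.matches(protocol, port):
            return r.action
    return unmatched

def sg_verdict(rules, protocol, port):
    # Security groups are allow-lists: any matching rule permits, else deny.
    return "allow" if any(r.matches(protocol, port) for r in rules) else "deny"

def effective_policy(fw_rules, sg_rules, probes):
    # {(proto, port): (fw, sg, expected)}; expected is the defence-in-depth
    # verdict, i.e. traffic passes only if BOTH layers allow it.
    out = {}
    for proto, port in probes:
        fw = fwaas_verdict(fw_rules, proto, port)
        sg = sg_verdict(sg_rules, proto, port)
        out[(proto, port)] = (fw, sg, "allow" if fw == sg == "allow" else "deny")
    return out

def sg_only_blocks(policy):
    # Ports admitted by the firewall group but not by the security group;
    # if a scan finds these open, the security group is being bypassed.
    return sorted(k for k, (fw, sg, _) in policy.items() if fw == "allow" and sg == "deny")

# Constructed rule sets mirroring the comment thread: the firewall group
# denies a couple of ports and allows the rest; the security group opens 3.
FW_RULES = [Rule("deny", "tcp", 23, 23), Rule("deny", "tcp", 445, 445), Rule("allow", "any")]
SG_RULES = [Rule("allow", "tcp", p, p) for p in (22, 80, 443)]
PROBES = [("tcp", p) for p in (22, 23, 80, 443, 445, 3306)]
```

Running `effective_policy(FW_RULES, SG_RULES, PROBES)` reports tcp/3306 as allowed by the firewall group but denied by the security group, so that port should be closed; finding it open confirms the behaviour the question describes.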