2

If I block traffic via a security group, I assume I don't have to pay for it.

But if I block traffic via iptables installed on my server then I assume it would be me that pays for any incoming traffic I blocked.

Are there things iptables can do that a security group cannot?

I am asking because I am looking into mitigating DDoS attacks on my web server. Thanks.

darkAsPitch · 1,931

2 Answers

4

One thing is for sure - if you use security groups, the filtered traffic never reaches your server, so it reduces the load the server needs to take to process firewall rules. This is important if you talk about DDoS.

Security groups seem to have only simple filtering rules, while with iptables you can do really fancy things. But do you need them? Personally I would filter as much as possible with security groups and then add a second stage on iptables if you need something more sophisticated than security groups allow. Nothing prevents you from setting the same filters on both - you would then be double protected ;-)

oker · 481
  • In addition, when you have several instances as part of a security group and then you make a change to that group's rules it instantly affects all those instances. With iptables, you would need to manually update the rules on each instance and hope you don't fat-finger something along the way. – daemonofchaos Oct 04 '12 at 19:30
  • I'd not use both. Using two products to accomplish the same thing is always a cluster fuck. It is NOT "layering". iptables (now nftables) is so much more useful and powerful than security groups. And nftables is templatable and easier than SG to automate. You can rate limit or block traffic on any sort of condition you can imagine with nftables; you can also do prioritization. I can't tell you I'd use nftables over security groups but I can tell you I'd want to. – figtrap Jan 30 '20 at 18:59
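As an added illustration of the layered approach recommended in this answer (this is example code written for this page, not code from the answer, from AWS, or from iptables), the Python model below runs constructed sample traffic through two stages: a security-group style allow-list that is evaluated before anything reaches the instance, followed by an iptables-style per-source connection limit on the host. The allow-list contents, the window and hit count, and the sample addresses are all assumptions; the `-m recent` rule in the comment is the kind of host rule being approximated, not a reimplementation of that module. The counters show why the first stage matters under DDoS: everything it drops never costs the host a rule evaluation.

```python
"""Model of a two-stage filter: a security group (allow-list, evaluated
before traffic reaches the instance) in front of an iptables-style
per-source connection limit on the host. The traffic is constructed."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    t: float      # arrival time in seconds
    src: str      # source address
    dport: int    # destination port
    proto: str = "tcp"


# Stage 1: security-group semantics. Only allow rules exist; anything that
# matches nothing is dropped before it consumes CPU on the instance.
# Equivalent inbound rules (assumed config): TCP 80 and TCP 443 from 0.0.0.0/0.
SG_ALLOW = {("tcp", 80), ("tcp", 443)}


def sg_permits(c: Conn) -> bool:
    return (c.proto, c.dport) in SG_ALLOW


class PerSourceLimiter:
    """Sliding-window limit per source, in the spirit of a host rule such as
    iptables -A INPUT -p tcp --dport 80 --syn -m recent --name web --update \
        --seconds 1 --hitcount 20 -j DROP
    (an approximation of that behaviour, not a port of the recent module)."""

    def __init__(self, window: float, hitcount: int):
        self.window = window
        self.hitcount = hitcount
        self.hits = defaultdict(list)   # src -> timestamps of recent attempts

    def allow(self, src: str, now: float) -> bool:
        recent = [h for h in self.hits[src] if h > now - self.window]
        recent.append(now)              # every attempt counts, accepted or not,
        self.hits[src] = recent         # so a flooding source stays limited
        return len(recent) <= self.hitcount


def run_pipeline(conns, limiter):
    """Return per-stage counters for a list of connection attempts."""
    stats = {"sg_dropped": 0, "host_evaluated": 0, "host_dropped": 0, "accepted": 0}
    for c in sorted(conns, key=lambda c: c.t):
        if not sg_permits(c):
            stats["sg_dropped"] += 1     # never reaches the instance
            continue
        stats["host_evaluated"] += 1     # the host has to run its rules
        if not limiter.allow(c.src, c.t):
            stats["host_dropped"] += 1
            continue
        stats["accepted"] += 1
    return stats


def sample_traffic():
    """Constructed traffic: one normal client, one SSH scanner, one HTTP flood.
    Addresses are from the documentation ranges (RFC 5737)."""
    legit = [Conn(float(i), "198.51.100.10", 443) for i in range(5)]
    scanner = [Conn(i / 50, "192.0.2.99", 22) for i in range(50)]
    flood = [Conn(i / 100, "203.0.113.7", 80) for i in range(100)]
    return legit + scanner + flood


if __name__ == "__main__":
    # expected: 50 dropped at the security group, 105 evaluated on the host,
    # 80 of the flood dropped by the per-source limit, 25 accepted
    print(run_pipeline(sample_traffic(), PerSourceLimiter(window=1.0, hitcount=20)))
```

The flood source gets its first 20 connections through and is then held at the host limit for as long as it keeps hammering, while the scanner's 50 probes to port 22 are stopped at the security group and never show up in the host's evaluation count at all. In practice the host stage is where you put whatever the security group cannot express (per-source limits, SYN-only matching, connection-state checks), and the security group stays the coarse allow-list in front of it.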
3

On Amazon EC2, you are not charged for incoming traffic. You are only charged for outgoing traffic. src: http://aws.amazon.com/ec2/pricing/#DataTransfer

One thing to know is that you cannot add a security group to, or remove one from, a running instance. You can, however, change the rules in the security group you used for that instance.

Bertrand88 · 131