
Suppose I have two EC2 instances on AWS, ec2_A and ec2_B. I have two security groups attached to them, sg_A and sg_B respectively. Now suppose I have added an inbound rule on sg_B that allows sg_A to access the TCP protocol on port 3456 on ec2_B. But when the handshake happens:

ec2_A:5547 -> ec2_B:3456 (this is allowed as I have allowed sg_A on sg_B, right?)

In return, when ec2_B sends the response to ec2_A on port 5547, will it accept the response, as I have not opened port 5547 in sg_A for ec2_A? If yes, then HOW and "WHY SPECIALLY"?

1 Answer


Yes, it will accept the response. The reason is that security groups are stateful. The security group knows that this is a response to a request it has made, therefore it is allowed regardless of the inbound rules.

More information on how this is achieved can be found in the official docs here: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking

The Observer
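To make the stateful behaviour concrete, here is an added toy model of how a security group with connection tracking evaluates the two packets from the question. It is example code written for this answer, not AWS code and not an exact model of the EC2 data plane: the host names, the `StatefulFilter` class, the `Rule` and `Packet` types and the port numbers are constructed, and rules reference only a source security group (real rules can also use CIDRs and prefix lists).

```python
"""Toy model of stateful security-group evaluation (constructed example).

Two instances, ec2_A in sg_A and ec2_B in sg_B. sg_B has exactly one inbound
rule: TCP/3456 from source group sg_A. Neither group has an inbound rule for
the client's ephemeral port 5547, yet the reply is allowed because the
request created a connection-tracking entry.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    proto: str
    port: int
    source_sg: str  # security group referenced as the traffic source


@dataclass
class SecurityGroup:
    name: str
    inbound: list = field(default_factory=list)
    # The AWS default outbound rule allows all traffic; modelled as a flag.
    outbound_allow_all: bool = True


@dataclass(frozen=True)
class Packet:
    src_host: str
    src_port: int
    dst_host: str
    dst_port: int
    proto: str = "tcp"


class StatefulFilter:
    """Evaluates packets against rules plus a connection-tracking table."""

    def __init__(self, host_sg):
        self.host_sg = host_sg      # host name -> SecurityGroup
        self.conntrack = set()      # tracked flows as 5-tuples

    @staticmethod
    def _flow(p):
        return (p.src_host, p.src_port, p.dst_host, p.dst_port, p.proto)

    @staticmethod
    def _reverse(p):
        return (p.dst_host, p.dst_port, p.src_host, p.src_port, p.proto)

    def evaluate(self, p):
        """Return (allowed, reason) for packet p and update the tracking table."""
        # 1. A reply to a tracked flow is allowed regardless of inbound rules.
        if self._reverse(p) in self.conntrack:
            return True, "reply to tracked connection"
        # 2. A new flow must pass the sender's outbound rules...
        sender_sg = self.host_sg[p.src_host]
        if not sender_sg.outbound_allow_all:
            return False, f"outbound denied by {sender_sg.name}"
        # 3. ...and match an inbound rule of the receiver (proto, port, source group).
        receiver_sg = self.host_sg[p.dst_host]
        for r in receiver_sg.inbound:
            if (r.proto, r.port, r.source_sg) == (p.proto, p.dst_port, sender_sg.name):
                self.conntrack.add(self._flow(p))   # remember the flow for replies
                return True, f"inbound rule in {receiver_sg.name} matched; flow tracked"
        return False, f"no inbound rule in {receiver_sg.name} for {p.proto}/{p.dst_port}"


def build_scenario():
    sg_a = SecurityGroup("sg_A")                                  # no inbound rules at all
    sg_b = SecurityGroup("sg_B", inbound=[Rule("tcp", 3456, "sg_A")])
    return StatefulFilter({"ec2_A": sg_a, "ec2_B": sg_b})


def run_handshake():
    """Request from ec2_A, then the reply from ec2_B: both should be allowed."""
    f = build_scenario()
    request = Packet("ec2_A", 5547, "ec2_B", 3456)
    response = Packet("ec2_B", 3456, "ec2_A", 5547)
    return f.evaluate(request), f.evaluate(response)


def run_unsolicited():
    """The same 'response' packet with no prior request: denied by sg_A."""
    f = build_scenario()
    return build_scenario().evaluate(Packet("ec2_B", 3456, "ec2_A", 5547)) if f else None


if __name__ == "__main__":
    for verdict in run_handshake():
        print(verdict)
    print(run_unsolicited())
```

The third case is the check a practitioner wants: the packet ec2_B:3456 -> ec2_A:5547 is only allowed when it reverses a tracked flow, so the missing inbound rule on sg_A does not let ec2_B initiate connections to ec2_A. The model simplifies one point the linked docs cover: AWS does not track flows that are already permitted in both directions by broad allow rules, so for those the "reply" path never comes into play.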