-1

As we know security groups are statefull in AWS Cloud. while launching ec2 instances when we allow inbound rules for specific port it must allow that specific traffic at outbound instead it will allowing all tarffic why is this so?

launched ec2 instance in inbound I allowed ssh at port 22 and http at port 80 https at port 443 in outbound it automatically allowed all traffic instead of these three protocol

Amit Kulkarni
  • 1
  • Outbound traffic is for your instance to reach internet. If your instance does not anything from outside your can remove outbound rule. Inbound traffic rule still works, and you don’t need to explicitly allow port 22,88,443 return traffic will automatically be allowed by SG behavior. – Mehmet Güngören Dec 31 '22 at 17:49

2 Answers2

0

A security group controls the traffic that is allowed to reach and leave your EC2 instance. Did you use default SG? By default, SG Allows all outbound IPv4 and IPv6 traffic.

So if you need, you could manually deny all outbound traffic and allow only 80 443 and 22 ports.

enter image description here

Myrkytyn
  • 81
  • 8
0

A few points:

  • As you said, security groups are stateful. If a SG rule allows a request to reach an instance, then the response can go out.
  • Outbound rules are for traffic originating from your instance. It controls what IPs the instances within the SG can talk to. They don't apply to responses for incoming requests.
  • The predefined rules in the web console are just there for your convenience, using the commonly used ports for HTTP/HTTPS/SSH and so on. The actual rules that apply are for TCP traffic on these specific ports.
chamal
  • 858
  • 6
  • 13