When I set an inbound rule in a security group for an AWS EC2 instance like this:

[screenshot of the inbound rule]

So the source type says that only traffic from my computer is to be allowed, and only port 8080 on the EC2 instance is to be made accessible.

What does the 'Type' field here mean when I set it to 'Custom TCP'? I see other values for this field, like HTTP, HTTPS, NFS, RDS, Postgres, SSH etc., which basically define the protocol type (if I am not wrong). What does Custom TCP define?

Mandroid

1 Answer


Custom TCP just means you can manually type in a port number to open in the AWS firewall. Use this when you need to open a port that doesn't correspond to a commonly used service. For example, ssh typically uses TCP port 22, and ssh is a program/protocol most AWS system administrators will use, so there is a dropdown option for ssh as a convenience that automatically enters TCP as the protocol and 22 as the port to open for data to flow to your EC2 instance.

You could alternatively select "Custom TCP (port)" and manually enter 22, but then you might give it a name in one security group like "Forward 22 for SSH" and in another security group "open ssh"... Using the dropdown's SSH option provides consistency/readability in your security group rules.

IANA maintains a port number registry for common ports, but this list is much larger than AWS is likely to use for their dropdown menu. The options AWS presents are just enough to provide convenience for the most commonly used protocols when you're setting up forwarding rules.

par
  • I can understand the gist of your answer, but I need a bit more clarity. So suppose I want to expose SSH but on a port different from 22; then I would select 'Custom TCP' and provide the port manually? – Mandroid Jan 14 '23 at 10:16
  • Exactly. Or you might run a web server and want it to respond to HTTP on port 7771 (no idea why, but assume you need to do that for some reason); then you'd set up a Custom TCP 7771 rule and name it something like "custom web server." – par Jan 14 '23 at 10:19
  • The AWS security group rule won't monitor what type of traffic you run on the port; it just looks at protocol packets, and if it matches what you've set up (e.g. TCP or UDP as the protocol and the port number as the inbound destination port) it will forward the packet to your instance. – par Jan 14 '23 at 10:20
  • Ah ok, got it now. So basically when I select 'Custom TCP', the SG won't bother about the exact type like ssh, http, https etc., just that its protocol is TCP. And it means that on that port I can now send http, ssh, https etc. – Mandroid Jan 14 '23 at 10:24
  • Yes, and selecting one of the common ports that they have a menu option for (such as SSH for port 22) doesn't prevent someone from the outside from sending, for example, HTTP to your port 22. Once you open a port you'll get all traffic to it on the selected protocol (TCP or UDP). It's the responsibility of the program running on your instance that is listening on the open port to reject requests it doesn't understand (e.g. an SSH server would reject HTTP requests). – par Jan 14 '23 at 10:27