
How do I configure and manage Amazon VPC security groups and network ACLs?


I want to configure and manage Amazon Virtual Private Cloud (Amazon VPC) security groups and network access control lists (network ACLs). I want to share VPCs with other AWS accounts, or manage multiple VPCs.

Resolution

Note: It's a best practice to use security groups (stateful, attached to network interfaces) for fine-grained access control and network ACLs (stateless, applied to subnets) for broader, subnet-level control.

Configure an Amazon VPC security group

When you configure security group rules, allow only the traffic that's required for your applications and services to function.

If required, you can use multiple security groups to separately manage different types of access rules. For example, attach separate security groups to a single elastic network interface for web traffic, database access, and monitoring tools, so that each set of rules can be changed and audited on its own.

Make sure that you configure rules based on your AWS service requirements. For example, for Amazon Elastic Compute Cloud (Amazon EC2) instances, allow SSH (TCP port 22) for Linux instances or RDP (TCP port 3389) for Windows instances. For Amazon Relational Database Service (Amazon RDS) instances, allow only the port of the database engine that you use.

Example inbound rules to connect to instances from your computer:

Protocol type | Protocol number | Port | Source IP address
TCP | 6 | 22 (SSH) | Your computer's IP address
TCP | 6 | 3389 (RDP) | Your computer's IP address

Example inbound rules to connect to a database server from your computer:

Protocol type | Protocol number | Port | Source IP address
TCP | 6 | 1433 (MS SQL) | Your computer's IP address
TCP | 6 | 3306 (MySQL/Amazon Aurora) | Your computer's IP address

Use a /32 for a single computer so that the rule matches only that address.

When you create your rules, you can also reference other security groups instead of individual private IP addresses or CIDR ranges. A rule that references a security group matches traffic from any network interface that's associated with the referenced group, so the rule stays correct as instances are added, replaced, or scaled.
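The following added example (not from this article) checks a security group for the mistake that the tables above guard against: admin or database ports reachable from 0.0.0.0/0 or ::/0. It also builds the least-privilege replacements, one from a single /32 and one that references another security group instead of a CIDR block. The input is constructed inline in the shape of an EC2 DescribeSecurityGroups response, and the group IDs are hypothetical.

```python
"""Audit inbound security group rules for admin and database ports that are
open to the world, and build least-privilege replacements.

Added example, not from the page. Input is constructed inline in the shape of
an EC2 DescribeSecurityGroups response; the group IDs are hypothetical.
"""
from typing import Dict, List, Optional, Tuple

ANY_V4 = "0.0.0.0/0"
ANY_V6 = "::/0"

# Ports the page's tables restrict to "your computer address"; names are for reporting.
SENSITIVE_PORTS = {22: "SSH", 3389: "RDP", 1433: "MS SQL", 3306: "MySQL/Aurora"}


def rule_covers_port(perm: Dict, port: int) -> bool:
    """True if an IpPermission entry matches TCP traffic to `port`.

    IpProtocol "-1" means all traffic and carries no FromPort/ToPort, so it
    covers every port; a non-TCP rule never matches a TCP port.
    """
    proto = perm["IpProtocol"]
    if proto == "-1":
        return True
    if proto not in ("tcp", "6"):
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def find_overexposed(sg: Dict) -> List[Tuple[int, str]]:
    """Return sorted (port, source) pairs where a sensitive port is reachable
    from 0.0.0.0/0 or ::/0. Port ranges and all-traffic rules are expanded."""
    findings = []
    for perm in sg["IpPermissions"]:
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for src in sources:
            if src not in (ANY_V4, ANY_V6):
                continue
            for port in SENSITIVE_PORTS:
                if rule_covers_port(perm, port):
                    findings.append((port, src))
    return sorted(findings)


def tcp_ingress(port: int, *, cidr: Optional[str] = None,
                source_sg: Optional[str] = None, description: str = "") -> Dict:
    """Build one IpPermission entry for a single TCP port, in the shape that
    AuthorizeSecurityGroupIngress accepts. The source is either a CIDR block
    or another security group (UserIdGroupPairs), never both."""
    if (cidr is None) == (source_sg is None):
        raise ValueError("specify exactly one of cidr or source_sg")
    perm: Dict = {"IpProtocol": "tcp", "FromPort": port, "ToPort": port}
    if cidr is not None:
        perm["IpRanges"] = [{"CidrIp": cidr, "Description": description}]
    else:
        perm["UserIdGroupPairs"] = [{"GroupId": source_sg, "Description": description}]
    return perm


# Constructed "before": SSH open to all IPv4, and an all-traffic rule open to all IPv6.
WEAK_SG = {
    "GroupId": "sg-0123456789abcdef0",  # hypothetical
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": ANY_V4}]},
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": ANY_V6}]},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": ANY_V4}]},
    ],
}

# Constructed "after": the admin port from one workstation only, the database
# port from the application tier's security group, and only HTTPS stays public.
HARDENED_SG = {
    "GroupId": "sg-0123456789abcdef0",  # hypothetical
    "IpPermissions": [
        tcp_ingress(22, cidr="203.0.113.10/32", description="admin workstation"),
        tcp_ingress(3306, source_sg="sg-0fedcba9876543210", description="app tier"),  # hypothetical
        tcp_ingress(443, cidr=ANY_V4, description="public HTTPS"),
    ],
}

if __name__ == "__main__":
    for name, sg in (("weak", WEAK_SG), ("hardened", HARDENED_SG)):
        for port, src in find_overexposed(sg):
            print(f"{name}: {SENSITIVE_PORTS[port]} ({port}) open to {src}")
```

The all-traffic rule (`IpProtocol` "-1") has no port range at all, which is why the check expands it rather than comparing `FromPort`; audits that only look for a literal port 22 rule miss it.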

Associate security groups with multiple VPCs

By default, you can associate a security group only with resources in the VPC where you created it. To use the same security group with resources in other VPCs in the same AWS Region and account, create a VPC association for the security group (the AssociateSecurityGroupVpc API) instead of maintaining a copy of the rules in each VPC.

Consolidate and manage network CIDR blocks with managed prefix lists

To consolidate multiple security group rules that have the same port and protocol but different CIDR blocks into a single rule, use a customer-managed prefix list. Create the prefix list, add the CIDR blocks as entries, and then reference the prefix list ID in the security group rule instead of each CIDR block. When you update the prefix list, the security group rules that reference it inherit the changes automatically, so you don't need to edit each rule.

Note: When you reference a prefix list, the quota for the number of rules on the resource counts the prefix list's maximum number of entries, not its current number of entries. For example, if a security group rule references a prefix list with a maximum of 20 entries, then that rule counts as 20 rules against the security group's quota, even if the list currently holds only a few entries. Set the maximum number of entries with the headroom that you need, but no higher.
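The following added example (not from this article) shows the consolidation and the quota arithmetic together: it groups CIDR rules that share a protocol and port range behind one prefix-list reference, then counts the result the way the rule quota does, charging each reference the list's maximum entries. The rules are constructed inline, and the prefix list IDs it assigns (pl-hyp-N) are hypothetical placeholders for the ID that CreateManagedPrefixList would return.

```python
"""Consolidate rules that share a protocol and port range into a prefix-list
reference, and count the result the way the security group rule quota does.

Added example, not from the page. Rules are constructed inline; the prefix
list IDs it assigns (pl-hyp-N) are hypothetical placeholders for the ID that
CreateManagedPrefixList would return.
"""
from collections import defaultdict
from typing import Dict, FrozenSet, List, Tuple

# (protocol, from_port, to_port, source); source is a CIDR block or a prefix list ID
Rule = Tuple[str, int, int, str]

DEFAULT_INBOUND_RULES_PER_SG = 60  # AWS default; adjustable per account


def consolidate(rules: List[Rule]) -> Tuple[List[Rule], Dict[str, List[str]]]:
    """Replace groups of CIDR rules with one prefix-list rule per port range.

    One prefix list is created per distinct *set* of sources, so a port never
    gains a source it did not already allow. Port ranges with a single source
    are left as plain CIDR rules; a one-entry prefix list buys nothing.
    """
    sources_by_ports: Dict[Tuple[str, int, int], set] = defaultdict(set)
    for proto, lo, hi, src in rules:
        sources_by_ports[(proto, lo, hi)].add(src)

    list_for_sources: Dict[FrozenSet[str], str] = {}
    prefix_lists: Dict[str, List[str]] = {}
    new_rules: List[Rule] = []
    for key in sorted(sources_by_ports):
        sources = frozenset(sources_by_ports[key])
        if len(sources) == 1:
            new_rules.append(key + (next(iter(sources)),))
            continue
        if sources not in list_for_sources:
            pl_id = f"pl-hyp-{len(prefix_lists)}"  # hypothetical ID
            list_for_sources[sources] = pl_id
            prefix_lists[pl_id] = sorted(sources)
        new_rules.append(key + (list_for_sources[sources],))
    return new_rules, prefix_lists


def quota_usage(rules: List[Rule], max_entries: Dict[str, int]) -> int:
    """Count rules as the quota does: a CIDR or security group source is 1 rule;
    a prefix list reference counts the list's MaxEntries, whatever it holds."""
    return sum(max_entries.get(src, 1) for _, _, _, src in rules)


def fits_quota(rules: List[Rule], max_entries: Dict[str, int],
               quota: int = DEFAULT_INBOUND_RULES_PER_SG) -> bool:
    """True if the rule set stays within the per-security-group rule quota."""
    return quota_usage(rules, max_entries) <= quota


# Constructed input: SSH and RDP from three office ranges, HTTPS from anywhere.
OFFICES = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24"]
RULES: List[Rule] = (
    [("tcp", 22, 22, c) for c in OFFICES]
    + [("tcp", 3389, 3389, c) for c in OFFICES]
    + [("tcp", 443, 443, "0.0.0.0/0")]
)

if __name__ == "__main__":
    new_rules, lists = consolidate(RULES)
    print("prefix lists:", lists)
    print("before:", quota_usage(RULES, {}), "rules")
    print("after, MaxEntries=3:", quota_usage(new_rules, {"pl-hyp-0": 3}))
    print("after, MaxEntries=20:", quota_usage(new_rules, {"pl-hyp-0": 20}))
```

Consolidation reduces the number of rules you maintain, not the quota you consume: seven CIDR rules become three rules, but with the prefix list's maximum set to 20 they count as 41 against the default quota of 60. Size the maximum for the growth you expect, and run the quota check before you create the list.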

Share security groups with Organizations

You can share VPCs across multiple accounts within your AWS Organizations organization. To share security groups with other accounts in your organization, use security group sharing through AWS Resource Access Manager (AWS RAM).

For example, the owner account can create security groups whose rules meet organization-wide security policies, and member accounts can then use those security groups for their resources in shared VPC subnets instead of writing their own.

Note: Member accounts can use shared security groups but can't modify the rules.

Configure network ACLs

When you configure network ACLs, use the following best practices:

  • Keep gaps between your network ACL rule numbers (for example, 100, 200, 300) so that you can insert future rules without renumbering the existing ones. Rules are evaluated in ascending order, and the first rule that matches the traffic applies, so a rule's number decides whether it takes effect.
  • Use separate network ACLs for subnets that hold different kinds of resources (for example, public and private subnets) so that each subnet's inbound and outbound rules match what runs in it.
  • Because network ACLs are stateless, explicitly allow the ephemeral port range (1024-65535) for return traffic: outbound, so that your resources can reply to inbound connections, and inbound, so that responses from AWS services and other endpoints that your resources connect to can come back.
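The following added example (not from this article) models the network ACL evaluation rules, ascending rule number, first match wins, implicit deny, on constructed packets. It shows that an HTTPS connection fails when the outbound ACL lacks an ephemeral-port rule even though port 443 is allowed inbound, and that a deny rule numbered after an allow for the same traffic never fires. The addresses and rule sets are made up.

```python
"""Stateless evaluation of a network ACL.

Added example, not from the page. It models the documented evaluation rules
(ascending rule number, first match wins, the '*' rule denies) on constructed
packets to show why return traffic needs an explicit ephemeral-port rule and
why the numbering of rules matters. Addresses and rule sets are made up.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

EPHEMERAL = (1024, 65535)  # port range AWS recommends allowing for return traffic


@dataclass(frozen=True)
class AclRule:
    number: int                       # evaluation order; lowest number first
    protocol: str                     # "tcp", "udp", "icmp", or "-1" for all
    ports: Optional[Tuple[int, int]]  # inclusive destination port range; None = all
    cidr: str                         # source CIDR (inbound) or destination CIDR (outbound)
    action: str                       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str  # endpoint outside the subnet: source if inbound, destination if outbound
    dst_port: int   # destination port of this packet


def evaluate(rules: List[AclRule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, rule number) of the first matching rule, or ("deny", None)
    for the implicit '*' rule. No state is consulted: each packet is judged alone."""
    addr = ip_address(pkt.remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != pkt.protocol:
            continue
        if rule.ports is not None and not (rule.ports[0] <= pkt.dst_port <= rule.ports[1]):
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", None


def inbound_connection_allowed(inbound: List[AclRule], outbound: List[AclRule],
                               request: Packet, client_port: int) -> bool:
    """A client connection succeeds only if the request passes the inbound ACL
    AND the response (to the client's ephemeral port) passes the outbound ACL."""
    response = Packet(request.protocol, request.remote_ip, client_port)
    return (evaluate(inbound, request)[0] == "allow"
            and evaluate(outbound, response)[0] == "allow")


# Constructed "weak" ACL: HTTPS allowed in and out, but nothing for return traffic.
WEAK_INBOUND = [AclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
WEAK_OUTBOUND = [AclRule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]

# Constructed "fixed" ACL: the same, plus ephemeral ports in each direction so
# responses to inbound connections (outbound) and to instance-initiated
# connections (inbound) can flow. Numbers step by 100 to leave room.
FIXED_INBOUND = WEAK_INBOUND + [AclRule(200, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]
FIXED_OUTBOUND = WEAK_OUTBOUND + [AclRule(200, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

# A deny for one noisy range. Where it is numbered decides whether it works:
# at 150 it sits behind the allow at 100 and never sees port 443 traffic; at 50
# it wins. The gap below 100 makes that insertion possible without renumbering.
DENY_LATE = AclRule(150, "-1", None, "198.51.100.0/24", "deny")
DENY_EARLY = AclRule(50, "-1", None, "198.51.100.0/24", "deny")

if __name__ == "__main__":
    req = Packet("tcp", "203.0.113.5", 443)
    print("weak  :", inbound_connection_allowed(WEAK_INBOUND, WEAK_OUTBOUND, req, 50000))
    print("fixed :", inbound_connection_allowed(FIXED_INBOUND, FIXED_OUTBOUND, req, 50000))
    bad = Packet("tcp", "198.51.100.7", 443)
    print("deny@150:", evaluate(FIXED_INBOUND + [DENY_LATE], bad))
    print("deny@50 :", evaluate(FIXED_INBOUND + [DENY_EARLY], bad))
```

The same asymmetry applies to connections that your instances initiate: with the weak ACL, a reply from an external API to the instance's ephemeral port is denied inbound by the implicit '*' rule, which is why the fixed ACL carries the ephemeral range in both directions.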

Tag resources

To help you identify the purpose and associated resources of your security groups and network ACLs, add a tag to them. Tags let you efficiently manage and organize your resources across different teams or projects. You can systematically filter and manage your resources for automation and maintenance.

Related information

Differences between network ACLs and security groups

Security group rules for different use cases

Amazon EC2 security group connection tracking

Simplify Amazon VPC security groups management with VPC associations and security groups sharing

AWS OFFICIAL | Updated 6 months ago