AWS VPC Security Groups Rules

AWS security groups are collections of rules that govern inbound and outbound network traffic to all AWS EC2 instances, and other entities, associated with the security group. Similar to the Amazon Web Services (AWS) console, Security Cloud Control displays each rule individually.

If your SDC has Internet access, you can create and manage AWS Virtual Private Cloud (VPC) rules for these environments:

  • A security group allowing traffic to or from another security group within the same AWS VPC.

  • A security group allowing traffic to or from an IPv4 or IPv6 address.

When creating a rule in Security Cloud Control that contains an AWS security group, keep these limitations in mind:

  • For a rule allowing inbound traffic, the source can be one or more security group objects in the same AWS VPC, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Inbound rules can have only one security group object as the destination.

  • For a rule allowing outbound traffic, the destination can be one or more security group objects in the same AWS VPC, a prefix list ID, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Outbound rules can have only one security group object as the source.

  • Security Cloud Control translates rules that contain multiple entities, such as more than one port or subnet, into separate rules before deploying them to an AWS VPC.

  • When you add or remove rules, the changes are automatically applied to all AWS entities associated with the security group.

  • An AWS security group is limited to a maximum of 60 inbound rules and 60 outbound rules. This limit is enforced separately for IPv4 rules and IPv6 rules, and any additional rules created in Security Cloud Control count toward the total. Onboarding a security group to Security Cloud Control does not let you exceed the 60-rule limit.
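Because a single Security Cloud Control rule with several ports or subnets is deployed as separate per-port, per-CIDR rules, the expanded count is what AWS measures against the 60-rule limit. The following added example (not Cisco's or AWS's code; the rule model and function names are assumptions) expands a multi-entity rule the same way and checks the resulting per-direction, per-address-family totals before deployment:

```python
from dataclasses import dataclass
from ipaddress import ip_network
from itertools import product

# Per-direction limit, enforced separately for IPv4 and IPv6 (as stated above)
MAX_RULES_PER_DIRECTION = 60


@dataclass(frozen=True)
class Rule:
    """One rule as AWS stores it: a single protocol, port and CIDR."""
    direction: str   # "inbound" or "outbound"
    protocol: str
    port: int
    cidr: str        # CIDR block or single address ("10.0.0.5" is treated as /32)


def expand_rule(direction, protocol, ports, cidrs):
    """Translate one multi-entity rule into the separate single-entity rules
    that are actually deployed to the VPC (one per port x CIDR combination)."""
    return [Rule(direction, protocol, p, c) for p, c in product(ports, cidrs)]


def count_by_family(rules):
    """Count rules per (direction, address family), mirroring how the limit applies."""
    counts = {}
    for r in rules:
        family = "ipv6" if ip_network(r.cidr, strict=False).version == 6 else "ipv4"
        key = (r.direction, family)
        counts[key] = counts.get(key, 0) + 1
    return counts


def check_limits(existing, new):
    """Return [(direction, family, total)] for every bucket the deployment
    would push past the 60-rule limit; an empty list means it is safe to deploy."""
    counts = count_by_family(list(existing) + list(new))
    return [(d, f, n) for (d, f), n in counts.items() if n > MAX_RULES_PER_DIRECTION]


if __name__ == "__main__":
    # Constructed sample: 58 existing IPv4 inbound rules plus one new rule
    # that opens two ports to three subnets (six deployed rules).
    existing = [Rule("inbound", "tcp", p, "10.0.2.0/24") for p in range(1000, 1058)]
    new = expand_rule("inbound", "tcp", [22, 443],
                      ["10.0.0.0/24", "10.0.1.0/24", "2001:db8::/32"])
    print(count_by_family(new))        # {('inbound','ipv4'): 4, ('inbound','ipv6'): 2}
    print(check_limits(existing, new))  # [('inbound', 'ipv4', 62)]
```

Run the check before deploying a change so that an over-limit rule set is caught in review rather than failing, or partially applying, against the VPC.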

Warning

If you edit an existing rule, the system deletes the edited rule and creates a new rule with the updated details. As a result, traffic that depends on the rule may be dropped briefly during the update process. This does not occur if you create a brand new rule.

For more information about the types of rules you can create from the AWS console, refer to AWS Security Group Object. For more information about objects that can be associated with AWS VPCs, refer to AWS Security Groups and Cloud Security Group Objects.