AWS Security Group Rules Reference
Introduction
This page is a reference of security group rules for specific use cases, listing the ingress and/or egress rules each use case needs.
The examples below follow security best practices for implementing security groups. If you want to relax a rule, make sure you understand and accept the risk.
Some use cases need only ingress or only egress rules; others need both ingress and egress rules.
Read our AWS Security Group guide to learn more about Security Groups.
AWS Security Group For ElastiCache Memcached
- The ElastiCache Memcached security group only needs ingress rules and doesn't need any egress rules.
- An ElastiCache Memcached cluster has no coordination between nodes, so no node-to-node communication is necessary.
- Node updates, time sync to NTP, etc. happen out of band, so no security group egress is needed.
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 11211 | | |
Egress Rules
AWS ElastiCache Memcached doesn't need egress rules for its operation. Make sure all security groups attached to your AWS ElastiCache Memcached cluster have empty egress/outbound rules.
AWS Security Group For ElastiCache Redis
- AWS ElastiCache Redis only needs ingress rules on its service port. The Redis default port is 6379.
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 6379 | | |
Egress Rules
AWS ElastiCache Redis doesn't need egress rules, whether cluster mode is enabled or disabled.
AWS Security Group For Amazon RDS For Postgresql
- Amazon RDS for PostgreSQL by default only needs ingress rules, for both the master and the read replicas.
- Replication traffic from the master to a read replica happens out of band and doesn't go through security group checks.
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 5432 | | |
Egress Rules
- AWS RDS for PostgreSQL doesn't need egress/outbound rules by default, including for read
- Amazon RDS for PostgreSQL only needs egress/outbound rules if the RDS cluster needs to connect to another PostgreSQL instance (RDS or non-RDS) using the PostgreSQL Foreign Data Wrapper (`postgres_fdw`) extension. You can use the sample egress rules below when using postgres_fdw.
Type | Protocol | Port Range | Destination | Description |
---|---|---|---|---|
Custom TCP | TCP | 5432 | | ONLY when using fdw extension |
AWS Security Group For Amazon RDS For MySQL / MariaDB
- Amazon RDS for MySQL/MariaDB only needs ingress rules on its service port, for the master and/or the read replicas. The MySQL/MariaDB default service port is 3306.
- Replication between the master and a read replica doesn't go through security groups.
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 3306 | | |
Egress Rules
Amazon RDS for MySQL/MariaDB doesn’t need egress rules for its operations.
AWS Security Group For Amazon RDS For Oracle
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 1521 | | |
Egress Rules
- Amazon RDS for Oracle doesn't need egress rules for its operation.
AWS Security Group For Amazon RDS For SQL Server
- Amazon RDS for SQL Server needs an inbound rule on its port (the default SQL Server port is 1433).
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 1433 | | |
Egress Rules
- Amazon RDS for SQL Server doesn't need outbound rules for its operation; you can leave the egress rules empty.
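The ElastiCache and RDS profiles above all come down to the same shape: one TCP service port inbound and empty outbound rules, with the postgres_fdw egress as the only opt-in exception. The following is an added example, not code from the original page, that audits a security group against that profile. It assumes input in the shape returned by boto3's `ec2.describe_security_groups()` (the `IpPermissions` / `IpPermissionsEgress` structure); the sample groups, their IDs and the account ID are constructed here so the check runs offline.

```python
"""Audit an EC2 security group against the ingress-only profile described above:
one TCP service port inbound and empty outbound rules, with an opt-in exception
such as TCP/5432 outbound for postgres_fdw. Added example, not code from the
original page. The sample groups are constructed by hand in the shape that
boto3's ec2.describe_security_groups() returns, so the check runs offline;
group IDs and the account ID are made up."""

ANY_IPV4 = "0.0.0.0/0"
ANY_IPV6 = "::/0"


def _label(rule):
    """Human-readable protocol/port for one IpPermissions entry."""
    proto, lo, hi = rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")
    if proto == "-1":  # the console shows this as "All traffic"
        return "all traffic"
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def audit_security_group(sg, expected_port, allowed_egress_ports=frozenset()):
    """Return a list of findings; an empty list means the group matches the profile."""
    findings = []
    gid = sg.get("GroupId", "<unknown>")

    for rule in sg.get("IpPermissions", []):
        label = _label(rule)
        if (rule.get("IpProtocol"), rule.get("FromPort"), rule.get("ToPort")) != ("tcp", expected_port, expected_port):
            findings.append(f"{gid}: ingress {label} is outside the service port tcp/{expected_port}")
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in (ANY_IPV4, ANY_IPV6):
                findings.append(f"{gid}: ingress {label} is open to the whole internet ({cidr})")
            else:
                findings.append(f"{gid}: ingress {label} from {cidr} uses a CIDR source; "
                                "prefer referencing the client's security group")

    for rule in sg.get("IpPermissionsEgress", []):
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if rule.get("IpProtocol") == "tcp" and lo == hi and lo in allowed_egress_ports:
            continue  # explicitly permitted exception, e.g. postgres_fdw to another PostgreSQL
        findings.append(f"{gid}: egress {_label(rule)} present; profile expects empty outbound rules")
    return findings


# Constructed sample matching the ElastiCache Redis profile: TCP/6379 from the
# application tier's security group only, no outbound rules.
REDIS_SG_GOOD = {
    "GroupId": "sg-0redis00000000001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
                       "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-0app0000000000001", "UserId": "123456789012"}]}],
    "IpPermissionsEgress": [],
}

# Constructed sample with typical drift: Redis port open to the internet, an
# unrelated SSH rule, and the AWS default "allow all" outbound rule left in place.
REDIS_SG_BAD = {
    "GroupId": "sg-0redis00000000002",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": [], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}

# Constructed sample for RDS PostgreSQL using postgres_fdw: the one TCP/5432
# outbound rule is acceptable only when the audit is told to expect it.
PG_SG_FDW = {
    "GroupId": "sg-0pg00000000000001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                       "IpRanges": [], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-0app0000000000001", "UserId": "123456789012"}]}],
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                             "IpRanges": [{"CidrIp": "10.20.0.0/16"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}

if __name__ == "__main__":
    for sg, port, egress in ((REDIS_SG_GOOD, 6379, frozenset()),
                             (REDIS_SG_BAD, 6379, frozenset()),
                             (PG_SG_FDW, 5432, frozenset({5432}))):
        print(sg["GroupId"], audit_security_group(sg, port, egress) or "OK")
```

To run this against a live account, feed each element of `describe_security_groups()["SecurityGroups"]` to `audit_security_group` with the service port for that group; the `allowed_egress_ports` argument is the only knob, so any outbound rule not listed there is reported.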
AWS Security Group For Amazon Elasticsearch Service
- This only applies when you deploy Amazon Elasticsearch Service (Amazon ES) in a VPC.
- Amazon ES only needs inbound rules from the application instances that will use the cluster and/or from the IP addresses that need to access its Kibana dashboard.
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 443 | | |
Egress Rules
AWS Security Group For AWS Elastic Load Balancer
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 80 | | |
Custom TCP | TCP | 443 | | |
Egress Rules
Type | Protocol | Port Range | Destination | Description |
---|---|---|---|---|
Custom TCP | TCP | | | |
AWS Security Group For AWS Application Load Balancer
Ingress Rules
Type | Protocol | Port Range | Source | Description |
---|---|---|---|---|
Custom TCP | TCP | 80 | | |
Custom TCP | TCP | 443 | | |
Egress Rules
Type | Protocol | Port Range | Destination | Description |
---|---|---|---|---|
Custom TCP | TCP | | | |
AWS Security Group For Network Load Balancer
At the time of this writing (September 2020), AWS Network Load Balancer (NLB) doesn’t support security group attachment.
AWS Security Group For DMS Replication Instance
Ingress Rules
Egress Rules
AWS Security Group For AWS Lambda
- This sample only applies if you're deploying AWS Lambda in a VPC.
Ingress Rules
- To be completely honest I haven’t found a use case for ingress rules for AWS Lambda
Egress Rules
- Egress rules for Lambda will depend on the resources inside the VPC that the Lambda function needs to access.
AWS Security Group For Bastion Host
Ingress Rules
Egress Rules
- To access the bastion host itself, no egress rules need to be added.
- If you want to access an EC2 instance / RDS database from the bastion host, you need to allow the bastion host's security group in the security groups attached to the EC2 instance / RDS cluster.
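The bastion guidance above comes down to a reachability question: can the bastion's security group initiate a connection to the target group on the service port? The following is an added example, not code from the original page, that answers it from `describe_security_groups()` output. It checks both directions that AWS evaluates for a new connection (the source group's outbound rules and the target group's inbound rules); because security groups are stateful, the reply direction needs no rule. The sample groups, IDs, account ID and private IPs are constructed here.

```python
"""Evaluate whether one security group can initiate a TCP connection to another,
which is what the bastion host guidance above requires: the target group's
inbound rules must name the bastion's security group as a source. Added
example, not code from the original page. AWS also evaluates the source group's
outbound rules, so both directions are checked. Sample groups are constructed
in the shape returned by boto3's ec2.describe_security_groups(); the group IDs,
account ID and private IPs are made up."""
import ipaddress


def _covers(rule, protocol, port):
    """True if an IpPermissions entry covers the given protocol and port."""
    proto = rule.get("IpProtocol")
    if proto == "-1":  # "All traffic"
        return True
    if proto != protocol:
        return False
    return rule.get("FromPort", 0) <= port <= rule.get("ToPort", 65535)


def _names_peer(rule, peer_sg_id, peer_ip):
    """True if the rule references the peer's group, or a CIDR that contains the peer's IP."""
    if any(p.get("GroupId") == peer_sg_id for p in rule.get("UserIdGroupPairs", [])):
        return True
    addr = ipaddress.ip_address(peer_ip)
    cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
    cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
    # an IPv4 address is never "in" an IPv6 network, and vice versa
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs if c)


def can_connect(groups, src_sg_id, src_ip, dst_sg_id, dst_ip, port, protocol="tcp"):
    """Return (allowed, reasons) for a connection from src to dst on protocol/port."""
    by_id = {g["GroupId"]: g for g in groups}
    src, dst = by_id[src_sg_id], by_id[dst_sg_id]
    reasons = []
    if not any(_covers(r, protocol, port) and _names_peer(r, dst_sg_id, dst_ip)
               for r in src.get("IpPermissionsEgress", [])):
        reasons.append(f"{src_sg_id} has no outbound rule to {dst_sg_id} on {protocol}/{port}")
    if not any(_covers(r, protocol, port) and _names_peer(r, src_sg_id, src_ip)
               for r in dst.get("IpPermissions", [])):
        reasons.append(f"{dst_sg_id} has no inbound rule from {src_sg_id} on {protocol}/{port}")
    return not reasons, reasons


ACCOUNT = "123456789012"  # constructed
BASTION_SG = {
    "GroupId": "sg-0bastion000000001",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
                       "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "Ipv6Ranges": [], "UserIdGroupPairs": []}],
    # outbound only to the RDS group, on the PostgreSQL port
    "IpPermissionsEgress": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                             "IpRanges": [], "Ipv6Ranges": [],
                             "UserIdGroupPairs": [{"GroupId": "sg-0rds0000000000001", "UserId": ACCOUNT}]}],
}
RDS_SG = {
    "GroupId": "sg-0rds0000000000001",
    # inbound PostgreSQL from the bastion's group, as the guidance above requires
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                       "IpRanges": [], "Ipv6Ranges": [],
                       "UserIdGroupPairs": [{"GroupId": "sg-0bastion000000001", "UserId": ACCOUNT}]}],
    "IpPermissionsEgress": [],
}
APP_SG = {
    "GroupId": "sg-0app0000000000001",
    "IpPermissions": [],
    # AWS default outbound rule: all traffic to anywhere
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
                             "Ipv6Ranges": [], "UserIdGroupPairs": []}],
}
GROUPS = [BASTION_SG, RDS_SG, APP_SG]

if __name__ == "__main__":
    print(can_connect(GROUPS, "sg-0bastion000000001", "10.0.1.10", "sg-0rds0000000000001", "10.0.2.20", 5432))
    print(can_connect(GROUPS, "sg-0app0000000000001", "10.0.1.30", "sg-0rds0000000000001", "10.0.2.20", 5432))
```

The second call shows the failure mode the bullet above warns about: the application group's default allow-all egress is not enough, because the RDS group's inbound rules name only the bastion group.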
AWS Security Group For MongoDB Cluster
- The rules below are only for a MongoDB replication group to be accessible by the application cluster and for the replication process between replica members to succeed.
Ingress Rules
Egress Rules
AWS Security Group For Squid Proxy in EC2
- The example rules below assume you're accessing the Squid proxy directly from an instance inside the VPC.
Ingress Rules
Egress Rules
AWS Security Group For Windows RDP
Ingress Rules
Egress Rules
AWS Security Group For SSH
Ingress Rules
Egress Rules