This page is a security group rules reference for specific use cases. For each use case it lists the ingress and/or egress rules to apply.
The examples below follow security best practices for implementing security groups. If you want to relax the rules, make sure you understand and have considered the risk.
Some use cases need only ingress or only egress rules, while others need both ingress and egress rules.
AWS Security Group For ElastiCache Memcached
An ElastiCache Memcached security group only needs ingress rules and doesn't need any egress rules.
An ElastiCache Memcached cluster is a dumb cluster: there is no coordination between nodes, so no node-to-node communication is necessary.
Node updates, time sync to NTP, etc. happen out of band, so no security group egress rules are needed.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 11211      |        |             |
Egress Rules
AWS ElastiCache Memcached doesn't need egress rules for its operation. Make sure all security groups attached to your AWS ElastiCache Memcached cluster have empty egress/outbound rules.
AWS Security Group For ElastiCache Redis
AWS ElastiCache Redis only needs ingress rules to its service port. The Redis default port is 6379.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 6379       |        |             |
Egress Rules
AWS ElastiCache Redis doesn't need egress rules, with cluster mode enabled or with cluster mode disabled.
AWS Security Group For Amazon RDS For PostgreSQL
Amazon RDS for PostgreSQL by default only needs ingress rules, both for the master and for read replicas.
Communication from the master to a read replica happens out of band and doesn't go through security group checking.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 5432       |        |             |
Egress Rules
AWS RDS for PostgreSQL doesn't need egress/outbound rules by default, including for read
Amazon RDS for PostgreSQL only needs egress/outbound rules if the RDS cluster needs to connect to another PostgreSQL instance (RDS or non-RDS) using the PostgreSQL Foreign Data Wrapper (postgres_fdw) extension. You can use the sample egress rules below when using postgres_fdw (ONLY when using the fdw extension).
| Type       | Protocol | Port Range | Destination | Description |
|------------|----------|------------|-------------|-------------|
| Custom TCP | TCP      | 5432       |             |             |
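The data-store pattern used by the ElastiCache and RDS sections above (ingress only on the service port, sourced from the application security group, and empty egress except for the postgres_fdw case) can be built and audited programmatically. This is an added example, not code from the original page or from AWS; the dict shapes follow the EC2 API's IpPermissions structure as returned by describe-security-groups, and every security group id in it is made up.

```python
# Added example, not from the original page: build and audit security group
# rules for the data-store pattern (ElastiCache, RDS): ingress only on the
# service port, sourced from the application SG, and no egress at all, except
# RDS PostgreSQL with postgres_fdw, which needs egress to the peer DB port.
# Dict shapes follow the EC2 API's IpPermissions; all SG ids here are made up.

def data_store_rules(port, app_sg_id):
    """Ingress on one TCP port from the application SG; egress left empty."""
    ingress = [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
                "UserIdGroupPairs": [{"GroupId": app_sg_id}]}]
    return {"IpPermissions": ingress, "IpPermissionsEgress": []}

def fdw_egress(peer_sg_id, port=5432):
    """ONLY for RDS PostgreSQL using postgres_fdw: egress to the peer database."""
    return [{"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
             "UserIdGroupPairs": [{"GroupId": peer_sg_id}]}]

def _single_port(rule, port):
    return (rule.get("IpProtocol") == "tcp"
            and rule.get("FromPort") == port and rule.get("ToPort") == port)

def audit_data_store_sg(sg, expected_port, fdw_port=None):
    """Return findings for one describe-security-groups entry; [] is compliant."""
    findings = []
    for rule in sg.get("IpPermissions", []):
        if not _single_port(rule, expected_port):
            findings.append(f"ingress not limited to tcp/{expected_port}")
        cidrs = [r["CidrIp"] for r in rule.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            findings.append(f"ingress from CIDR {cidr} instead of an SG reference")
    for rule in sg.get("IpPermissionsEgress", []):
        # A newly created SG carries an allow-all egress rule, so "empty egress"
        # means that default rule has to be removed explicitly.
        if fdw_port is None:
            findings.append("egress rule present; this service needs none")
        elif not _single_port(rule, fdw_port) or rule.get("IpRanges"):
            findings.append(f"fdw egress must be tcp/{fdw_port} to a peer SG only")
    return findings

# Constructed sample: a Redis SG left with the defaults many people start from.
SAMPLE_REDIS_SG = {
    "GroupId": "sg-0redis000000000",
    "IpPermissions": [{"IpProtocol": "tcp", "FromPort": 6379, "ToPort": 6379,
                       "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}

if __name__ == "__main__":
    for finding in audit_data_store_sg(SAMPLE_REDIS_SG, 6379):
        print("FINDING:", finding)
```

Running it on the constructed sample reports two findings: the 0.0.0.0/0 ingress source and the default allow-all egress rule that was never removed.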
AWS Security Group For Amazon RDS For MySQL / MariaDB
Amazon RDS for MySQL/MariaDB only needs ingress rules to its service port, for the master and/or the read replica. The MySQL/MariaDB default service port is 3306.
Replication between the master and a read replica doesn't go through the security group.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 3306       |        |             |
Egress Rules
Amazon RDS for MySQL/MariaDB doesn’t need egress rules for its operations.
AWS Security Group For Amazon RDS For Oracle
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 1521       |        |             |
Egress Rules
Amazon RDS For Oracle doesn’t need egress rules for its operations.
AWS Security Group For Amazon RDS For SQL Server
Amazon RDS for SQL Server needs an inbound rule to its port (the default SQL Server port is 1433).
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 1433       |        |             |
Egress Rules
Amazon RDS for SQL Server doesn't need outbound rules for its operation; you can leave the egress rules empty.
AWS Security Group For Amazon Elasticsearch Service
This only applies when you deploy Amazon Elasticsearch Service (Amazon ES) in a VPC.
Amazon ES only needs inbound rules from the application instances that will use the cluster and/or the IP addresses that need to access its Kibana dashboard.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 443        |        |             |
Egress Rules
AWS Security Group For AWS Elastic Load Balancer
xxx.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 80         |        |             |
| Custom TCP | TCP      | 443        |        |             |
Egress Rules

| Type       | Protocol | Port Range | Destination | Description |
|------------|----------|------------|-------------|-------------|
| Custom TCP | TCP      |            |             |             |
AWS Security Group For AWS Application Load Balancer
xxx.
Ingress Rules

| Type       | Protocol | Port Range | Source | Description |
|------------|----------|------------|--------|-------------|
| Custom TCP | TCP      | 80         |        |             |
| Custom TCP | TCP      | 443        |        |             |
Egress Rules

| Type       | Protocol | Port Range | Destination | Description |
|------------|----------|------------|-------------|-------------|
| Custom TCP | TCP      |            |             |             |
AWS Security Group For Network Load Balancer
At the time of this writing (September 2020), AWS Network Load Balancer (NLB) doesn’t support security group attachment.
AWS Security Group For DMS Replication Instance
xxx.
Ingress Rules
Egress Rules
AWS Security Group For AWS Lambda
This sample only applies if you're deploying AWS Lambda in a VPC.
Ingress Rules
To be completely honest, I haven't found a use case for ingress rules for AWS Lambda.
Egress Rules
The egress rules for Lambda depend on the resources inside the VPC that the Lambda function needs to access.
AWS Security Group For Bastion Host
Ingress Rules
Egress Rules
To access the bastion host itself, no egress rules need to be added.
If you want to access an EC2 instance / RDS database from the bastion host, you need to allow the bastion host's security group in the security groups attached to the EC2 instance / RDS cluster.
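The load balancer sections above and the bastion host case here both rely on the same wiring: the destination security group allows ingress from the source security group on the target port, and the source security group allows the matching egress. The checker below is an added example, not code from the original page or from AWS; it uses the EC2 IpPermissions dict shape, requires both directions to be expressed as security group references rather than CIDRs, and all security group ids in it are made up.

```python
# Added example, not from the original page: check that two security groups are
# wired for a connection src -> dst on one port the way the page describes for a
# load balancer reaching its targets or a bastion host reaching EC2/RDS. The
# destination SG must allow ingress from the source SG (by SG reference, not
# CIDR) on that port, and the source SG must allow the matching egress, also by
# SG reference. Dict shapes follow EC2 IpPermissions; all SG ids are made up.

def _permits(rules, port, peer_sg_id):
    """True if some rule covers tcp/<port> (or all traffic) for peer_sg_id."""
    for rule in rules:
        proto = rule.get("IpProtocol")
        in_range = (proto == "-1" or (proto == "tcp" and
                    rule.get("FromPort", 1) <= port <= rule.get("ToPort", 0)))
        if in_range and any(p.get("GroupId") == peer_sg_id
                            for p in rule.get("UserIdGroupPairs", [])):
            return True
    return False

def check_pair(src_sg, dst_sg, port):
    """Return findings; an empty list means both directions allow the traffic."""
    src, dst = src_sg["GroupId"], dst_sg["GroupId"]
    findings = []
    if not _permits(dst_sg.get("IpPermissions", []), port, src):
        findings.append(f"{dst} lacks ingress on tcp/{port} from {src} (by SG reference)")
    if not _permits(src_sg.get("IpPermissionsEgress", []), port, dst):
        findings.append(f"{src} lacks egress on tcp/{port} to {dst} (by SG reference)")
    return findings

def _sg(group_id, ingress=(), egress=()):
    return {"GroupId": group_id, "IpPermissions": list(ingress),
            "IpPermissionsEgress": list(egress)}

def _tcp(port, peer_sg_id=None, cidr=None):
    """One single-port TCP rule from/to an SG reference or a CIDR."""
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "UserIdGroupPairs": [{"GroupId": peer_sg_id}] if peer_sg_id else [],
            "IpRanges": [{"CidrIp": cidr}] if cidr else []}

# Constructed sample: a load balancer listening on 80/443 from the internet and
# forwarding to app instances on 8080, and a bastion whose egress was left empty.
LB_SG = _sg("sg-0lb0000000000000",
            ingress=[_tcp(80, cidr="0.0.0.0/0"), _tcp(443, cidr="0.0.0.0/0")],
            egress=[_tcp(8080, peer_sg_id="sg-0app000000000000")])
APP_SG = _sg("sg-0app000000000000", ingress=[_tcp(8080, peer_sg_id="sg-0lb0000000000000")])
BASTION_SG = _sg("sg-0bast00000000000")
RDS_SG = _sg("sg-0rds000000000000", ingress=[_tcp(5432, peer_sg_id="sg-0bast00000000000")])

if __name__ == "__main__":
    print("lb -> app:", check_pair(LB_SG, APP_SG, 8080) or "ok")
    print("bastion -> rds:", check_pair(BASTION_SG, RDS_SG, 5432) or "ok")
```

The bastion case in the sample reports a missing egress rule on the bastion side even though RDS already allows it, which is the half of the wiring that is easy to forget.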
AWS Security Group For MongoDB Cluster
The rules below are only for the MongoDB replication group to be accessible by the application cluster and for the replication process between replica members to succeed.
Ingress Rules
Egress Rules
AWS Security Group For Squid Proxy in EC2
The example rules below assume you're directly accessing the Squid proxy from an instance inside the VPC.
Ingress Rules
Egress Rules
AWS Security Group For Windows RDP
Ingress Rules
Egress Rules
AWS Security Group For SSH
Ingress Rules
Egress Rules