Security Group Flashcards
With security groups, is all traffic blocked or allowed by default?
Blocked
Each Security Group contains a set of rules that filter traffic coming into (inbound) and out of (outbound) EC2 instances.
What is the purpose of a security group?
To act as a virtual firewall at the instance level
Multiple Instances across multiple subnets can belong to a Security Group.
How can you use Security groups and subnets?
Multiple Instances across multiple subnets can belong to a Security Group.
Subnet 1 with an EC2 instance
Subnet 2 with an EC2 instance
Subnet 3 with an EC2 instance
All of those EC2 instances share the same Security Group.
Security Groups and subnets: three use cases
2 Subnets with 2 Security Groups
One Security Group allows traffic from an IP
(the instance in the other Subnet)
2 Subnets with 2 Security Groups
One Security Group allows traffic from the other Security Group
(the Security Group in the other Subnet)
2 Subnets that share the same Security Group; in one Subnet, the instance in that Security Group also has another Security Group that allows everything, but the first Subnet doesn’t allow everything
With security groups, is all traffic allowed or denied by default?
Denied
In ELB, what is the maximum number of security groups you can have in a region?
10,000
In ELB, what is the maximum number of inbound / outbound rules on each security group?
- 60 Inbound Rules
- 60 Outbound Rules
In ELB, you cannot block specific IP addresses with Security Groups; for this you would need a…
Network Access Control List (NACL)
How many security groups can be associated with an ENI?
And what is the default?
You can have 16 Security Groups associated with an ENI (the default is 5).
Security Groups are STATEFUL. What does that mean?
If traffic is allowed inbound, its return traffic is also allowed outbound.
What can you block with a NACL, but not with a Security Group?
A single IP address
NACLs can allow or deny traffic, so you can block a single IP address (you can’t do this with Security Groups).
How many NACLs can a Subnet be associated with?
1
Subnets are associated with NACLs; a subnet can only belong to a single NACL.
In NACLs, which of the following rule #s would be evaluated first?
99, 11, 10, 1, 75
1
The rule # determines the order of evaluation, from lowest to highest. The highest rule # can be 32766, and it’s recommended to work in increments of 10 or 100.
What is a NACL?
It’s an optional layer of security that acts as a firewall for controlling traffic in and out of subnets.
NACLs act as a virtual firewall at the subnet level.
If you want to prevent SSH access to your instances and you don’t have any configuration in your Security Group, where can you deny SSH (port 22)?
NACLs
Security Groups cannot deny traffic.