Creating Security Groups in AWS

How to create security groups in AWS (using the console or AWS CLI)

In this tutorial, we describe how to create security groups in AWS (used when launching EC2 instances) using either the AWS Management Console or the AWS Command Line Interface (AWS CLI).

To run a website on an AWS EC2 instance, you need a security group. You can create it while launching the EC2 instance, or create it separately and add rules that apply to every instance in the group. Once you have a security group with inbound and outbound rules that allow SSH access as well as HTTP and HTTPS traffic, you can reuse it when launching new EC2 instances, so you do not need a new security group each time you launch an AWS EC2 instance.

A security group acts as a firewall that controls the incoming and outgoing network traffic of your Elastic Compute Cloud (EC2) instance. Assigning one is an essential step when you launch an EC2 instance: every instance you launch must have a security group.

When you open the EC2 dashboard, all the security groups you have created are listed there. If none are configured yet, the security group count on the dashboard shows 0. If you do not add the right inbound rules, you will have difficulty connecting to your instance via SSH.

To start creating a security group, click Security Groups in the left sidebar of the EC2 dashboard, where it is listed under ‘Network and Security’. Then click the Create security group button at the top right.

Name and describe your security group

Give your security group a name like ‘myfirst-sg’ and a description like ‘My first security group’. The default VPC is already selected in the VPC box (AWS provides a default VPC for you).

Add Inbound Rules to Allow Inbound Traffic

After that, add inbound rules to allow traffic to your EC2 instance and to be able to connect to it via SSH. You need at least three rules: one allowing HTTP traffic, one allowing HTTPS traffic, and one allowing SSH connections from your IP or from anywhere. If you have difficulty connecting to your instance via SSH after launching it, it may also mean the inbound rules are not configured properly.

To allow SSH access, select SSH for Type from the drop-down menu; the console fills in the protocol (TCP) and the port range (SSH uses port 22) automatically. For Source, select either Anywhere-IPv4 (0.0.0.0/0) or My IP, which limits SSH access to your current address. Add two more rules for HTTP and HTTPS traffic: select HTTP or HTTPS for Type and again choose Anywhere-IPv4 (0.0.0.0/0) as the source. The console assigns the protocol and port range, which is port 80 for HTTP and port 443 for HTTPS. You need to know these port numbers if you want to create the security group using the AWS Command Line Interface (AWS CLI). When the security group is created, the console also adds an outbound rule allowing all outgoing traffic to the internet.


Once you are done, click Create security group and your security group is ready. Each security group is assigned an ID beginning with sg-, for example sg-012b3d4d5fbc6789f. You can see the ID in the security groups list after creation, along with the VPC ID and the number of inbound and outbound rules for each group. Your security group is now ready to be used with EC2 instances.

You can also create security groups using the AWS Command Line Interface (AWS CLI). However, you need to have the AWS CLI installed and configured to do this.

How to create security groups using AWS CLI

Install and Configure AWS CLI

You can use the AWS command line interface to create security groups, add rules to existing security groups and to delete security groups.

However, to run the EC2 commands you first need to install and configure the AWS CLI. If it is already installed and configured, you can move on to the next steps. You can download and install the AWS CLI for Windows, Mac or Linux from the AWS website; on Windows, the AWS CLI supports the 64-bit version.

To install it, you can download the MSI installer for Windows 64 bit from:

https://awscli.amazonaws.com/AWSCLIV2.msi

You can also run msiexec to install directly from the download URL:

msiexec.exe /i https://awscli.amazonaws.com/AWSCLIV2.msi

If you download the installer, just follow the directions and the CLI will be installed in a few minutes. To confirm the installation, run the following command from the command prompt:

aws --version

Its output will look like the following:

aws-cli/2.10.3 Python/3.9.11 Windows/10 exe/AMD64 prompt/off

Next comes the configuration step, for which you will need your access key ID and secret access key. The fastest way to set up your AWS CLI installation is the aws configure command. Once you run this command:

$ aws configure

The system prompts you for the following values:

AWS Access Key ID [None]:
AWS Secret Access Key [None]:
Default region name [None]: us-east-1
Default output format [None]: json

After that, the configuration is finished and you can start using the AWS CLI. You can now run the commands required to create security groups from the command prompt (cmd).

Create Security groups using AWS CLI

To begin, look up the VPC ID, since every security group is associated with a VPC (Virtual Private Cloud). AWS provides a default VPC in each region. The default VPC in your account includes a public subnet in each Availability Zone, an internet gateway, and settings that enable DNS resolution, so you can start launching EC2 instances right away. The default VPC is good for getting started quickly or for launching blogs and simple websites; if you need to, you can edit it.


Get the VPC ID:

You can look up the VPC ID in the AWS management console or with the AWS CLI. To do so with the AWS CLI, run:

$ aws ec2 describe-vpcs

{
  "Vpcs": [
    {
      "CidrBlock": "xx.xx.xx.xx/xx",
      "DhcpOptionsId": "dopt-xxxxxxx",
      "State": "available",
      "VpcId": "vpc-12e3456c",
      "OwnerId": "123456789",
      "InstanceTenancy": "default",
      "CidrBlockAssociationSet": [
        {
          "AssociationId": "vpc-cidr-assoc-eed12345",
          "CidrBlock": "xxx.xx.x.x/xx",
          "CidrBlockState": {
            "State": "associated"
          }
        }
      ],
      "IsDefault": true
    }
  ]
}

Note the VpcId from the output, since the next command needs it to create the security group. We are creating a security group named ‘myfirst-sg’. In this command you provide the security group name (whatever you want to call it), a description, and the VPC ID.

Run the create-security-group command:

$ aws ec2 create-security-group --group-name myfirst-sg --description "My first security group" --vpc-id vpc-xxxxxxx

In the above command, you can change the group name and description, and replace the VPC ID with your own. The output looks like the following, showing that your security group has been created:

{
  "GroupId": "sg-0ab8cdxxxxxxx"
}

The output above shows the ID of the newly created security group. Congratulations, you have created a security group; now it is time to add the inbound rules.

To learn more about your security group, use the describe-security-groups command as follows:

$ aws ec2 describe-security-groups --group-ids sg-xxxxxxxxx

Replace the security group ID in the above command (the last part, beginning with sg-) with the group ID generated in the previous step. The output will be something like the following:

{
  "SecurityGroups": [
    {
      "Description": "My first security group",
      "GroupName": "myfirst-sg",
      "IpPermissions": [],
      "OwnerId": "1234567890654",
      "GroupId": "sg-xxxxxxxxxx",
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": [],
          "UserIdGroupPairs": []
        }
      ],
      "VpcId": "vpc-xxxxxxxx"
    }
  ]
}

Add Rules to your Security Group

Now that we have created the security group, it is time to add the inbound rules, as we did when creating the security group through the AWS console. To allow SSH traffic, you need the security group ID and port 22 in the command, as shown below; port 22 is the SSH port. If you want to allow SSH only from your own IP, replace the last part of the command (the CIDR 0.0.0.0/0) with your own address in CIDR form (a /32 for a single address). Whenever you add a rule, you will need the security group ID and the port number. Here is the command for creating rules:

$ aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxx --protocol tcp --port 22 --cidr 0.0.0.0/0

The above command adds the first rule to your security group; its output will look like the following:

{
  "Return": true,
  "SecurityGroupRules": [
    {
      "SecurityGroupRuleId": "sgr-xxxxxxxxxxxx",
      "GroupId": "sg-xxxxxxxxxxx",
      "GroupOwnerId": "12345678901",
      "IsEgress": false,
      "IpProtocol": "tcp",
      "FromPort": 22,
      "ToPort": 22,
      "CidrIpv4": "0.0.0.0/0"
    }
  ]
}

(In the same way, you can add rules to allow HTTP and HTTPS traffic on ports 80 and 443. The protocol remains TCP for both.)

If you want to check the changes to your security group, use the describe-security-groups command again as before. The command is repeated here for convenience:

$ aws ec2 describe-security-groups --group-ids sg-xxxxxxxxx

You only need to change the security group ID (beginning with sg-) in the above command to get a description of your security group and to check recent changes.

In the next step, add the rules allowing HTTP and HTTPS traffic from the internet using the same command as for SSH, replacing the port in each step with the right one (80 for HTTP and 443 for HTTPS). Your security group is then ready; if you want, you can also verify it in the AWS management console under Security Groups.
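As an added example (not code from the tutorial or from AWS), the following Python script drives the CLI procedure above and then audits the result. It picks the default VPC out of describe-vpcs output, builds the three authorize-security-group-ingress calls with the SSH source restricted to a single-address /32 (the console's ‘My IP’ choice) while HTTP and HTTPS stay open to 0.0.0.0/0, and finally reads describe-security-groups output back to list which port ranges the finished group exposes to the whole internet. The function names and the sample JSON are constructed for this example and assume only that the aws CLI is installed and configured; nothing is executed until main() runs.

```python
"""Added example (not from the original tutorial): plan the AWS CLI calls for
the 'myfirst-sg' procedure and audit the resulting describe-security-groups
output. Function names and SAMPLE_* JSON are constructed for this example."""
import ipaddress
import json
import subprocess
import sys

SSH_PORT = 22
WEB_PORTS = (80, 443)       # ports the tutorial opens to the whole internet
ANYWHERE = "0.0.0.0/0"      # the console's "Anywhere-IPv4" source


def default_vpc_id(describe_vpcs_output):
    """Pick the default VPC out of `aws ec2 describe-vpcs` JSON output."""
    for vpc in json.loads(describe_vpcs_output)["Vpcs"]:
        if vpc.get("IsDefault"):
            return vpc["VpcId"]
    raise LookupError("no default VPC in this region")


def my_ip_cidr(ip):
    """The console's 'My IP' choice: a single-host /32 for the given address."""
    return f"{ipaddress.IPv4Address(ip)}/32"


def ingress_command(group_id, port, cidr):
    """Build the authorize-security-group-ingress call used in the tutorial.
    The CIDR is parsed first (strictly: host bits must be zero) so a typo such
    as 1.2.3/33 fails here instead of producing a rule you did not intend."""
    ipaddress.IPv4Network(cidr)  # raises ValueError on malformed input
    return ["aws", "ec2", "authorize-security-group-ingress",
            "--group-id", group_id, "--protocol", "tcp",
            "--port", str(port), "--cidr", cidr]


def plan_web_sg(group_id, ssh_source):
    """The three rules from the tutorial: SSH from ssh_source, HTTP/HTTPS from anywhere."""
    cmds = [ingress_command(group_id, SSH_PORT, ssh_source)]
    cmds += [ingress_command(group_id, p, ANYWHERE) for p in WEB_PORTS]
    return cmds


def inbound_rules(describe_sg_output):
    """Flatten IpPermissions into (from_port, to_port, protocol, cidr) tuples.
    A rule with IpProtocol "-1" carries no ports and means every port."""
    rules = []
    for sg in json.loads(describe_sg_output)["SecurityGroups"]:
        for perm in sg["IpPermissions"]:
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            for r in perm.get("IpRanges", []):
                rules.append((lo, hi, perm["IpProtocol"], r["CidrIp"]))
    return rules


def open_to_anywhere(describe_sg_output):
    """Sorted (from_port, to_port) ranges reachable from 0.0.0.0/0."""
    return sorted({(lo, hi) for lo, hi, _, cidr in inbound_rules(describe_sg_output)
                   if cidr == ANYWHERE})


def review(describe_sg_output):
    """Ranges open to the internet that are not exactly one of the web ports,
    e.g. SSH left on 'Anywhere' instead of 'My IP'."""
    return [(lo, hi) for lo, hi in open_to_anywhere(describe_sg_output)
            if not (lo == hi and lo in WEB_PORTS)]


# Constructed samples mirroring the output shapes shown in the tutorial: the
# describe-vpcs default VPC, and the group after ssh and http were added from anywhere.
SAMPLE_VPCS = json.dumps({"Vpcs": [
    {"VpcId": "vpc-12e3456c", "State": "available", "IsDefault": True}]})
SAMPLE_DESCRIBE = json.dumps({"SecurityGroups": [{
    "GroupName": "myfirst-sg", "GroupId": "sg-xxxxxxxxxx",
    "IpPermissions": [
        {"FromPort": 80, "ToPort": 80, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"FromPort": 22, "ToPort": 22, "IpProtocol": "tcp",
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}]})


def main(group_id, my_ip):
    """Apply the three rules, then re-read the group and report what is open."""
    for cmd in plan_web_sg(group_id, my_ip_cidr(my_ip)):
        subprocess.run(cmd, check=True)
    out = subprocess.run(["aws", "ec2", "describe-security-groups",
                          "--group-ids", group_id],
                         check=True, capture_output=True, text=True).stdout
    print("open to anywhere:", open_to_anywhere(out))
    print("worth a second look:", review(out))


if __name__ == "__main__":
    main(sys.argv[1], sys.argv[2])  # e.g. python sg_plan.py sg-xxxxxxxx 203.0.113.7
```

Run against the sample group from the tutorial (SSH and HTTP both from anywhere), review() reports the (22, 22) range, which is exactly the rule the console's ‘My IP’ option would have narrowed; the CIDR check in ingress_command() is the reason to build the commands in code rather than typing the four values by hand.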

Finally, if you want to delete a security group, run one of the following commands, providing either the name or the ID of the group:

aws ec2 delete-security-group --group-name=myfirst-sg

aws ec2 delete-security-group --group-id=sg-xxxxxxx

If you want, you can check how I added the rules for HTTP and HTTPS (ports 80 and 443) using the same command. I have included the output for each one. Do not forget to review the changes after applying rules using the describe-security-groups command.

Changes after adding the first rule (SSH traffic):

$ aws ec2 describe-security-groups --group-ids sg-xxxxxxxxxx

{
  "SecurityGroups": [
    {
      "Description": "My first security group",
      "GroupName": "myfirst-sg",
      "IpPermissions": [
        {
          "FromPort": 22,
          "IpProtocol": "tcp",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": [],
          "ToPort": 22,
          "UserIdGroupPairs": []
        }
      ],
      "OwnerId": "xxxxxxxxxxxx",
      "GroupId": "sg-xxxxxxxxxxx",
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": [],
          "UserIdGroupPairs": []
        }
      ],
      "VpcId": "vpc-xxxxxxxx"
    }
  ]
}

Adding the HTTP inbound rule to the security group:

I added the rule for HTTP traffic on port 80 by running the following command:

$ aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxxx --protocol tcp --port 80 --cidr 0.0.0.0/0

The output looks like the following:

{
  "Return": true,
  "SecurityGroupRules": [
    {
      "SecurityGroupRuleId": "sgr-xxxxxxxxxx",
      "GroupId": "sg-xxxxxxxxxxx",
      "GroupOwnerId": "12345678901",
      "IsEgress": false,
      "IpProtocol": "tcp",
      "FromPort": 80,
      "ToPort": 80,
      "CidrIpv4": "0.0.0.0/0"
    }
  ]
}

Changes after adding the rule for HTTP (note the newly added port 80 in the security group):

$ aws ec2 describe-security-groups --group-ids sg-xxxxxxxxxx

{
  "SecurityGroups": [
    {
      "Description": "My first security group",
      "GroupName": "myfirst-sg",
      "IpPermissions": [
        {
          "FromPort": 80,
          "IpProtocol": "tcp",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": [],
          "ToPort": 80,
          "UserIdGroupPairs": []
        },
        {
          "FromPort": 22,
          "IpProtocol": "tcp",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": [],
          "ToPort": 22,
          "UserIdGroupPairs": []
        }
      ],
      "OwnerId": "12345678901",
      "GroupId": "sg-xxxxxxxxxx",
      "IpPermissionsEgress": [
        {
          "IpProtocol": "-1",
          "IpRanges": [
            {
              "CidrIp": "0.0.0.0/0"
            }
          ],
          "Ipv6Ranges": [],
          "PrefixListIds": [],
          "UserIdGroupPairs": []
        }
      ],
      "VpcId": "vpc-xxxxxxxxx"
    }
  ]
}

Adding the HTTPS inbound rule to your security group:

I added the rule for HTTPS traffic on port 443 by running the following command:

$ aws ec2 authorize-security-group-ingress --group-id sg-xxxxxxxxxxx --protocol tcp --port 443 --cidr 0.0.0.0/0

The output looks like the following:

{
  "Return": true,
  "SecurityGroupRules": [
    {
      "SecurityGroupRuleId": "sgr-xxxxxxxxxxxx",
      "GroupId": "sg-xxxxxxxxxxxx",
      "GroupOwnerId": "12345678901",
      "IsEgress": false,
      "IpProtocol": "tcp",
      "FromPort": 443,
      "ToPort": 443,
      "CidrIpv4": "0.0.0.0/0"
    }
  ]
}

Wrapping it up:

In this tutorial, you learnt how to create security groups using either the AWS Management Console or the AWS Command Line Interface. You can use either method to create the security groups you need whenever you launch an AWS EC2 instance. However, you will first need to install and configure the AWS CLI if you want to use the second method.

Adding inbound rules is critical so that you can allow inbound HTTP and HTTPS traffic to your instance. Apart from that, you will need to SSH to your instance, and therefore you should allow SSH traffic on port 22, as in the rules above. A security group is just like a firewall, and adding rules to it is like adding rules to a firewall.
