I am doing the online Aviatrix Certified Engineer - Multi-Cloud Network Associate Course. In the AWS Networking 101 section, it is stated that Security Groups can only contain inbound rules. Pretty sure this is not the case and you can also write outbound rules with SG. (https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html). Perhaps the course can be updated?
Good find Thomas.
Yes, AWS SGs can certainly have outbound rules configured as you noted.
My experience is that most folks keep the default Allow All outbound behavior and leverage the stateful inbound rules of the SGs to allow the outbound response. Although not technically correct, it's been quite common to hear that you only configure inbound rules for SGs.
If we think about the SGs applied to something like EC2 or RDS resources, the outbound response traffic here would be originating from that AWS resource that you would own and trust to some degree, sitting inside your VPC, responding to that original inbound request.
That being said, if you know exactly the destination and/or port ranges the outbound traffic would be sent to, in response to the incoming requests, it certainly wouldn't be a bad thing to add outbound rules as another layer to prevent outgoing traffic to unexpected destinations. If you're dealing with larger environments with hundreds of SGs, this can get challenging to manage and be tricky to troubleshoot if you have application traffic flowing through a variety of resources, all with inbound and outbound SG rules in place.
Another option here may be to keep the default Allow All outbound SG rule, but then leverage the Aviatrix FQDN egress filtering at the VPC level. This greatly simplifies the SG rule complexity at scale, but still gives you some control of the outbound traffic.
One could even throw FireNet into the picture here and do egress inspection at a firewall level. Really all depends on what you're trying to protect against with that response traffic egress and the configuration and operational overhead tradeoffs.
All the best with your study Thomas!
You're catching errors in the course material as you go through it so I'm certain you'll do great on the exam!
Mike Fischer Thanks for the response, Mike. I agree that majority of the time people only configure inbound rules on SGs. The one scenario I've had is wanting to tighten security on EC2-level - as opposed to subnet - to only allow outbound traffic to Internet via explicit proxy or locking it down to known ports (eg. http, https only). I haven't reached that part of the course yet but FQDN egress filtering sounds nice!
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.