ACE - Multi-Cloud Network Associate Course - AWS VPC Security Groups
I am doing the online Aviatrix Certified Engineer - Multi-Cloud Network Associate Course. In the AWS Networking 101 section, it is stated that Security Groups can only contain inbound rules. Pretty sure this is not the case and you can also write outbound rules with SGs (https://docs.aws.amazon.com/quicksight/latest/user/vpc-security-groups.html). Perhaps the course can be updated?
Good find Thomas.
Yes, AWS SGs can certainly have outbound rules configured as you noted.
My experience is that most folks keep the default Allow All outbound behavior and leverage the stateful inbound rules of the SGs to allow the outbound response. Although not technically correct, it's been quite common to hear that you only configure inbound rules for SGs.
If we think about the SGs applied to something like EC2 or RDS resources, the outbound response traffic here would be originating from that AWS resource that you would own and trust to some degree, sitting inside your VPC, responding to that original inbound request.
That being said, if you know exactly the destination and/or port ranges the outbound traffic would be sent to, in response to the incoming requests, it certainly wouldn't be a bad thing to add outbound rules as another layer to prevent outgoing traffic to unexpected destinations. If you're dealing with larger environments with hundreds of SGs, this can get challenging to manage and be tricky to troubleshoot if you have application traffic flowing through a variety of resources, all with inbound and outbound SG rules in place.
Another option here may be to keep the default Allow All outbound SG rule, but then leverage the Aviatrix FQDN egress filtering at the VPC level. This greatly simplifies the SG rule complexity at scale, but still gives you some control of the outbound traffic.
One could even throw FireNet into the picture here and do egress inspection at a firewall level. It really all depends on what you're trying to protect against with that response traffic egress and the configuration and operational overhead tradeoffs.
All the best with your study Thomas!
You're catching errors in the course material as you go through it so I'm certain you'll do great on the exam!
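The stateful behaviour and the "restrict egress as a second layer" idea discussed in the answer above, as an added worked example (this is not from the thread, the course or Aviatrix). The security group evaluator is a deliberately simplified model written for this example: it handles IPv4 CIDR rules and connection tracking for return traffic only, and ignores IPv6 ranges, prefix lists and `UserIdGroupPairs` references to other groups. The `IpPermissions` dictionaries follow the shape the EC2 API takes in `revoke_security_group_egress` and `authorize_security_group_egress`, but nothing here calls AWS; the group ID, CIDRs and client addresses are constructed sample values.

```python
"""Model of AWS security group evaluation (stateful inbound + explicit egress).

Added example, not code from the forum thread. Simplified: IPv4 CIDR rules and
return-traffic tracking only. Payload shapes match the EC2 IpPermissions
structure, but no AWS call is made; all IDs and addresses are made up.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# The single egress rule AWS adds to a newly created security group:
# all protocols, all ports, to 0.0.0.0/0 (assumption: IPv4-only VPC).
DEFAULT_EGRESS = {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}


def rule_matches(rule, proto, port, peer_ip):
    """True if one IpPermissions entry covers this (protocol, port, peer)."""
    if rule["IpProtocol"] not in ("-1", proto):
        return False
    # "-1" means all protocols and carries no port range.
    if rule["IpProtocol"] != "-1" and not (rule["FromPort"] <= port <= rule["ToPort"]):
        return False
    return any(ip_address(peer_ip) in ip_network(r["CidrIp"]) for r in rule.get("IpRanges", []))


@dataclass
class SecurityGroup:
    ingress: list
    egress: list
    # Connection-tracking table of flows admitted by an inbound rule:
    # (proto, client_ip, client_port, instance_port)
    tracked: set = field(default_factory=set)

    def inbound(self, proto, src_ip, src_port, dst_port):
        """A client at src_ip:src_port connects to the instance on dst_port."""
        if any(rule_matches(r, proto, dst_port, src_ip) for r in self.ingress):
            self.tracked.add((proto, src_ip, src_port, dst_port))
            return True
        return False

    def outbound(self, proto, dst_ip, dst_port, src_port):
        """The instance sends from src_port to dst_ip:dst_port.

        Return traffic for a tracked inbound flow is allowed regardless of
        the egress rules (the stateful behaviour the thread describes);
        any other packet must match an egress rule.
        """
        if (proto, dst_ip, dst_port, src_port) in self.tracked:
            return True
        return any(rule_matches(r, proto, dst_port, dst_ip) for r in self.egress)


def egress_allowlist_payloads(group_id, allowed):
    """Build the kwargs for the two boto3 calls that swap allow-all egress
    for an explicit allow-list. `allowed` holds (proto, port, cidr, description)."""
    revoke = {"GroupId": group_id, "IpPermissions": [DEFAULT_EGRESS]}
    authorize = {
        "GroupId": group_id,
        "IpPermissions": [
            {"IpProtocol": proto, "FromPort": port, "ToPort": port,
             "IpRanges": [{"CidrIp": cidr, "Description": desc}]}
            for proto, port, cidr, desc in allowed
        ],
    }
    return revoke, authorize


def demo():
    """Compare a default-egress web tier SG with an egress-restricted one."""
    web_ingress = [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
                    "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}]
    permissive = SecurityGroup(ingress=web_ingress, egress=[DEFAULT_EGRESS])

    # Hardened: the web tier only needs to reach the database subnet (constructed values).
    _revoke, authorize = egress_allowlist_payloads(
        "sg-0123456789abcdef0", [("tcp", 5432, "10.0.20.0/24", "RDS subnet")])
    restricted = SecurityGroup(ingress=web_ingress, egress=authorize["IpPermissions"])

    results = {}
    for name, sg in (("permissive", permissive), ("restricted", restricted)):
        sg.inbound("tcp", "203.0.113.10", 51000, 443)  # client request arrives
        results[name] = {
            # reply to the client: allowed by state, no egress rule needed
            "response_to_client": sg.outbound("tcp", "203.0.113.10", 51000, 443),
            # legitimate dependency call
            "db_call": sg.outbound("tcp", "10.0.20.15", 5432, 40000),
            # instance-initiated connection to an unexpected destination
            "unexpected_egress": sg.outbound("tcp", "198.51.100.7", 4444, 40001),
        }
    return results


if __name__ == "__main__":
    for sg_name, outcome in demo().items():
        print(sg_name, outcome)
```

Both groups return the HTTPS response and reach the database, but only the restricted group drops the instance-initiated connection to `198.51.100.7:4444`, which is the extra layer the answer talks about. If you apply the payloads for real, call `authorize_security_group_egress` before `revoke_security_group_egress` so existing dependencies are not cut off in between, and for an RDS target you would normally reference the database's security group via `UserIdGroupPairs` rather than a CIDR.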