An AWS Security Group acts as a virtual firewall for your EC2 instances and other supported AWS resources, controlling inbound and outbound traffic. Because Security Groups are applied to instances (more precisely, to their network interfaces) rather than to subnets, you must ensure that every instance in your VPC that should be reachable over the Pureport network is assigned a Security Group that allows that traffic to and from your Pureport-connected locations.
You can provide granular access by adding rules that allow only specific IP addresses or prefixes within your network to access your instances in the VPC.
- For detailed information on AWS Security Groups, refer to "Security Groups for Your VPC" in the Amazon VPC User Guide.
AWS Security Groups are subject to quotas on both the number of rules per Security Group and the number of Security Groups per network interface; each CIDR block or referenced Security Group in a rule counts separately against the per-group quota. For information on raising these limits, see "How do I increase my security group limits in Amazon VPC?" in the AWS Support Center.
Security Group Example
Consider the following Pureport network with:
- AWS VPC in US-EAST-1 (ael-KBtesting-useast1-50mbps)
- Azure VNet in WestUS (ael-KBtesting-westus-50mbps)
- Remote Office (remote-office)
In this example, the networks being advertised via BGP at each connection are:
A web application running in the AWS VPC (reached over the ael-KBtesting-useast1-50mbps connection) listens on HTTPS, TCP port 443. To allow the Azure VNet and Remote Office locations to reach the application, create an AWS Security Group with the following inbound rules, allowing TCP 443 from the prefixes each of those connections advertises, and apply the Security Group to the instances hosting the web application:
Be aware that Security Groups are stateful: if your instance sends a request, the response is allowed back in regardless of the inbound rules, and responses to traffic permitted by an inbound rule are allowed out regardless of the outbound rules. You therefore do not need a matching outbound rule for the return traffic of the HTTPS sessions above.
Security Groups contain only allow rules; any traffic not explicitly allowed is denied. A newly created Security Group has no inbound rules, so all inbound traffic is denied until you add them, but it does come with a default outbound rule allowing all traffic, which you can remove or tighten. Inbound and outbound rules are separate sets, so restricting one does not restrict the other.
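As an added example (not part of the original article or of Pureport's tooling), the following Python builds the inbound rule set for the web-application case above from the prefixes advertised at each connection, counts the rules against the per-group quota, and checks a Security Group for the default allow-all outbound rule described in the previous paragraph. The CIDRs, the group ID and the quota value are assumptions standing in for the article's own table, which is not reproduced here; the boto3 call is included only to show where the rules are applied and is not needed to run the offline checks.

```python
"""Least-privilege Security Group rules for a Pureport-connected VPC.

Added example for this KB article; not Pureport or AWS code. The prefixes
below are constructed placeholders for the networks advertised via BGP at
each connection (the article's table is not reproduced here).
"""
import ipaddress
from typing import Dict, List

# Constructed sample: remote prefixes reachable over the Pureport network,
# keyed by connection name. In practice take these from the BGP routes
# advertised at each connection. All CIDRs here are assumptions.
REMOTE_PREFIXES: Dict[str, List[str]] = {
    "ael-KBtesting-westus-50mbps": ["10.20.0.0/16"],           # Azure VNet (assumed)
    "remote-office": ["192.168.50.0/24", "192.168.51.0/24"],  # Remote Office (assumed)
}

# Assumed default quota of inbound rules per Security Group; check your
# account's current value, it can be raised through AWS Support.
RULES_PER_GROUP = 60

# Constructed describe_security_groups() entry for a freshly created group:
# no inbound rules, plus the default outbound allow-all rule AWS adds.
SAMPLE_NEW_GROUP = {
    "GroupId": "sg-0123456789abcdef0",  # placeholder ID
    "IpPermissions": [],
    "IpPermissionsEgress": [{"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}],
}


def build_https_ingress(prefixes: Dict[str, List[str]]) -> List[dict]:
    """Return an IpPermissions list (the shape boto3's
    authorize_security_group_ingress expects) allowing TCP/443 from every
    advertised IPv4 prefix. Malformed CIDRs and 0.0.0.0/0 are rejected so
    a typo cannot silently expose the application to the internet."""
    ranges = []
    for connection, cidrs in prefixes.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr, strict=True)  # ValueError on bad text or host bits
            if net.version != 4:
                raise ValueError(f"{cidr} from {connection}: IPv6 needs Ipv6Ranges, not shown here")
            if net.prefixlen == 0:
                raise ValueError(f"refusing world-open prefix {cidr} from {connection}")
            ranges.append({"CidrIp": str(net), "Description": f"HTTPS from {connection}"})
    return [{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "IpRanges": ranges}]


def rule_count(permissions: List[dict]) -> int:
    """Each CIDR or referenced group inside a permission counts as one rule
    against the per-group quota; the protocol/port entry itself does not."""
    return sum(
        len(p.get("IpRanges", [])) + len(p.get("Ipv6Ranges", [])) + len(p.get("UserIdGroupPairs", []))
        for p in permissions
    )


def within_quota(permissions: List[dict], quota: int = RULES_PER_GROUP) -> bool:
    """True if the rule set fits the assumed inbound quota for one group."""
    return rule_count(permissions) <= quota


def has_allow_all_egress(group: dict) -> bool:
    """True if the group still carries the default outbound rule (all
    protocols to 0.0.0.0/0). `group` is one element of
    describe_security_groups()['SecurityGroups']."""
    for perm in group.get("IpPermissionsEgress", []):
        if perm.get("IpProtocol") == "-1" and any(
            r.get("CidrIp") == "0.0.0.0/0" for r in perm.get("IpRanges", [])
        ):
            return True
    return False


def apply_ingress(group_id: str, permissions: List[dict], region: str = "us-east-1") -> None:
    """Push the rules to AWS. boto3 is imported lazily so the functions above
    can be exercised offline without credentials (boto3 assumed installed)."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    ec2.authorize_security_group_ingress(GroupId=group_id, IpPermissions=permissions)


if __name__ == "__main__":
    perms = build_https_ingress(REMOTE_PREFIXES)
    print(f"{rule_count(perms)} inbound rules, within quota: {within_quota(perms)}")
    if has_allow_all_egress(SAMPLE_NEW_GROUP):
        print(f"{SAMPLE_NEW_GROUP['GroupId']} still allows all outbound traffic")
    # apply_ingress(SAMPLE_NEW_GROUP["GroupId"], perms)  # requires AWS credentials
```

Because the rules are derived from the advertised prefixes rather than typed by hand, adding a new location to the Pureport network becomes a change to one dictionary, and the strict CIDR parsing catches the most common mistake (a host address where a network address was intended) before anything reaches AWS. The egress check is a simple audit to run over `describe_security_groups` output when you want to confirm the default allow-all outbound rule has actually been tightened.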