Issue
In the port range option of aws inbound/outbound security groups weather we need to mention sourceip port or else destinationip port.
Q1: For example PROD is trying to connect GATEWAY in this case in the gateway inbound security group weather I need to mention the PROD port or else GATEWAY port in the port range column. And in return GATEWAY is trying to connect PROD then in Gateway outbound security group weather I need to mention the PROD port or else GATEWAY port in the port range.
Solution
When defining rules, use the port number associated with the destination. For example:
Laptop
connects toEC2-Instance
- Security Group on
EC2-Instance
permits inbound connections on port 80
It does not matter which port is used as the 'source' port on Laptop
. The security group only looks at the destination port.
Another example:
EC2-Instance
connects towww.example.com
on the Internet- Security Group on
EC2-Instance
permits outbound connections on port 80
It does not matter which port is used as the 'source' port on the EC2-Instance
.
Security Groups in AWS Virtual Private Clouds (VPCs) are stateful. This means that if traffic is allow 'in', then it is also allowed 'out'. So there is no need to define Outbound rules just to respond to Incoming connections. Responses will be automatically permitted purely as a result of having Inbound rules accept the incoming traffic.
Answered By - John Rotenstein Answer Checked By - Marie Seifert (WPSolving Admin)