Friday, April 15, 2022

[SOLVED] Source and destination ports are different, so which port number do I need to mention in the inbound AWS security group?

Issue

In the port range option of AWS inbound/outbound security groups, do we need to mention the source IP's port or the destination IP's port?

Q1: For example, PROD is trying to connect to GATEWAY. In this case, in the GATEWAY inbound security group, do I need to mention the PROD port or the GATEWAY port in the port range column? And in return, when GATEWAY is trying to connect to PROD, in the GATEWAY outbound security group, do I need to mention the PROD port or the GATEWAY port in the port range?


Solution

When defining rules, use the port number associated with the destination. For example:

  • Laptop connects to EC2-Instance
  • Security Group on EC2-Instance permits inbound connections on port 80

It does not matter which port is used as the 'source' port on Laptop. The security group only looks at the destination port.

Another example:

  • EC2-Instance connects to www.example.com on the Internet
  • Security Group on EC2-Instance permits outbound connections on port 80

It does not matter which port is used as the 'source' port on the EC2-Instance.

Security Groups in AWS Virtual Private Clouds (VPCs) are stateful. This means that if traffic is allowed 'in', then it is also allowed 'out'. So there is no need to define Outbound rules just to respond to Incoming connections. Responses will be automatically permitted purely as a result of having Inbound rules accept the incoming traffic.



Answered By - John Rotenstein
Answer Checked By - Marie Seifert (WPSolving Admin)
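The two points of the answer above (rules match only the destination port, and replies are admitted by connection state) can be checked with a small model of a stateful security group. This is an added example, not AWS code or part of the original answer; the instance addresses 10.0.1.5 (PROD) and 10.0.2.10 (GATEWAY), the port numbers and the CIDR are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    direction: str   # "inbound" or "outbound"
    port: int        # port on the packet's DESTINATION, never its source port
    cidr: str        # remote address range the rule applies to

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class StatefulSecurityGroup:
    """Toy model of stateful security-group evaluation (constructed, not AWS code)."""

    def __init__(self, instance_ip, rules):
        self.instance_ip = instance_ip
        self.rules = list(rules)
        self.tracked = set()  # 4-tuples of connections already admitted

    def allows(self, pkt):
        # Stateful: a packet on the reverse path of an admitted connection is
        # allowed even when no rule exists in its own direction.
        if (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.tracked:
            return True
        direction = "inbound" if pkt.dst_ip == self.instance_ip else "outbound"
        remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
        for rule in self.rules:
            if (rule.direction == direction and rule.port == pkt.dst_port
                    and ipaddress.ip_address(remote) in ipaddress.ip_network(rule.cidr)):
                self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
                return True
        return False

def demo():
    """PROD (10.0.1.5) connects to GATEWAY (10.0.2.10) on 443; GATEWAY has only an inbound rule."""
    gateway = StatefulSecurityGroup("10.0.2.10", [Rule("inbound", 443, "10.0.1.0/24")])
    syn = Packet("10.0.1.5", 51234, "10.0.2.10", 443)       # ephemeral source port on PROD
    reply = Packet("10.0.2.10", 443, "10.0.1.5", 51234)     # GATEWAY answering PROD
    new_out = Packet("10.0.2.10", 40000, "10.0.1.5", 8443)  # connection initiated by GATEWAY
    wrong = Packet("10.0.1.5", 51234, "10.0.2.10", 51234)   # PROD's source port as a destination
    return {
        "prod_to_gateway_443": gateway.allows(syn),            # True: destination port matches
        "reply_without_outbound_rule": gateway.allows(reply),  # True: admitted by state
        "gateway_initiated_8443": gateway.allows(new_out),     # False: needs an outbound rule for 8443
        "port_51234_on_gateway": gateway.allows(wrong),        # False: source port never matters
    }
```

The last two results show that an outbound rule is only needed for connections the instance itself opens, and that it too is written with the remote (destination) port.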