Security groups act as virtual firewalls at the instance level: they drop all inbound traffic except what a rule explicitly allows. The rules are evaluated per network interface, because a security group is associated with the instance's elastic network interface (ENI), not with the subnet.
If an instance is launched without a custom security group, it is placed in the VPC's default security group, which has the following rules:
Inbound

| Source | Protocol | Port range |
|---|---|---|
| The group's own ID (sg-0axxx) | All | All |

Outbound

| Destination | Protocol | Port range |
|---|---|---|
| 0.0.0.0/0 | All | All |
This means that two instances associated with the same security group can communicate with each other on any port, while ingress traffic from any other source is dropped: the only permitted inbound source is the group itself.
Security groups are stateful: when a rule allows a flow in one direction, the reply traffic of that flow is allowed in the opposite direction regardless of the rules there. An outbound connection to a web server therefore works even though no inbound rule exists, and a permitted inbound connection can answer even if the outbound rules would not allow it. Only allow rules can be specified; anything not explicitly permitted is denied by default, and there is no way to write a deny rule for a specific source (that is what network ACLs are for).
To test this behavior, launch an EC2 instance in the public subnet, log in to it, and ping aws.amazon.com: the outbound rule allows the echo request and the stateful tracking admits the echo reply. If you instead ping the instance's public IP from your local computer, the request matches no inbound rule and is silently dropped, so the ping times out rather than returning an error. Note that logging in is itself subject to the same rules: with only the default group attached, SSH from your computer is blocked too, so use AWS Systems Manager Session Manager (which needs only outbound access) or temporarily add an SSH inbound rule restricted to your own IP.
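The behaviour described in this section, modelled in Python as an added example (this is not AWS code and not part of the original page): a small evaluator that reads the JSON shape returned by `aws ec2 describe-security-groups`, applies allow-only rules, matches group-ID sources against other members of the same group, and keeps a flow table so replies to admitted traffic pass in the opposite direction. The group ID, VPC ID, account ID and the IP addresses are constructed placeholders; `EniFirewall`, `Packet` and `scenario` are names invented for this example.

```python
"""Added example: a small model of how EC2 security groups evaluate traffic.

Not AWS code. It parses the JSON shape that `aws ec2 describe-security-groups`
returns and applies the properties the text describes: allow-only rules,
group-ID sources matching members of the same group, and stateful tracking
of admitted flows. All identifiers and addresses are constructed placeholders.
"""
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed sample in the describe-security-groups output shape for a VPC
# default group: ingress only from itself, egress to anywhere.
DEFAULT_SG_JSON = """
{"SecurityGroups": [{
  "GroupId": "sg-0a1b2c3d4e5f60718", "GroupName": "default",
  "Description": "default VPC security group", "VpcId": "vpc-0123456789abcdef0",
  "IpPermissions": [
    {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [], "PrefixListIds": [],
     "UserIdGroupPairs": [{"GroupId": "sg-0a1b2c3d4e5f60718", "UserId": "123456789012"}]}
  ],
  "IpPermissionsEgress": [
    {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
     "PrefixListIds": [], "UserIdGroupPairs": []}
  ]
}]}
"""


@dataclass(frozen=True)
class Rule:
    protocol: str            # "-1" means every protocol
    from_port: int | None    # None means every port
    to_port: int | None
    cidrs: tuple             # CIDR sources (ingress) or destinations (egress)
    group_ids: tuple         # security-group sources or destinations


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str                  # "tcp", "udp" or "icmp"
    src_port: int | None = None    # None for ICMP
    dst_port: int | None = None


def parse_rules(permissions):
    """Turn an IpPermissions / IpPermissionsEgress list into Rule objects."""
    return [Rule(p["IpProtocol"], p.get("FromPort"), p.get("ToPort"),
                 tuple(r["CidrIp"] for r in p.get("IpRanges", [])),
                 tuple(g["GroupId"] for g in p.get("UserIdGroupPairs", [])))
            for p in permissions]


def load_group(doc, group_id):
    """Return (ingress_rules, egress_rules) for one group in the JSON document."""
    for g in json.loads(doc)["SecurityGroups"]:
        if g["GroupId"] == group_id:
            return parse_rules(g["IpPermissions"]), parse_rules(g["IpPermissionsEgress"])
    raise KeyError(group_id)


def rule_matches(rule, peer_ip, peer_groups, protocol, port):
    """True if the rule permits traffic with this peer, protocol and service port."""
    if rule.protocol not in ("-1", protocol):
        return False
    if rule.from_port is not None and port is not None and not rule.from_port <= port <= rule.to_port:
        return False
    if any(ipaddress.ip_address(peer_ip) in ipaddress.ip_network(c) for c in rule.cidrs):
        return True
    # A group-ID entry matches any interface that is a member of that group.
    return bool(set(rule.group_ids) & peer_groups)


class EniFirewall:
    """Security-group evaluation for one network interface.

    Rules are allow-only: a packet matching no rule is dropped. A flow admitted
    by a rule is remembered so its reply packets pass without consulting the
    rules of the opposite direction (the stateful behaviour of security groups).
    """
    def __init__(self, local_ip, ingress, egress, membership):
        self.local_ip = local_ip
        self.ingress, self.egress = ingress, egress
        self.membership = membership   # ip -> set of group IDs that interface belongs to
        self.flows = set()             # admitted (peer_ip, protocol, peer_port, local_port)

    def evaluate(self, pkt):
        inbound = pkt.dst_ip == self.local_ip
        peer = pkt.src_ip if inbound else pkt.dst_ip
        peer_port, local_port = ((pkt.src_port, pkt.dst_port) if inbound
                                 else (pkt.dst_port, pkt.src_port))
        key = (peer, pkt.protocol, peer_port, local_port)
        if key in self.flows:
            return "allowed: reply to an established flow"
        rules = self.ingress if inbound else self.egress
        if any(rule_matches(r, peer, self.membership.get(peer, set()), pkt.protocol, pkt.dst_port)
               for r in rules):
            self.flows.add(key)
            return "allowed: %s rule" % ("ingress" if inbound else "egress")
        return "denied: no matching rule"


def scenario():
    """Replays the text's test: ping out works, ping in from a laptop does not,
    and two members of the default group can reach each other."""
    sg_id = "sg-0a1b2c3d4e5f60718"
    ingress, egress = load_group(DEFAULT_SG_JSON, sg_id)
    membership = {"10.0.1.10": {sg_id}, "10.0.1.11": {sg_id}}   # two instances in the group
    fw = EniFirewall("10.0.1.10", ingress, egress, membership)
    remote, laptop = "198.51.100.7", "203.0.113.5"              # documentation-range stand-ins
    return {
        "ping_out": fw.evaluate(Packet("10.0.1.10", remote, "icmp")),
        "ping_out_reply": fw.evaluate(Packet(remote, "10.0.1.10", "icmp")),
        "ping_in_from_laptop": fw.evaluate(Packet(laptop, "10.0.1.10", "icmp")),
        "ssh_from_peer": fw.evaluate(Packet("10.0.1.11", "10.0.1.10", "tcp", 51515, 22)),
        "ssh_reply_to_peer": fw.evaluate(Packet("10.0.1.10", "10.0.1.11", "tcp", 22, 51515)),
    }


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:22s} {verdict}")
```

To run the same evaluation against a real group, replace `DEFAULT_SG_JSON` with the output of `aws ec2 describe-security-groups --group-ids <your-sg-id>`; the parser reads only the `IpPermissions`, `IpPermissionsEgress`, `IpRanges` and `UserIdGroupPairs` fields. The model ignores IPv6 ranges and prefix lists, and its flow table is a deliberately simple stand-in for the connection tracking AWS performs.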