A security group acts as a virtual stateful firewall that controls the traffic for one or more instances. This mandatory firewall is configured in a default deny-all mode and customers must explicitly open the ports needed to allow inbound traffic. Traffic can be restricted by protocol, by service port, and also by source IP address (individual IP or CIDR block) or security group.

Security groups can be configured to set different rules for different classes of instances. Consider, for example, the case of a traditional three-tiered web application. The group for the web servers would have port 80 (HTTP) and/or port 443 (HTTPS) open to the Internet. The group for the application servers would have port 8000 (application specific) accessible only to the web server group. The group for the database servers would have port 3306 (MySQL) open only to the application server group. All three groups would permit administrative access on port 22 (SSH), but only from the customer’s corporate network. This mechanism enables the deployment of highly secure applications.

Although enforced at the hypervisor, security groups have capabilities similar to traditional network firewall appliances, such as stateful packet inspection, centralized configuration, and out-of-band rule administration independent from guest OS configuration. Security groups operate not only between subnets but also on each instance interface, providing interface-level network rule granularity as opposed to the subnet-level granularity of traditional network firewall appliances.