Security group traffic sources
The AWS Management Console lets you control where the instance accepts traffic, which makes a lot of sense. For example, you may accept traffic from anyone who visits your corporate website; as for administrative access to the instance on which your corporate website runs, you may restrict such traffic to your company’s own IP address.
Fortunately, AWS provides a lot of flexibility regarding traffic sources for security group rules. The most obvious source of traffic is from other instances in your application or account. For two instances to communicate within AWS, they must either belong to the same security group or you have to configure an instance’s security group to receive traffic from another security group owned by the same account. (The latter option allows you to set an instance’s security group so that it can receive traffic from every instance that has the source security group attached to it; if they do, they can automatically send and receive traffic to and from each other.)
But what if the source of the traffic isn’t another AWS instance? Then another set of rules comes into play — one that uses IP addresses rather than security groups to identify the source of acceptable network traffic.
If you want to accept network traffic from anywhere, simply enter 0.0.0.0/0 as the traffic source. If you want to accept traffic from a single address — say, 123.45.67.89 — enter 123.45.67.89/32.
Wait — why does one end in /0 and the other in /32? The number following the slash (/) refers to CIDR (Classless Inter-Domain Routing, if you’re curious). IP addresses always consist of 32 bits and are commonly written as four 8-bit segments. CIDR treats the 32 bits differently, using a mask placed over the 32 bits to identify a range of addresses without needing to specify each address. The mask, which is applied from the leftmost bit of the address, identifies how many of the left-hand bits should be considered part of a general pool of addresses; conversely, the remaining bits can be used to identify specific IP addresses within that pool. CIDR notation is used to identify the size of the common pool.
From the perspective of AWS security groups, if your company’s IP address is 123.45.67.89 and you set a security group traffic source of 123.45.67.89/24, you allow 256 computers within your company’s IP address range of 123.45.67.X (where X identifies the specific IP address) to access your instance. Depending on how fine-grained you want access control to be, you can use more or fewer bits in the CIDR mask. And there’s no requirement that the IP address be your company’s — you can set the IP address as a partner’s, and then traffic from that address follows the CIDR mask rule you define.
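To make the CIDR arithmetic concrete, here is an added example (not code from the book or from AWS) that uses Python’s standard ipaddress module to work out the pool a security group source covers and to check a source address against a constructed rule set; the rules, ports and addresses other than the book’s 123.45.67.89 are assumptions.

```python
# Added example (not from the book): evaluating security group CIDR sources
# with Python's standard ipaddress module. The rule set below is constructed.
import ipaddress

def cidr_pool(cidr: str) -> ipaddress.IPv4Network:
    """Normalize a CIDR source the way the mask works: host bits are cleared.
    123.45.67.89/24 therefore becomes the pool 123.45.67.0/24."""
    return ipaddress.ip_network(cidr, strict=False)

def pool_size(cidr: str) -> int:
    """Number of addresses covered by a CIDR source (/32 -> 1, /24 -> 256, /0 -> 2**32)."""
    return cidr_pool(cidr).num_addresses

# Constructed security group rules: (port, CIDR source), mirroring the text's
# pattern of an open web port and an admin port restricted to a company address.
RULES = [
    (443, "0.0.0.0/0"),          # corporate website: accept traffic from anyone
    (22, "123.45.67.89/32"),     # admin access: only the company's own address
]

def is_allowed(src_ip: str, port: int, rules=RULES) -> bool:
    """True if some rule for this port has a CIDR pool containing src_ip."""
    addr = ipaddress.ip_address(src_ip)
    return any(p == port and addr in cidr_pool(c) for p, c in rules)

def exposed_rules(rules=RULES, max_pool=256):
    """Review helper: flag rules whose source pool is wider than max_pool
    addresses, a quick check for over-broad sources such as /0 on admin ports."""
    return [(p, c) for p, c in rules if pool_size(c) > max_pool]

if __name__ == "__main__":
    print(cidr_pool("123.45.67.89/24"), pool_size("123.45.67.89/24"))
    print(is_allowed("98.76.54.32", 443), is_allowed("98.76.54.32", 22))
    print(exposed_rules())
```

Note that `strict=False` mirrors what the mask actually does: the host bits of 123.45.67.89/24 are ignored, so the rule covers 123.45.67.0 through 123.45.67.255.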