What is the difference between inbound and outbound security group rules?

Inbound rules control incoming traffic to your resources (e.g., allowing SSH on port 22 from your IP). Outbound rules control traffic leaving your resources (e.g., allowing HTTPS on port 443 to the internet). By default, security groups allow all outbound traffic and deny all inbound traffic until you add rules.

How do I specify a source or destination in security group rules?

You can specify sources/destinations using CIDR blocks (like 10.0.0.0/16 or 0.0.0.0/0 for anywhere), another security group ID (for instance-to-instance communication), or a prefix list. Using security group references instead of CIDR blocks is a best practice for internal traffic as it adapts to IP changes.

What are common ports I should open in my security group?

Common ports include: SSH (22) for Linux access, RDP (3389) for Windows, HTTP (80) and HTTPS (443) for web traffic, MySQL (3306), PostgreSQL (5432), and MongoDB (27017) for databases, and custom application ports. Always restrict source IPs to the minimum required - avoid 0.0.0.0/0 except for public web servers.

How do I generate Terraform code for security groups?

Our Security Group Builder generates ready-to-use Terraform code with aws_security_group and aws_security_group_rule resources. Simply add your inbound and outbound rules visually, then copy the generated HCL code. The output includes proper resource naming, descriptions, and follows Terraform best practices.

What are security group best practices for AWS?

Key best practices include: use the principle of least privilege (only open required ports), prefer security group references over CIDR for internal traffic, use descriptive names and tags, create separate security groups per application tier, regularly audit rules for unused entries, and never use 0.0.0.0/0 for sensitive ports like SSH or RDP.

Can I attach multiple security groups to an EC2 instance?

Yes, you can attach up to 5 security groups to an EC2 instance (this limit can be increased). When multiple security groups are attached, all rules are evaluated together - traffic is allowed if ANY attached security group permits it. This allows modular security group design where you combine groups for different purposes.

Is this Security Group Builder free to use?

Yes, our Security Group Builder is completely free with no registration required. Design your security group rules visually, add common ports with one click, and generate Terraform or CloudFormation code instantly. Your configurations are processed locally and we never store your data.

sg-builder

AWS Security Group Builder - Free Firewall Rules Generator

Design AWS security group rules visually and generate ready-to-use Terraform or CloudFormation code. Add inbound and outbound rules with quick-add for common ports. Perfect for VPC security planning and infrastructure as code workflows.

Security Group Name

VPC ID

Quick add common rules:

Inbound Rules (1)

Protocol

From Port

To Port

Source CIDR

Description

Outbound Rules (0)

No custom outbound rules. Default allows all outbound traffic.

Generated Code

resource "aws_security_group" "my_security_group" {
  name        = "my-security-group"
  description = "Managed by Terraform"
  vpc_id      = "vpc-xxxxxxxx"

  ingress {
    description = "HTTPS from anywhere"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }

  egress {
    from_port   = 0
    to_port     = 0
    protocol    = "-1"
    cidr_blocks = ["0.0.0.0/0"]
  }

  tags = {
    Name = "my-security-group"
  }
}

Security Best Practices

Avoid using 0.0.0.0/0 for SSH/RDP - restrict to your IP
Use security group references instead of CIDR when possible
Apply principle of least privilege

What You Get

Visual Rule Builder

Add inbound and outbound rules
Quick-add common ports (SSH, HTTP, HTTPS)
Custom protocol and port ranges
CIDR block and security group sources
Rule descriptions for documentation

Code Generation

Terraform HCL output
CloudFormation YAML/JSON
AWS CLI commands
Copy to clipboard instantly
Proper resource naming

Best Practices

Least privilege recommendations
Common port presets
Security group naming conventions
VPC integration patterns
Multi-tier architecture support

How to Use This Tool

Name Your Security Group

Enter a descriptive name and optional description for your security group

Add Rules

Add inbound and outbound rules using quick-add buttons or custom configurations

Export Code

Copy generated Terraform or CloudFormation code for your infrastructure

Common Security Group Ports Reference

Port	Protocol	Service	Recommended Source	Use Case
22	TCP	SSH	Your IP or bastion SG	Linux server access
3389	TCP	RDP	Your IP or VPN	Windows server access
80	TCP	HTTP	0.0.0.0/0 or ALB SG	Web traffic (unencrypted)
443	TCP	HTTPS	0.0.0.0/0 or ALB SG	Web traffic (encrypted)
3306	TCP	MySQL	App server SG only	MySQL/MariaDB database
5432	TCP	PostgreSQL	App server SG only	PostgreSQL database
6379	TCP	Redis	App server SG only	Redis cache/queue
27017	TCP	MongoDB	App server SG only	MongoDB database

Why Security Groups Matter for AWS Infrastructure

Security groups are your first line of defense in AWS. They act as stateful firewalls at the instance level, controlling which traffic can reach your EC2 instances, RDS databases, Lambda functions in VPCs, and other resources. Unlike network ACLs which are stateless, security groups automatically allow return traffic.

Proper security group design follows the principle of least privilege - only opening the exact ports needed for your application to function. This limits the attack surface and contains potential breaches. Referencing other security groups instead of CIDR blocks allows your rules to adapt as IPs change.

Infrastructure as Code tools like Terraform and CloudFormation make security group management reproducible and auditable. Instead of clicking through the AWS console, you define rules in version-controlled code. This enables peer review, automated testing, and consistent deployments across environments.

Multi-tier architectures typically use separate security groups for each layer: a public-facing ALB security group allowing HTTPS from anywhere, an application security group allowing traffic only from the ALB, and a database security group allowing connections only from the application tier. This defense-in-depth approach protects sensitive resources.

Frequently Asked Questions

An AWS Security Group acts as a virtual firewall for your EC2 instances, RDS databases, and other resources. It controls inbound and outbound traffic at the instance level using rules based on protocol, port, and source/destination. Security groups are stateful, meaning if you allow inbound traffic, the response is automatically allowed outbound.

Related Tools