Amazon has updated Security Groups for Amazon VPC
Earlier in April, while adding support for Security Groups within Amazon VPC, Amazon also introduced some major changes, such as:
- outbound filtering
- fine-grained IP protocol tuning
- the ability to apply changes in one fell swoop
But what I found most interesting is that we can now change (add or remove) the Security Groups of a running instance. As an AWS customer, I really appreciate being able to modify my Security Groups without stopping any instance. I can now start an instance without a deep analysis of what my VPC network will look like, and adapt it at any time with minimal impact on the availability of the services my customers consume. In my view this is a major achievement, because I can adapt my security perimeter on the fly.
I still have some open questions:
In terms of security, I'm wondering whether already opened/established connections are dropped if I modify or remove a Security Group rule.
Moreover, AWS added NACLs (Network Access Control Lists), which now allow creating DENY firewall rules. But this seems to require an internet gateway (VPC-specific). This sounds as if Amazon was not able to add ACCEPT/DENY options to Security Group rules, even though they added inbound/outbound options.
Here is the AWS blog post for more information: A New Approach to Amazon EC2 Networking
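As an added illustration (not code from this post or from AWS), here is a small Python model of how the two layers discussed above decide on a packet: a Security Group is allow-only and stateful, so the reply of a tracked flow passes regardless of the outbound rules, while a NACL is stateless and evaluates numbered allow/deny rules lowest number first, with an implicit deny at the end. The rule shape, the "all" protocol name and the sample networks are constructed for the example and simplify the real AWS rule format.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order (NACL only; Security Group rules are unordered)
    action: str      # "allow" or "deny"; Security Groups accept "allow" rules only
    proto: str       # "tcp", "udp", "icmp" or "all" (constructed name for "any protocol")
    port_from: int
    port_to: int
    cidr: str        # peer network: source for inbound, destination for outbound

def matches(rule, proto, port, addr):
    """True when the packet (proto, port, peer address) falls inside the rule."""
    proto_ok = rule.proto in ("all", proto)
    port_ok = rule.proto == "all" or rule.port_from <= port <= rule.port_to
    net_ok = ipaddress.ip_address(addr) in ipaddress.ip_network(rule.cidr)
    return proto_ok and port_ok and net_ok

def nacl_decision(rules, proto, port, addr):
    """NACL: stateless; rules checked lowest number first, first match wins, implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, proto, port, addr):
            return rule.action
    return "deny"

def sg_decision(rules, proto, port, addr, tracked=False):
    """Security Group: stateful and allow-only; a packet of a tracked flow always passes."""
    if tracked:
        return "allow"
    if any(r.action != "allow" for r in rules):
        raise ValueError("Security Groups cannot contain deny rules")
    return "allow" if any(matches(r, proto, port, addr) for r in rules) else "deny"

# Constructed rule sets: both layers allow HTTPS from anywhere, but the NACL
# additionally denies one /24, which a Security Group alone could not express.
SG_IN = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [Rule(100, "deny", "all", 0, 65535, "198.51.100.0/24"),
           Rule(200, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT = [Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]  # ephemeral reply ports

def https_request_allowed(client_ip):
    """Inbound SYN to port 443 must be allowed by both layers."""
    return (nacl_decision(NACL_IN, "tcp", 443, client_ip) == "allow"
            and sg_decision(SG_IN, "tcp", 443, client_ip) == "allow")

def https_reply_allowed(client_ip, client_port, sg_out):
    """Reply to the client: the SG passes it as tracked, the NACL needs an explicit rule."""
    return (nacl_decision(NACL_OUT, "tcp", client_port, client_ip) == "allow"
            and sg_decision(sg_out, "tcp", client_port, client_ip, tracked=True) == "allow")
```

Note that the reply passes the Security Group even with an empty outbound rule list, but is dropped by the NACL if the client's port falls outside the ephemeral range, which is the practical difference between the stateful and the stateless layer.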
Amazon EC2: public cloud
Unfortunately, I'm not a VPC user but an EC2 user, and it's a bit frustrating that these brand new features are not available outside VPC. I'm wondering whether there is any reason not to add these features to Amazon EC2.
Concerning outbound filtering, I can't see any reason not to add it for EC2. I would love to hear more about this.
Last but not least, the "one fell swoop" feature deserves discussion. I think it is a step back from true elasticity. Previously, I just had to create a rule and it was applied automatically and dynamically; now I have to build the rule and then apply it, just like with a traditional firewall.