Amazon Security Groups: VPC vs EC2

Amazon has updated Security Groups for Amazon VPC

Earlier in April, while adding support for Security Groups within Amazon VPC, Amazon also introduced some major changes, such as:

  • outbound filtering
  • fine-grained IP protocol tuning
  • the ability to apply changes in one fell swoop

But what I found most interesting is that we can now change (add/remove) the Security Groups of a running instance. As an AWS customer, I really appreciate being able to modify my Security Groups without stopping any instance. I can now start an instance without a deep analysis of what my VPC network will look like, and adapt it at any time with minimal impact on the availability of the services my customers consume. In my view this is a major achievement, because I can adapt my security perimeter on the fly.
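To make the "change the groups of a running instance" point concrete, here is an added example (my own code, not anything from the original post or from AWS). It uses boto3's EC2 `modify_instance_attribute` call with the `Groups` parameter, which is how the security-group list of a running VPC instance is changed from the API; in line with the post, EC2-Classic instances could not have their groups changed after launch. The caveat the example is built around: that call replaces the instance's entire group list, so the list you send must include every group you want to keep, or you silently drop the one carrying your own SSH access. The instance and group IDs are made up, and `FakeEC2` is a constructed stand-in so the script runs offline; pass `boto3.client("ec2")` in its place for a real run.

```python
"""Change the security groups of a running VPC instance without stopping it.

Added example, not code from the original post.  It relies on the boto3 call
EC2.Client.modify_instance_attribute(InstanceId=..., Groups=[...]), which
REPLACES the instance's whole security-group list rather than adding to it.
The helpers below compute the full replacement list and refuse to drop a
"protected" group (e.g. the one carrying your SSH rule), so a typo cannot
lock you out.  All IDs in the demo are made up.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable, List, Sequence


@dataclass(frozen=True)
class GroupPlan:
    """Outcome of diffing the current group set against the requested change."""
    keep: List[str]
    add: List[str]
    remove: List[str]

    @property
    def target(self) -> List[str]:
        """Full list to send to the API (a replacement, not a delta)."""
        return self.keep + self.add


def plan_group_change(current: Sequence[str], add: Iterable[str] = (),
                      remove: Iterable[str] = (),
                      protected: Iterable[str] = ()) -> GroupPlan:
    """Compute the replacement group list for an instance.

    Raises ValueError if the change would remove a protected group or leave
    the instance with no group at all; the API would happily accept the former.
    """
    current_set = set(current)
    add_set = set(add) - current_set          # groups already attached are a no-op
    remove_set = set(remove) & current_set    # groups not attached are a no-op
    clash = remove_set & set(protected)
    if clash:
        raise ValueError(f"refusing to remove protected group(s): {sorted(clash)}")
    keep = sorted(current_set - remove_set)
    if not keep and not add_set:
        raise ValueError("an instance must keep at least one security group")
    return GroupPlan(keep=keep, add=sorted(add_set), remove=sorted(remove_set))


def current_groups(ec2, instance_id: str) -> List[str]:
    """Security-group IDs currently attached to the instance (DescribeInstances)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    return [g["GroupId"] for g in inst["SecurityGroups"]]


def apply_group_change(ec2, instance_id: str, add=(), remove=(), protected=()) -> GroupPlan:
    """Diff, then replace the instance's group list in a single API call.

    `ec2` is any object exposing describe_instances / modify_instance_attribute
    with boto3's keyword signatures, so boto3.client("ec2") or the offline fake
    below both work.  No write is made when nothing would change.
    """
    plan = plan_group_change(current_groups(ec2, instance_id), add, remove, protected)
    if plan.add or plan.remove:
        ec2.modify_instance_attribute(InstanceId=instance_id, Groups=plan.target)
    return plan


class FakeEC2:
    """Constructed stand-in for the boto3 EC2 client, so this runs offline."""

    def __init__(self, instance_id: str, groups: Sequence[str]):
        self.instance_id = instance_id
        self.groups = list(groups)
        self.calls: List[tuple] = []     # every write is recorded for inspection

    def describe_instances(self, InstanceIds):
        assert InstanceIds == [self.instance_id]
        return {"Reservations": [{"Instances": [{
            "InstanceId": self.instance_id,
            "SecurityGroups": [{"GroupId": g, "GroupName": g} for g in self.groups],
        }]}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append(("modify_instance_attribute", InstanceId, list(Groups)))
        self.groups = list(Groups)      # the API replaces the whole list
        return {"ResponseMetadata": {"HTTPStatusCode": 200}}


if __name__ == "__main__":
    # Made-up IDs: swap the web group for a new one while keeping the SSH group.
    ec2 = FakeEC2("i-0123456789abcdef0", ["sg-0ssh00000", "sg-0web00000"])
    plan = apply_group_change(ec2, "i-0123456789abcdef0",
                              add=["sg-0web00001"], remove=["sg-0web00000"],
                              protected=["sg-0ssh00000"])
    print("keep", plan.keep, "add", plan.add, "remove", plan.remove)
    print("instance now carries", ec2.groups)
```

The `protected` argument is the part worth copying into your own tooling: because the API takes a replacement list, the usual way people lock themselves out is by sending only the new group and forgetting the one that admits their own management traffic.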

I still have some open questions:

In terms of security, I'm wondering whether already opened/established connections are dropped if I modify a Security Group rule or remove it.

Moreover, AWS added NACLs (Network Access Control Lists), which now allow DENY firewall rules to be created. Unlike Security Groups, NACLs are stateless, so return traffic has to be allowed explicitly in the other direction. But this seems to require an Internet gateway (it is VPC-specific). This sounds like Amazon was not able to add ACCEPT/DENY options to Security Group rules, even though they added Inbound/Outbound options.

Here is the AWS blog post for more information: A New Approach to Amazon EC2 Networking

Amazon EC2: public cloud

Unfortunately, I'm not a VPC user but an EC2 user, and it's a bit frustrating that these brand-new features are not available outside VPC. I'm wondering whether there is any reason for not adding these features to Amazon EC2.

Concerning outbound filtering, I can't see any reason not to add it to EC2. I would love to hear more about this.

Last, but not least, the "one fell swoop" feature is worth discussing. I think this is a step back from true elasticity. Previously, I just had to create a rule and it was automatically and dynamically applied; now I have to build the rules and then apply them, just like with a traditional firewall.

/fred
