If I'm configuring UFW and also Amazon EC2 Security group, which will override the other, or do they both co-exist without any issues?
As AWS provides firewall/Security groups which are very efficient, I would say and advocate that it is not required to have an additional firewall program such as UFW.
Security is a shared responsibility between AWS and you. For more information, see Security in Amazon EC2. AWS provides security groups as one of the tools for securing your instances, and you need to configure them to meet your security needs.
By default, new security groups start with only an outbound rule that allows all traffic to leave the resource. You must add rules to enable any inbound traffic or to restrict the outbound traffic.
You can add or remove inbound and outbound rules for any default security group. You can't delete a default security group.
A firewall like UFW is running at the OS level, while Amazon Security Groups are running at the instance level. Traffic coming into the EC2 would first pass through the SG, and then be evaluated by UFW. Take a scenario where traffic is explicitly allowed to pass through the SG but UFW denies it -- in this case UFW would sort of 'override' the settings in the SG.
As long as you manage both effectively they _could_ coexist without issues.
I strongly recommend that you use only "SG (Security Group)" on EC2 even though we can use both "SG" and "UFW". "SG" is a firewall same as "UFW".
When only "SG" allowed "SSH 22" and "UFW" didn't allow "SSH 22", then I logged out of ubuntu, I couldn't log in to ubuntu forever, then I terminated ubuntu.
Even though "SG" allowed "SSH 22", I couldn't log in to ubuntu because "UFW" didn't allow "SSH 22". So if either of them doesn't allow "SSH 22", "SSH 22" doesn't work. If both "SG" and "UFW" allow "SSH 22", "SSH 22" works, then we can log in to ubuntu.
I also experimented with "HTTP 80". When only "SG" allowed "HTTP 80" and "UFW" didn't allow "HTTP 80", "HTTP 80" didn't work. When "SG" and "UFW" allowed "HTTP 80", "HTTP 80" worked.
Just remember like "If both allow, it works" and "If only either of them allows, it doesn't work". Actually, using both of them makes complications and some troubles. So again, I really recommend that you use only "SG" on EC2, which is simpler than using both of them.
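The "both must allow" rule described in the answers above, modelled as an added Python example (not code from any of the posters): it takes constructed samples shaped like the `IpPermissions` entries of `aws ec2 describe-security-groups` and the text of `ufw status`, computes the ports that are effectively reachable (the intersection of the two layers), and flags the SSH lockout the last answer ran into.

```python
"""Inbound traffic must be allowed by BOTH the EC2 security group and UFW.
Inputs below are constructed samples (shaped like describe-security-groups
IpPermissions and `ufw status` output), not values from a real account."""
import re

# Constructed sample: the SG allows TCP 22 and 80 from anywhere.
SG_PERMISSIONS = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
]

# Constructed sample of `ufw status` after `ufw allow 80/tcp` but no SSH rule.
UFW_STATUS = """Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
"""

def sg_allowed_ports(permissions):
    """TCP ports with an inbound security-group rule (port ranges expanded)."""
    ports = set()
    for perm in permissions:
        if perm["IpProtocol"] in ("tcp", "-1"):   # "-1" means all protocols
            lo = perm.get("FromPort", 0)
            hi = perm.get("ToPort", 65535)
            ports.update(range(lo, hi + 1))
    return ports

def ufw_allowed_ports(status_text):
    """TCP ports UFW allows inbound. An inactive UFW filters nothing, so it
    allows everything; an active one allows only single-port ALLOW rules."""
    if not re.search(r"^Status: active", status_text, re.M):
        return set(range(0, 65536))
    ports = set()
    for m in re.finditer(r"^(\d+)(?:/tcp)?\s+ALLOW(?: IN)?\s", status_text, re.M):
        ports.add(int(m.group(1)))
    return ports

def effective_ports(permissions, status_text):
    """Traffic passes only where both layers allow it (set intersection)."""
    return sg_allowed_ports(permissions) & ufw_allowed_ports(status_text)

def ssh_lockout_risk(permissions, status_text, ssh_port=22):
    """True if this SG + UFW combination would cut off SSH access."""
    return ssh_port not in effective_ports(permissions, status_text)
```

Run `ssh_lockout_risk` against the real `ufw status` output before `ufw enable`; if it returns True, add the SSH rule first.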