 

What does Outbound traffic mean for an AWS Security Group assigned to an AWS RDS instance?

Pressing "Launch DB Instance" in the AWS RDS management console is the equivalent of launching a server daemon, if one were to do-it-oneself.

The console also has a setting to associate a "Security Group" to the DB Instance.

The Security Group itself has settings for "Inbound" and for "Outbound" traffic.

[image: inbound and outbound tabs of security groups]

The "Inbound" traffic means requests to the server originating from some client somewhere.

What does "Outbound" traffic mean? Are these simply the responses of the db server? In that case, wouldn't it make sense for Inbound and Outbound to always have the same port range and IP addresses?

Relation to previous questions:

This RDS instance is to be coupled with an ElasticBeanstalk instance, not a VPC.

Calaf asked Aug 24 '17 18:08


2 Answers

No, outbound traffic rules don't affect the responses coming from the DB server to external requests (e.g. query, update, write, etc.), since security groups are stateful:

Security groups are stateful — if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

Outbound traffic rules in a Security Group are used for purposes like downloading patches from external sources for the DB server in RDS.

Ashan answered Sep 28 '22 06:09


AWS security groups are stateful which means you do not need to open the outbound for responses - open only inbound for requests. If you think your instances will be sending requests to certain IPs (for example: to upgrade/install a package), then you need to open the IP/port for that request.

helloV answered Sep 28 '22 07:09
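Both answers above rest on the same fact: a security group is evaluated per direction, but it is stateful, so reply packets ride on the connection that was already allowed and never consult the opposite direction's rules. The following toy model is an added example, not code from the original page, from AWS, or from either answerer. It assumes a DB instance at 10.0.2.10, an app subnet 10.0.1.0/24, a stray client at 203.0.113.7 and a patch server at 198.51.100.20 (all constructed, documentation-range addresses) and models the connection tracking with a simple flow table; real VPC security groups also track UDP/ICMP and time flows out, which this omits.

```python
"""
Toy model of AWS security-group evaluation (added example, not AWS code).

Two facts drive the behaviour discussed on this page:
  * rules are evaluated per direction (inbound vs outbound), and
  * the group is stateful: once a flow is allowed in one direction, the
    reply packets are allowed back without consulting that direction's rules.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", ...
    port_from: int
    port_to: int
    cidr: str       # the remote side of the connection

    def matches(self, protocol: str, port: int, remote_ip: str) -> bool:
        return (self.protocol == protocol
                and self.port_from <= port <= self.port_to
                and ip_address(remote_ip) in ip_network(self.cidr))


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SecurityGroup:
    instance_ip: str
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    # connection-tracking table keyed by
    # (protocol, instance_port, remote_ip, remote_port), so a packet and
    # its reply map to the same key regardless of direction.
    _flows: set = field(default_factory=set)

    def evaluate(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed through the group."""
        if pkt.dst_ip == self.instance_ip:        # inbound to the instance
            key = (pkt.protocol, pkt.dst_port, pkt.src_ip, pkt.src_port)
            rules, port, remote = self.inbound, pkt.dst_port, pkt.src_ip
        elif pkt.src_ip == self.instance_ip:      # outbound from the instance
            key = (pkt.protocol, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            rules, port, remote = self.outbound, pkt.dst_port, pkt.dst_ip
        else:
            return False                          # not our instance at all
        if key in self._flows:
            return True   # reply on an already-allowed flow: rules not consulted
        if any(r.matches(pkt.protocol, port, remote) for r in rules):
            self._flows.add(key)                  # new flow, remember it
            return True
        return False


def rds_scenario(allow_patch_egress: bool) -> dict:
    """Model the RDS group from the question: MySQL from the app tier only."""
    db = SecurityGroup(
        instance_ip="10.0.2.10",                         # constructed address
        inbound=[Rule("tcp", 3306, 3306, "10.0.1.0/24")],  # app subnet only
        outbound=[Rule("tcp", 443, 443, "198.51.100.20/32")]
        if allow_patch_egress else [],               # otherwise nothing out
    )
    query = Packet("tcp", "10.0.1.5", 50000, "10.0.2.10", 3306)
    reply = Packet("tcp", "10.0.2.10", 3306, "10.0.1.5", 50000)
    stray = Packet("tcp", "203.0.113.7", 40000, "10.0.2.10", 3306)
    fetch = Packet("tcp", "10.0.2.10", 51000, "198.51.100.20", 443)
    fetch_reply = Packet("tcp", "198.51.100.20", 443, "10.0.2.10", 51000)
    return {
        "query_allowed": db.evaluate(query),        # inbound rule matches
        "reply_allowed": db.evaluate(reply),        # stateful, outbound ignored
        "stray_client_allowed": db.evaluate(stray), # no inbound rule
        "patch_fetch_allowed": db.evaluate(fetch),  # needs an outbound rule
        "patch_reply_allowed": db.evaluate(fetch_reply),
    }


if __name__ == "__main__":
    for egress in (False, True):
        print(f"outbound 443 rule present: {egress}")
        for name, allowed in rds_scenario(egress).items():
            print(f"  {name}: {allowed}")
```

With an empty outbound list the query and its reply both pass while the instance-initiated fetch is dropped; adding the single 443 rule lets the fetch and its reply through without touching the inbound side. The practical takeaway for the RDS group in the question is that leaving outbound empty (or tightly scoped) does not break query responses, so inbound and outbound do not need mirrored port ranges or addresses.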