- Can be attached to multiple instances
- Locked down to a region / VPC combination
- Does live “outside” the EC2 - if traffic is blocked, the EC2 instance won’t see it
- It’s good to maintain one separate security group for SSH access
- If your application is not accessible (time out), then it’s usually a security group issue
- If your application gives a “connection refused” error, then it’s an application error or its not launched
- All inbound traffic is blocked by default
- All outbound traffic authorized by default
They regulate:
- Access to ports
- Authorized IP ranges - IPv4 and IPv6
- Control of inbound network
- Control of outbound network