Security groups act as virtual firewalls for cloud resources. They filter traffic at the instance level (in practice, per network interface attached to the instance), not at the subnet boundary.
Characteristics:
- Stateful: return traffic for a connection that was allowed in one direction is automatically allowed back, so no matching rule is needed in the other direction
- Default deny inbound: a newly created group has no inbound rules, so nothing is allowed in until you add one
- Default allow all outbound: a new group starts with an allow-all egress rule, which you can delete or tighten
- Apply to instances (their network interfaces), not subnets; subnet-level filtering is done by network ACLs
Rule components:
- Protocol: TCP, UDP, ICMP, or all protocols
- Port range (a single port or a from/to range; ICMP uses type/code instead)
- Source (inbound) or destination (outbound): a CIDR block or a security group ID
Best practices:
- Create a separate group per application tier (for example web, app, data) so each tier's exposure is defined in one place
- Reference security groups by ID instead of IP ranges when the peer is another group, so the rule follows membership rather than addresses that change
- Keep rules minimal: only the protocols, ports and sources each tier actually needs, and no 0.0.0.0/0 or ::/0 source except on services that are intentionally public
Security group rules are allow rules only; there are no deny rules and no rule ordering. All rules are evaluated together and the traffic passes if any one of them matches; traffic that matches no rule is implicitly denied. A consequence is that one overly broad rule (such as a 0.0.0.0/0 source) silently overrides every narrower rule on the same port, since the union of the rules is what counts.
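The following is an added example, not code from the original notes. It models the allow-only, any-match semantics described above and runs the best-practice checks (tiered groups, group references instead of IPs, no unintended world-open rules) over a constructed set of groups. The rule dictionaries are shaped like the `IpPermissions` entries returned by boto3's `ec2.describe_security_groups()`; the three sample groups, their IDs and the `allowed_public` allowlist are assumptions made for illustration and describe no real account.

```python
"""Model security group ingress evaluation and audit it for broad rules.

Added example, not from the original page. Rule dicts follow the shape of
boto3 ``describe_security_groups()`` output; the sample data is constructed.
"""
import ipaddress

WORLD = {"0.0.0.0/0", "::/0"}

# Constructed sample: a web tier open to the world on 443, an app tier that
# accepts only from the web tier's group, and a data tier that accepts from
# the app tier AND (by mistake) from 0.0.0.0/0 on the same port.
SAMPLE_GROUPS = {
    "sg-web": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
    "sg-app": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
    ]},
    "sg-db": {"IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "Ipv6Ranges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [],
         "UserIdGroupPairs": []},
    ]},
}


def _cidrs(perm):
    """All CIDR sources of a rule, IPv4 and IPv6."""
    return ([r["CidrIp"] for r in perm.get("IpRanges", [])]
            + [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])])


def rule_permits(perm, protocol, port, src_ip=None, src_group=None):
    """True if this single ingress rule permits the described connection."""
    proto = perm["IpProtocol"]
    if proto != "-1":                       # "-1" means all protocols/ports
        if proto != protocol:
            return False
        if not perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535):
            return False
    if src_group is not None and any(
            p["GroupId"] == src_group for p in perm.get("UserIdGroupPairs", [])):
        return True
    if src_ip is not None:
        ip = ipaddress.ip_address(src_ip)
        # 'in' is False across IP versions, so mixed v4/v6 never matches
        return any(ip in ipaddress.ip_network(c) for c in _cidrs(perm))
    return False


def ingress_allowed(group, protocol, port, src_ip=None, src_group=None):
    """Allow-only, unordered semantics: pass if ANY rule matches, else deny."""
    return any(rule_permits(p, protocol, port, src_ip, src_group)
               for p in group["IpPermissions"])


def audit(groups, allowed_public=frozenset()):
    """Return (group, protocol, from, to, cidr) for every world-open ingress
    rule not on the allowlist of intentionally public (group, proto, from, to)."""
    findings = []
    for gid, g in groups.items():
        for perm in g["IpPermissions"]:
            proto = perm["IpProtocol"]
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            for cidr in _cidrs(perm):
                if cidr in WORLD and (gid, proto, lo, hi) not in allowed_public:
                    findings.append((gid, proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    # The bad sg-db rule makes the group-reference rule on 5432 irrelevant:
    print(ingress_allowed(SAMPLE_GROUPS["sg-db"], "tcp", 5432, src_ip="203.0.113.5"))
    for f in audit(SAMPLE_GROUPS, allowed_public={("sg-web", "tcp", 443, 443)}):
        print("world-open:", f)
```

The audit deliberately takes an allowlist rather than flagging every 0.0.0.0/0 rule, because a public-facing tier legitimately has one; the finding that matters is the world-open rule that sits beside a narrower group-reference rule, which the any-match evaluation makes redundant.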