amazon web services – Looking for a good explanation of how AWS Security groups behave

I’m struggling to get my head round port ranges described by AWS Security Groups and how they behave. I’m a software developer with many years of experience writing networking software, so it’s possible I’m just overcomplicating things.

What I’m really looking for is a way to tie up my networking knowledge with the naming and behaviour of AWS.

What confuses me the most is that on a TCP or UDP packet there are two port numbers (the sender’s and the recipient’s). And this applies whether the packet is being sent from server to client or client to server. So firewall rules can theoretically refer to 4 different ports:

  1. Inbound packet recipient port
  2. Inbound packet sender port
  3. Outbound packet recipient port
  4. Outbound packet sender port

I realise that any (TCP) connection will in practice have only two ports because inbound and outbound packets are mirrors of each other.

Now with all that in mind, the AWS console has just one port for inbound rules and one port for outbound rules. And when I look for examples they often include reference to allowing every port outbound on the same group as a single port inbound (see the Terraform example).

What precisely does this do?

I’m worried because… I seem to need this egress rule. This seems to allow any client to connect to port 443, from any port. (That’s fine). But can the egress rule from one security group be combined with the ingress rule from another?

E.g. if I add a network group to let my machine act as an HTTP(S) server, like the example, and then I add another rule to let it act as an HTTP(S) client, then I will have one rule allowing any port from anywhere and one rule allowing any port to anywhere. Does that completely open up the firewall, or must each packet match a security group completely?
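The Terraform example the question refers to is not reproduced on the page, so the following is an added illustration of the rule shape being described (one port inbound, every port outbound), written for this page rather than taken from the post or from any project. It assumes a `var.vpc_id` variable and a `var.ami_id` variable that are not part of the original; the resource names `web` and `client` are likewise made up for the example. The comments state what each port field means in a security group rule and how the two groups combine when both are attached to one instance.

```hcl
# Added example: a "server" group of the shape the question describes.
# In a security group rule, from_port/to_port is always the DESTINATION
# port range of the packet that opens the connection. Source ports are
# never specified: AWS treats them as "any".
resource "aws_security_group" "web" {
  name        = "web-server"              # assumed name
  description = "HTTPS in from anywhere, anything out"
  vpc_id      = var.vpc_id                # assumed variable

  ingress {
    description = "Clients connecting TO port 443 on this instance"
    from_port   = 443                     # destination port on the instance
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]           # any source IP, any source port
  }

  # The wide egress rule is not what lets the instance answer on port 443.
  # Security groups are stateful: once an inbound connection is allowed,
  # its reply packets are permitted regardless of egress rules. This rule
  # only matters for connections the instance itself initiates.
  egress {
    description = "Connections initiated by the instance, to any port"
    from_port   = 0
    to_port     = 0
    protocol    = "-1"                    # -1 = all protocols (ports ignored)
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Added example: a "client" group that only lets the instance open
# outbound HTTPS connections. It has no ingress block at all; because of
# statefulness, the responses to those connections are still allowed in.
resource "aws_security_group" "client" {
  name        = "https-client"            # assumed name
  description = "Outbound HTTPS only"
  vpc_id      = var.vpc_id

  egress {
    description = "This instance connecting TO port 443 on remote hosts"
    from_port   = 443                     # destination port on the remote host
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Attaching both groups to one instance. Security group rules are
# allow-only and are aggregated across every group attached to the
# interface: a packet is allowed if ANY rule in ANY attached group
# matches it, so the instance ends up with ingress 443/tcp plus the
# union of the two egress rules, but no ingress beyond 443.
resource "aws_instance" "example" {
  ami           = var.ami_id              # assumed variable
  instance_type = "t3.micro"

  vpc_security_group_ids = [
    aws_security_group.web.id,
    aws_security_group.client.id,
  ]
}
```

Because rules only ever name the destination port of the connection's first packet and the state table handles the replies, the common "allow all egress" rule can be narrowed to exactly the outbound connections the instance needs to initiate (as in the `client` group) without breaking inbound service on port 443.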