Basic Question about AWS Security Groups - When do use Inbound vs Outbound?

Time:09-01

I had a very specific question regarding SGs, specifically around Inbound and Outbound rules.

Situation: Let's say we have an EC2 instance with SG-12345 which is trying to talk to a MySQL database on SG-98765, and I want the EC2 instance to talk to the database. I read in the AWS documentation that Security Groups are stateful. Given this, the question I had was:

Is there any difference between adding the DATABASE SG (SG-98765) to the OUTBOUND RULES of the EC2 (SG-12345) vs adding the EC2 SG (SG-12345) to the INBOUND RULES of the DATABASE SG (SG-98765)?

CodePudding user response:

Is there any difference between adding the DATABASE SG (SG-98765) to the OUTBOUND RULES of the EC2 (SG-12345) vs adding the EC2 SG (SG-12345) to the INBOUND RULES of the DATABASE SG (SG-98765)?

Yes. If you don't add both rules, the connection will be denied.

The statefulness of security groups does not apply across multiple security groups. It simply allows responses to requests that were permitted by the security group to also be permitted by the security group. Both security groups still have to allow the initial network request.

Often you will see security groups on an EC2 instance allow all outbound traffic by default, or allow all outbound traffic to the VPC CIDR perhaps. And then the inbound rules on the database would control what can actually connect to the database.
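The evaluation the answer describes, as an added toy model that is not part of the original post and not AWS code: each security group evaluates its own rules and keeps its own connection table, so the initial request has to pass the EC2 group's outbound rules AND the database group's inbound rules, while the reply passes both groups on state alone. The SG IDs, ports, the rule tuple format and the packet format are constructed for this illustration; CIDR matching is simplified to the literal "0.0.0.0/0".

```python
"""Toy model of stateful security-group evaluation (illustration only, not AWS code).

Constructed assumptions: SG IDs sg-12345 (EC2) and sg-98765 (MySQL), a rule is
(protocol, port or "all", peer SG id or "0.0.0.0/0"), and a packet carries the
sending and receiving SG ids instead of real addresses.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

Rule = Tuple[str, object, str]            # (protocol, port | "all", peer sg-id | "0.0.0.0/0")
FlowKey = Tuple[str, int, str, int, str]  # (src_sg, sport, dst_sg, dport, proto)


@dataclass(frozen=True)
class Packet:
    src_sg: str
    sport: int
    dst_sg: str
    dport: int
    proto: str = "tcp"

    def flow(self) -> FlowKey:
        return (self.src_sg, self.sport, self.dst_sg, self.dport, self.proto)

    def reverse_flow(self) -> FlowKey:
        # Key under which the *other* direction of this conversation was recorded.
        return (self.dst_sg, self.dport, self.src_sg, self.sport, self.proto)


@dataclass
class SecurityGroup:
    sg_id: str
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)
    conntrack: Set[FlowKey] = field(default_factory=set)  # flows this SG has permitted

    @staticmethod
    def _rules_allow(rules: List[Rule], pkt: Packet, peer: str) -> bool:
        return any(
            proto == pkt.proto and port in (pkt.dport, "all") and rpeer in (peer, "0.0.0.0/0")
            for proto, port, rpeer in rules
        )

    def permits(self, pkt: Packet, direction: str) -> bool:
        # Stateful part: a reply to a flow this SG already allowed needs no rule.
        if pkt.reverse_flow() in self.conntrack:
            return True
        if direction == "outbound":
            allowed = self._rules_allow(self.outbound, pkt, pkt.dst_sg)
        else:
            allowed = self._rules_allow(self.inbound, pkt, pkt.src_sg)
        if allowed:
            self.conntrack.add(pkt.flow())
        return allowed


def deliver(pkt: Packet, groups: Dict[str, SecurityGroup]) -> bool:
    # Sender's SG evaluates outbound, receiver's SG evaluates inbound; both must permit.
    return (groups[pkt.src_sg].permits(pkt, "outbound")
            and groups[pkt.dst_sg].permits(pkt, "inbound"))


def scenario(ec2_outbound: List[Rule], db_inbound: List[Rule]) -> Dict[str, bool]:
    """Run a MySQL request, its reply, and an unsolicited DB->EC2 packet."""
    ec2 = SecurityGroup("sg-12345", outbound=ec2_outbound)
    db = SecurityGroup("sg-98765", inbound=db_inbound)
    groups = {g.sg_id: g for g in (ec2, db)}
    request = Packet("sg-12345", 54321, "sg-98765", 3306)       # EC2 -> MySQL
    reply = Packet("sg-98765", 3306, "sg-12345", 54321)         # MySQL -> EC2 (same flow)
    unsolicited = Packet("sg-98765", 40000, "sg-12345", 22)     # new connection from DB side
    req_ok = deliver(request, groups)
    return {
        "request": req_ok,
        "reply": deliver(reply, groups) if req_ok else False,
        "unsolicited_from_db": deliver(unsolicited, groups),
    }


if __name__ == "__main__":
    print("outbound on EC2 only:", scenario([("tcp", 3306, "sg-98765")], []))
    print("inbound on DB only:  ", scenario([], [("tcp", 3306, "sg-12345")]))
    print("both rules:          ", scenario([("tcp", 3306, "sg-98765")], [("tcp", 3306, "sg-12345")]))
    print("allow-all egress + DB inbound:",
          scenario([("tcp", "all", "0.0.0.0/0")], [("tcp", 3306, "sg-12345")]))
```

The last scenario is the common layout the answer mentions: the EC2 group allows all outbound traffic and the database group's inbound rule referencing sg-12345 is what actually decides who may connect. In every case the unsolicited packet from the database side is denied, because connection state only covers replies to flows each group has already permitted.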
