Tags: amazon-web-services, amazon-rds, aws-security-group

AWS Security Group Meaning of Port 0 in Custom TCP Rule


I have a Custom TCP rule in Outbound Security Configuration with Port Range as 0. Does this 0 mean it is open to all ports to the IP range provided in the rule? I have faced issues with this 0 as port; when I changed this to the correct port (5432) number it works fine.


Solution

  • I assume you are talking about the inbound rules (ingress) and outbound rules (egress) of a security group. A security group is a firewall around an AWS component; in your case, as you're using port 5432, a PostgreSQL RDS database.

    I just tested it on my side. I had a working inbound rule for accessing an EC2 server. When I changed the port to 0, I could no longer access it. If you were to allow inbound/outbound traffic to all the ports you would specify: 0-65535

    [image: screenshot of a security group inbound rule]

    So as far as I can tell port 0 specified on its own doesn't seem to give any access.

    Besides the 0-65535 port range, there is another valid port value when working with CloudFormation: -1. This is used for the ICMP and ICMPv6 protocols. Some mention of it here. You can not specify -1 as a port number when working with the AWS GUI.

    If you are worried about security and just want to create an inbound rule for yourself - make sure to specify your /32 CIDR as a suffix to the IP address as per the previous image where TCP access is given across all ports to someone at the 1.2.3.4 IP address. Using a CIDR other than /32 will allow access to other IP addresses O_O

    If you are new to working with security groups also please note the following:

    Security groups are stateful - if you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound security group rules. Responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

    In other words, don't create a possible security risk by unnecessarily duplicating inbound rules to outbound rules (or vice versa) if you mistakenly thought that you had to create an inbound/outbound rule to handle the responses to the allowed inbound/outbound traffic.
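As an added example (not from the answer above), a small Python check over security group rules written with the EC2 API field names (IpProtocol, FromPort, ToPort, CidrIp): it shows why a range of 0-0 matches nothing a service listens on while 0-65535 matches everything, and it flags over-broad ranges and CIDRs wider than /32 before a rule is applied. The rule layout and the ICMP simplification are assumptions made for this example.

```python
import ipaddress

ALL_PORTS = (0, 65535)


def rule_matches(rule, ip, port=None):
    """Return True if a security-group rule permits traffic to `ip` on `port`.

    `rule` mirrors the EC2 API fields: IpProtocol ('tcp', 'udp', 'icmp',
    'icmpv6' or '-1' for all), FromPort, ToPort and CidrIp.
    Assumption for this example: for ICMP, AWS uses FromPort/ToPort as
    type/code and -1 means "all", so `port` is ignored for ICMP here.
    """
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(rule["CidrIp"], strict=False):
        return False
    proto = rule["IpProtocol"]
    if proto == "-1":              # all protocols, all ports
        return True
    if proto in ("icmp", "icmpv6"):
        return True                # -1/-1 covers every ICMP type/code
    if port is None:
        raise ValueError("port is required for tcp/udp rules")
    lo, hi = rule["FromPort"], rule["ToPort"]
    # A range of 0-0 only matches port 0, which no real service listens on,
    # so a rule entered as plain "0" grants no useful access.
    return lo <= port <= hi


def lint_rule(rule):
    """Return the warnings a reviewer would raise about one rule."""
    warnings = []
    if rule["IpProtocol"] in ("tcp", "udp"):
        lo, hi = rule["FromPort"], rule["ToPort"]
        if (lo, hi) == (0, 0):
            warnings.append("port range 0-0 matches nothing useful; did you mean 0-65535 or a specific port?")
        if (lo, hi) == ALL_PORTS:
            warnings.append("rule opens every port; restrict to the service port (e.g. 5432 for PostgreSQL)")
    net = ipaddress.ip_network(rule["CidrIp"], strict=False)
    if net.num_addresses > 1:
        warnings.append(f"CIDR {rule['CidrIp']} covers {net.num_addresses} addresses, not a single /32 host")
    return warnings


if __name__ == "__main__":
    # Constructed sample rules: the "0" rule from the question and the fixed 5432 rule.
    for r in ({"IpProtocol": "tcp", "FromPort": 0, "ToPort": 0, "CidrIp": "1.2.3.4/32"},
              {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432, "CidrIp": "1.2.3.4/32"}):
        print(r["FromPort"], r["ToPort"], rule_matches(r, "1.2.3.4", 5432), lint_rule(r))
```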