
While playing around with AWS console, I tried the following

  1. Launched an EC2 instance (public IP enabled) in the default VPC with the default security group, and default subnet.
  2. EC2 launched in the default subnet with a public IP.
  3. Pinged the EC2 instance from the command prompt using the public IP.
  4. Got "request timed out".
  5. Noticed that the default security group inbound rule allows traffic only from sources within the security group.
  6. Modified the security group inbound rule and allowed traffic from anywhere (0.0.0.0/0).
  7. Pinged the EC2 instance using the public IP again.
  8. Got a response from the server. All good until now.
  9. Ping replies from the EC2 host continue to show up in the console.
  10. I deleted the inbound security group rule. Now there are no inbound rules for the security group.
  11. On the terminal, replies from the EC2 instance continue to show.

My question is: why am I seeing a reply from the host (EC2 instance) even though the security group's inbound rule has been deleted?

Doesn't a change to the inbound security group rules apply immediately? Why does the host (EC2 instance) continue responding without an inbound security group rule?

Nishant

1 Answer


The change applies immediately, but security group rules control the establishment of new traffic flows (identified by source and destination address, protocol, and port numbers for protocols that use port numbers).

Depending on the specific rule in question, flows may or may not be actively tracked by the network, but ICMP flows are always tracked. Once a tracked flow is established, the flow no longer needs to match a rule because the network has created a state table entry for the flow that will persist until the network removes it, either due to an inactivity timeout or due to a close/reset for connection-oriented protocols like TCP.

Tracked flows are not disrupted by removal of the rule that allowed them to be created.

Stop the ping and restart it. If it continues to work, stop it and wait a few seconds before restarting it. You should find that shortly after removing the rule, a new attempt to ping the target instance results in a timeout.

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html#security-group-connection-tracking

Michael - sqlbot
  • "Stop the ping and restart it. If it continues to work, stop it and wait a few seconds before restarting it. You should find that shortly after removing the rule, a new attempt to ping the target instance results in a timeout." - This is exactly what happened. Thanks for the answer. – Nishant Apr 20 '19 at 00:58