Wednesday, December 25, 2024

AWS Security Group: What Does It Mean When We Say It Is Stateful?

A Security Group acts as a virtual firewall that controls the inbound and outbound network traffic for your EC2 instances within a VPC. A newly created Security Group has no inbound rules, so all incoming traffic is blocked until you explicitly allow it, and a single outbound rule that allows all outgoing traffic.


Default Security Group Behavior:

  • Stateful: if outbound traffic is allowed, the response traffic belonging to that connection is automatically allowed back in, even when no inbound rule matches it. The reverse also holds: responses to allowed inbound traffic are allowed out regardless of the outbound rules.
  • Rules are applied at the instance level.
  • Rules are allow rules only; there are no deny rules, and anything not explicitly allowed is dropped.
  • Inbound rules specify the allowed source IP ranges, protocols, and ports; outbound rules specify the allowed destination IP ranges, protocols, and ports.

Let's understand the stateful behavior of Security Groups in detail with a simple example:
Launch a new EC2 instance. The public IP allocated to it is 3.95.203.191.
Inbound rule: by default the Security Group blocks all incoming traffic, so I added one inbound rule allowing SSH on TCP port 22.
Outbound rule: "Allow all outbound traffic", the default outbound rule, left unchanged.
I logged into the EC2 instance via SSH, and the login succeeded because of the inbound rule allowing port 22.
After logging in, I fired an HTTP GET request to retrieve the quote for the ticker symbol IBM:

curl -X GET "https://www.alphavantage.co/query?function=GLOBAL_QUOTE&symbol=IBM&apikey=your_api_key"

I got the response back in my EC2 terminal. So now we can ask: how did the response get in if the Security Group has no inbound rule for it? The answer lies in the statefulness of the Security Group.
Security Groups are stateful, meaning traffic that belongs to a connection the instance already opened outbound is allowed back in. When the curl request leaves the instance, the Security Group records the connection: protocol, the instance's IP and the ephemeral source port curl used, and the destination IP and port 443 of www.alphavantage.co. The response comes back from port 443 to that ephemeral port, matches the tracked connection, and is allowed in even though no inbound rule permits port 443 or the remote address. A packet to the same ephemeral port that does not belong to that tracked connection, or a fresh inbound connection attempt to port 443 on the instance, is still dropped.
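The following toy model is an added illustration, not part of the original post and not AWS code. It replays the experiment above against a tiny allow-only rule evaluator that, like a Security Group, records each connection it allows and lets the reply packets of that connection through without a rule lookup. The same scenario can be run with tracking switched off, which is how a stateless filter (an AWS network ACL, for example) would judge the packets: the SSH login and the outbound curl still pass, but the HTTPS response to the ephemeral port is dropped. The instance IP is the one from the post; the admin and API addresses are constructed documentation ranges standing in for the SSH client and www.alphavantage.co.

```python
# Toy model of stateful vs. stateless firewall evaluation (added illustration,
# not AWS code). Rules are "allow" only, as in a Security Group. A stateful
# evaluator records each allowed connection and lets the reply packets of that
# connection through with no rule lookup; a stateless one judges every packet
# against the rules alone.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reverse(self):
        """The same connection as seen from the other direction."""
        return Packet(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


@dataclass(frozen=True)
class Rule:
    proto: str       # "tcp", "udp", or "-1" for any protocol (AWS notation)
    port_from: int
    port_to: int
    cidr: str        # toy matcher: only "0.0.0.0/0" or an exact /32 is supported

    def matches(self, proto, port, ip):
        if self.proto != "-1":
            if self.proto != proto or not (self.port_from <= port <= self.port_to):
                return False
        return self.cidr == "0.0.0.0/0" or self.cidr == f"{ip}/32"


class SecurityGroup:
    def __init__(self, inbound, outbound, stateful=True):
        self.inbound = inbound
        self.outbound = outbound
        self.stateful = stateful
        self.tracked = set()    # connections already allowed by a rule

    def _is_tracked(self, pkt):
        return self.stateful and (pkt in self.tracked or pkt.reverse() in self.tracked)

    def _evaluate(self, pkt, rules, port, ip):
        """Returns (allowed, reason). Tracking is consulted before the rules."""
        if self._is_tracked(pkt):
            return True, "tracked connection"
        for rule in rules:
            if rule.matches(pkt.proto, port, ip):
                if self.stateful:
                    self.tracked.add(pkt)
                return True, f"rule {rule}"
        return False, "no matching rule"

    def egress(self, pkt):
        """Instance -> remote: outbound rules look at the destination IP and port."""
        return self._evaluate(pkt, self.outbound, pkt.dst_port, pkt.dst_ip)

    def ingress(self, pkt):
        """Remote -> instance: inbound rules look at the source IP and destination port."""
        return self._evaluate(pkt, self.inbound, pkt.dst_port, pkt.src_ip)


INSTANCE_IP = "3.95.203.191"   # the instance from the post
ADMIN_IP = "203.0.113.10"      # constructed: the machine we SSH from
API_IP = "198.51.100.7"        # constructed stand-in for www.alphavantage.co


def run_scenario(stateful=True):
    """Replays the post's experiment and returns which packets got through."""
    sg = SecurityGroup(
        inbound=[Rule("tcp", 22, 22, "0.0.0.0/0")],      # the one rule the post added
        outbound=[Rule("-1", 0, 65535, "0.0.0.0/0")],    # default: allow all outbound
        stateful=stateful,
    )
    ssh = Packet("tcp", ADMIN_IP, 51515, INSTANCE_IP, 22)
    https = Packet("tcp", INSTANCE_IP, 41234, API_IP, 443)   # curl's ephemeral port
    return {
        "ssh_in": sg.ingress(ssh)[0],                        # allowed by the port-22 rule
        "ssh_reply_out": sg.egress(ssh.reverse())[0],        # reply to the tracked SSH flow
        "https_out": sg.egress(https)[0],                    # allowed by allow-all outbound
        "https_reply_in": sg.ingress(https.reverse())[0],    # no inbound rule; only tracking lets it in
        "stray_to_ephemeral": sg.ingress(Packet("tcp", API_IP, 443, INSTANCE_IP, 41235))[0],
        "new_inbound_443": sg.ingress(Packet("tcp", ADMIN_IP, 40000, INSTANCE_IP, 443))[0],
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", run_scenario(stateful=mode))
```

With tracking on, https_reply_in is allowed and the two unsolicited inbound packets are dropped; with tracking off, the identical rule set drops the HTTPS response as well, which is exactly the difference the word "stateful" describes.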


Conclusion :

Inbound traffic is blocked by default unless it is explicitly allowed by an inbound rule or is the response to a connection the instance itself initiated. Because the Security Group remembers those connections and matches responses against them, it is stateful.
