Why have both security groups and iptables on Amazon EC2?

Solution 1:

The security groups add no load to your server - they are processed externally, and block traffic to and from your server, independent of your server. This provides an excellent first line of defense that is much more resilient than the one residing on your server.

However, security groups are not state-sensitive, you cannot have them respond automatically to an attack for instance. IPTables are well suited to more dynamic rules - either adapting to certain scenarios, or providing finer grained conditional control.

Ideally you should use both to complement each other - block all the ports possible with your security group, and use IPTables to police the remaining ports and protect against attacks.

Solution 2:

Think about the security group like a hardware firewall in a normal networking scenario. I guess you wouldn't really have to use both unless you had a special scenario, for example: you have a security group called webservers that controls access to web servers. You want to block an IP from hitting port 80 on one of those servers but not all of them. So what you would want to do is go into iptables on that one server and do the block, as opposed to doing it in the security group which would apply to all the servers in that security group...
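The division of labour both answers describe, as an added example that is not part of either answer and does not call AWS or iptables: a small Python model in which a security group is a static allow-list evaluated before traffic reaches the instance, and a per-host firewall is a chain with dynamic state (an explicit per-IP block on one server, plus a sliding-window rate limit standing in for the kind of adaptive rule Solution 1 has in mind). The group name `webservers` is taken from Solution 2; the addresses, ports, limit and time window are constructed for the demonstration.

```python
"""Two-layer packet filtering: an externally evaluated security group
in front of a stateful per-host firewall (illustrative model only)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int
    proto: str = "tcp"
    t: float = 0.0  # arrival time in seconds (constructed clock)


@dataclass
class SecurityGroup:
    """Models an EC2 security group: a static allow-list evaluated outside
    the instance. Anything not explicitly allowed is dropped, and the rule
    set cannot change in response to what it sees."""
    name: str
    allow: Set[Tuple[str, int]] = field(default_factory=set)  # (proto, port)

    def permits(self, pkt: Packet) -> bool:
        return (pkt.proto, pkt.dst_port) in self.allow


@dataclass
class HostFirewall:
    """Models iptables on one instance: an explicit per-source block for a
    port, plus a sliding-window rate limit (in the spirit of the 'recent'
    and 'hashlimit' matches) that reacts to a burst from one source."""
    blocked: Set[Tuple[str, int]] = field(default_factory=set)  # (src_ip, port)
    limit: int = 5          # connections allowed per source inside the window
    window: float = 10.0    # window length in seconds
    _seen: Dict[str, Deque[float]] = field(
        default_factory=lambda: defaultdict(deque))

    def block(self, src_ip: str, port: int) -> None:
        self.blocked.add((src_ip, port))

    def accepts(self, pkt: Packet) -> str:
        if (pkt.src_ip, pkt.dst_port) in self.blocked:
            return "DROP host-block"
        recent = self._seen[pkt.src_ip]
        # Expire timestamps that fell out of the window.
        while recent and pkt.t - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.limit:
            return "DROP rate-limit"
        recent.append(pkt.t)
        return "ACCEPT"


@dataclass
class Instance:
    name: str
    sg: SecurityGroup
    fw: HostFirewall = field(default_factory=HostFirewall)

    def deliver(self, pkt: Packet) -> str:
        """Security group first; only permitted traffic reaches the host chain."""
        if not self.sg.permits(pkt):
            return "DROP security-group"  # never consumes CPU on the instance
        return self.fw.accepts(pkt)


def build_demo() -> Tuple[Instance, Instance]:
    # Both servers share one group that only opens 80 and 443.
    webservers = SecurityGroup("webservers", {("tcp", 80), ("tcp", 443)})
    web1 = Instance("web1", webservers)
    web2 = Instance("web2", webservers)
    # Solution 2's case: block one source on port 80 on web1 only.
    web1.fw.block("203.0.113.5", 80)
    return web1, web2


def run_demo() -> Dict[str, object]:
    web1, web2 = build_demo()
    results: Dict[str, object] = {}
    # SSH is not in the group: dropped before reaching either host.
    results["ssh_from_internet"] = web1.deliver(Packet("198.51.100.9", 22))
    # The group allows port 80, so only the host rule on web1 stops this source.
    results["blocked_ip_web1"] = web1.deliver(Packet("203.0.113.5", 80))
    results["blocked_ip_web2"] = web2.deliver(Packet("203.0.113.5", 80))
    # A burst of eight connections in four seconds: the host rate limit
    # (dynamic state the group has no equivalent for) cuts it off after five.
    results["burst"] = [web2.deliver(Packet("198.51.100.9", 80, t=i * 0.5))
                        for i in range(8)]
    return results


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running the block prints one decision per scenario: the SSH probe is dropped by the group, the blocked source is refused on web1 but accepted on web2 (the same group, a different host chain), and the burst gets five `ACCEPT` decisions followed by three `DROP rate-limit`. The point is the ordering: everything the group can refuse never reaches the instance, and the host firewall only has to handle what is left.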

Tags:

Amazon Ec2