What Is a Security Group? A Virtual Firewall for Resources
A security group is a stateful virtual firewall attached to cloud resources that decides which inbound and outbound traffic is allowed, based on rules you define.
In a cloud network, a security group wraps a resource and filters traffic by port, protocol, and source. It is stateful, so a permitted inbound request automatically allows its reply out. Misconfigured security groups are one of the most common reasons a pipeline cannot reach a database or service it is deploying to.
Rules by port and source
A security group rule allows traffic on a port or range from a specified source, which can be an IP range or another security group. Anything not explicitly allowed is denied.
Stateful filtering
Because security groups are stateful, you only need an inbound rule for a request; the response is allowed back automatically. This differs from stateless network ACLs, which need rules in both directions.
Inbound and outbound
- Inbound rules control who can connect to the resource.
- Outbound rules control where the resource can reach.
- Defaults often allow all outbound and deny all inbound.
Security groups and CI access
A runner deploying to a database needs an inbound rule on the database security group permitting the runner source on the database port. Without it, the connection times out.
Referencing other groups
Cleaner setups let one security group reference another instead of hardcoding IPs. This is robust against changing runner addresses, unlike pinning to a specific IP that may rotate.
A block is not a blip
A security group denial fails identically every run until you add the rule, so it is not retryable. Latchkey runners retry genuine transient timeouts, but a security-group block must be fixed by opening the right rule.
Key takeaways
- A security group is a stateful virtual firewall controlling traffic to a resource.
- Allowed inbound requests get their replies back automatically because it is stateful.
- A blocked connection is a rule problem to fix, not a transient failure to retry.