Home / Network Security / Fix AWS Security Group Blocking Traffic

Network Security

Fix AWS Security Group Blocking Traffic

Resolve security group traffic blocking by checking inbound rules, port configuration, source ranges, and rule priority.

Published: Apr 1, 20266 min readBy FixWikiHub Editorial Team

Abstract illustration for a troubleshooting knowledge base category.

Introduction

AWS Security Groups act as virtual firewalls controlling inbound and outbound traffic to EC2 instances, RDS databases, and other resources. When traffic is blocked, services can't communicate, causing connection timeouts and application failures.

Symptoms

Connection timeout:

```bash $ curl -v http://ec2-ip.compute.amazonaws.com:80

curl: (28) Failed to connect to IP port 80: Connection timed out ```

SSH connection refused:

```bash $ ssh -i key.pem ec2-user@ec2-ip.compute.amazonaws.com

ssh: connect to host IP port 22: Connection refused ```

Application connectivity failure:

```bash $ telnet ec2-ip 3306

Trying IP... telnet: Unable to connect to remote host: Connection timed out ```

Common Causes

1.Inbound rule missing - No rule allows traffic on required port
2.Wrong source specified - Source IP/CIDR doesn't include your IP
3.Wrong port configured - Rule allows different port
4.Protocol mismatch - TCP rule but UDP traffic
5.Rule order issue - Specific deny overrides allow (NACLs)
6.Multiple security groups - Conflicting rules across groups
7.Network ACL blocking - Subnet NACL more restrictive

Step-by-Step Fix

1.Check logs for specific error messages
2.Verify configuration settings
3.Test network connectivity
4.Review recent changes
5.Apply corrective action
6.Verify the fix

Step 1: Check Security Group Rules

```bash # Get security group details aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].[GroupName,GroupId]'

# List inbound rules aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissions' ```

Step 2: Check Instance Security Groups

```bash # Get security groups attached to instance aws ec2 describe-instances \ --instance-ids i-12345678 \ --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId,GroupName]'

# Instance can have multiple security groups # Traffic allowed if ANY security group allows it ```

Step 3: Verify Inbound Rules for Port

bash # Check specific port aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissions[?FromPort==80 && ToPort==80`]'

# Check port range aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissions[?FromPort>=80 && ToPort<=80]' ```

Step 4: Check Source CIDR Range

```bash # Get your current IP curl -s ifconfig.me

# Check if your IP is in allowed range aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissions[*].IpRanges[*].CidrIp'

# Common sources: # - 0.0.0.0/0: All IPs (public access) # - 10.0.0.0/8: Private VPC range # - YOUR_IP/32: Specific single IP ```

Step 5: Add Missing Inbound Rule

```bash # Add inbound rule for HTTP aws ec2 authorize-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 80 \ --cidr 0.0.0.0/0

# Add inbound rule for SSH from specific IP aws ec2 authorize-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 22 \ --cidr YOUR_IP/32

# Add inbound rule for range aws ec2 authorize-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 80-443 \ --cidr 0.0.0.0/0 ```

Step 6: Check Outbound Rules

```bash # Check outbound rules aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissionsEgress'

# Default security group allows all outbound traffic # Custom groups may restrict outbound ```

Add outbound rule if missing:

bash

aws ec2 authorize-security-group-egress \
  --group-id sg-12345678 \
  --protocol tcp \
  --port 443 \
  --cidr 0.0.0.0/0

Step 7: Check Network ACL

```bash # Get subnet's Network ACL aws ec2 describe-network-acls \ --filters Name=association.subnet-id,Values=subnet-12345678 \ --query 'NetworkAcls[*].[NetworkAclId,Entries]'

# NACL rules: # - Have priority numbers (lower = higher priority) # - Can explicitly deny traffic # - Must have allow rules for both inbound and outbound

# Check if NACL blocks traffic aws ec2 describe-network-acls \ --network-acl-id acl-12345678 \ --query 'NetworkAcls[*].Entries[?PortRange.From==80]' ```

Step 8: Verify Protocol

```bash # Check protocol in rule aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissions[*].[IpProtocol,FromPort,ToPort]'

# Protocols: # - tcp: TCP traffic # - udp: UDP traffic # - icmp: Ping/ICMP # - -1: All protocols

# Add UDP rule if needed aws ec2 authorize-security-group-ingress \ --group-id sg-12345678 \ --protocol udp \ --port 53 \ --cidr 10.0.0.0/8 ```

Step 9: Test Connectivity

```bash # After adding rules, test connection # SSH test ssh -i key.pem ec2-user@PUBLIC_IP

# HTTP test curl -v http://PUBLIC_IP:80

# Port test telnet PUBLIC_IP PORT

# Ping test (requires ICMP rule) ping PUBLIC_IP ```

Step 10: Remove Incorrect Rules

```bash # Remove incorrect rule aws ec2 revoke-security-group-ingress \ --group-id sg-12345678 \ --protocol tcp \ --port 22 \ --cidr OLD_IP/32

# Remove all rules from specific source aws ec2 revoke-security-group-ingress \ --group-id sg-12345678 \ --ip-permissions '[{"IpProtocol":"tcp","FromPort":80,"ToPort":80,"IpRanges":[{"CidrIp":"0.0.0.0/0"}]}]' ```

Common Port Reference

Service	Port	Protocol
SSH	22	TCP
HTTP	80	TCP
HTTPS	443	TCP
MySQL	3306	TCP
PostgreSQL	5432	TCP
Redis	6379	TCP
DNS	53	UDP/TCP
RDP	3389	TCP

Verification

bash # After adding rules, verify connectivity # Check security group aws ec2 describe-security-groups \ --group-ids sg-12345678 \ --query 'SecurityGroups[*].IpPermissions[?FromPort==REQUIRED_PORT`]'

# Test connection curl -v http://INSTANCE_IP:PORT

# Should connect successfully ```

[Fix AWS VPC Peering Connection Not Working](/articles/fix-aws-vpc-peering-connection-not-working)
[Fix AWS EC2 Instance Not Reachable](/articles/fix-aws-ec2-instance-not-reachable)
[Fix AWS Network ACL Blocking Traffic](/articles/fix-aws-network-acl-blocking-traffic)

[Technical troubleshooting: Fix Certificate Chain Incomplete SSL Validation Is](certificate-chain-incomplete-ssl-validation)
[Fix Ddos Attack Mitigation Waf Rate Limiting Issue in Network Security](ddos-attack-mitigation-waf-rate-limiting)
[Fix DNS Hijacking Spoofing Attack Issue in Network Security](dns-hijacking-spoofing-attack)
[Fix firewall iptables rules not persisting across reboot Issue in Network-Security](firewall-iptables-rules-not-persisting-across-reboot)
[Fix firewall rule blocking legitimate traffic Issue in Network-Security](firewall-rule-blocking-legitimate-traffic)

Was this guide helpful?

Related search paths

People also search for

If the symptom is close but not identical, these search paths usually surface the right neighboring fixes faster than scrolling the full archive.

AWS Security Group Blocking Traffic AWS Security Group Blocking Traffic Network Security AWS Security Group Blocking Traffic troubleshooting AWS Security Group Blocking Traffic fix Resolve security group traffic blocking by checking inbound rules, port configuration, source ranges, and rule priority Network Security Resolve security group traffic blocking by checking inbound rules, port configuration, source ranges, and rule priority

Explore Related Topics

Browse Guides from Other Categories

Discover troubleshooting guides from related categories to expand your knowledge.

FAQ

Network Security Troubleshooting FAQs

Common questions about troubleshooting and preventing similar issues

How do I know if this network-security troubleshooting guide applies to my situation?

This guide is designed for network-security issues. If you're experiencing similar symptoms described in the article, follow the step-by-step instructions. Start with the most common causes and work through the diagnostic process.

Is it safe to follow these network-security troubleshooting steps?

Yes, all steps are designed to be safe and non-destructive. We recommend creating backups before making significant changes and testing each step before proceeding to the next.

How long does it typically take to resolve this type of network-security issue?

Most network-security issues can be resolved within 30 minutes to 2 hours, depending on the complexity and root cause. Follow the troubleshooting flow to identify and fix the problem efficiently.

How can I prevent this network-security issue from happening again?

Regular maintenance, monitoring, and following best practices for network-security configuration can help prevent recurrence. Consider implementing automated checks and alerts for early detection.

Written by

FixWikiHub Editorial Team

Our editorial team consists of experienced DevOps engineers, systems administrators, and cloud architects with hands-on experience in production environments across AWS, Azure, GCP, and on-premises infrastructure.

Every guide undergoes technical review for accuracy and is updated when software versions, commands, or best practices change.

Last updated: Apr 1, 2026

About our team

Important Notice

Disclaimer & Safety Guidelines

The troubleshooting steps in this guide are provided for educational and informational purposes. Before applying any changes to production systems:

Test in a staging environment first — Always verify commands and configurations in a non-production environment before deploying to live systems.
Create backups — Ensure you have current backups of databases, configurations, and critical files before making changes.
Understand the impact — Review how each step may affect your specific environment, dependencies, and users.
Consult official documentation — This guide supplements, but does not replace, official vendor documentation and best practices.

FixWikiHub is not responsible for any damages arising from the use of this content. See our Terms of Use for more information.

Resources

Official Documentation & Further Reading

For authoritative information, consult the official documentation for the technologies discussed in this guide. Our troubleshooting content supplements, but does not replace, vendor documentation.

AWS Documentation — Official Amazon Web Services guides and API references
Kubernetes Documentation — Official Kubernetes documentation
Nginx Documentation — Official Nginx web server documentation
Apache Documentation — Official Apache HTTP Server documentation
Docker Documentation — Official Docker container documentation