Are Security Groups really associated with Instances in AWS?

Are Security Groups really associated with instances?

What do you think? If yes, then that’s what I thought until I saw something while reading the AWS Certified Solutions Architect Study Guide.

It’s very common to say that Security Groups are associated with instances and Network Access Control Lists (NACLs) are associated with subnets, and that this is the most basic difference between the two. But to be more precise, what I found is that security groups are associated with ENIs, not directly with the instances.

If you don’t know what security groups are, let me make you familiar with them.

The guide says “instance’s ENI”, so what exactly is an ENI? Have you heard of Network Interface Cards? I hope you know how those cards work; if not, it’s not a big deal, just keep reading. In AWS cloud architecture, the NICs we know are called Elastic Network Interfaces (ENIs). The Elastic Network Interface gives an instance the ability to communicate with other network resources. These network resources can be AWS services, other instances, your on-premises servers, and the world wide web.

An instance can have multiple ENIs, but there is always a primary network interface present, also known as the primary ENI.

And do you know why you can’t launch an instance without specifying a subnet?

The reason is that the primary ENI of an instance is connected to exactly one subnet, and you can’t detach or remove the primary ENI from an instance. That’s why it becomes necessary to specify a subnet during the launch.

And there are more amazing facts about ENIs. For example, an ENI doesn’t always need to be attached to an instance; it can exist independently! And since ENIs are independent, they can be created separately in a subnet and later attached to an instance as a primary or secondary interface. You can also preserve ENIs when the instances they are attached to are deleted or terminated.

I hope the concept is now clearer to you. In practice, most instances have only one ENI, and that’s the reason people think security groups are associated with instances and forget about ENIs. I can guess what you are thinking. What if an instance has more than one ENI? Yes, it happens, and the ENIs of an instance don’t all have to be associated with the same security group; each ENI can be linked to different ones.
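To make the per-ENI point concrete, here is an added example (not from the post or from AWS) that walks an instance record shaped like one entry from the EC2 DescribeInstances response and lists security groups per network interface. The instance id, ENI ids, subnet ids and group ids are constructed placeholders, and the code assumes, as the post’s point implies, that the instance-level SecurityGroups field only mirrors the primary ENI, so a group attached to a secondary ENI is invisible to anyone who reads just that field.

```python
# Constructed sample shaped like one Instance from ec2:DescribeInstances.
# The instance-level "SecurityGroups" field reflects only the primary ENI
# (device index 0); each ENI under "NetworkInterfaces" carries its own "Groups".
SAMPLE_INSTANCE = {
    "InstanceId": "i-0123456789abcdef0",            # constructed
    "SecurityGroups": [{"GroupId": "sg-web", "GroupName": "web"}],
    "NetworkInterfaces": [
        {
            "NetworkInterfaceId": "eni-primary",       # constructed
            "SubnetId": "subnet-public",               # constructed
            "Attachment": {"DeviceIndex": 0},
            "Groups": [{"GroupId": "sg-web", "GroupName": "web"}],
        },
        {
            "NetworkInterfaceId": "eni-secondary",     # constructed
            "SubnetId": "subnet-private",              # constructed
            "Attachment": {"DeviceIndex": 1},
            "Groups": [{"GroupId": "sg-db-admin", "GroupName": "db-admin"}],
        },
    ],
}


def security_groups_by_eni(instance):
    """Map each ENI id to the set of security group ids attached to that ENI."""
    enis = sorted(instance.get("NetworkInterfaces", []),
                  key=lambda e: e["Attachment"]["DeviceIndex"])
    return {e["NetworkInterfaceId"]: {g["GroupId"] for g in e["Groups"]}
            for e in enis}


def groups_missed_by_instance_view(instance):
    """Groups in effect on some ENI of the instance that do not show up in the
    instance-level SecurityGroups field (the primary-ENI-only view)."""
    instance_view = {g["GroupId"] for g in instance.get("SecurityGroups", [])}
    attached = set().union(*security_groups_by_eni(instance).values())
    return attached - instance_view


def enis_with_group(instance, group_id):
    """ENIs (with their subnet) on which a given security group is in effect."""
    return [(e["NetworkInterfaceId"], e["SubnetId"])
            for e in instance.get("NetworkInterfaces", [])
            if any(g["GroupId"] == group_id for g in e["Groups"])]


if __name__ == "__main__":
    for eni, groups in security_groups_by_eni(SAMPLE_INSTANCE).items():
        print(eni, sorted(groups))
    print("missed by instance view:", groups_missed_by_instance_view(SAMPLE_INSTANCE))
```

When auditing real accounts, feed the same functions the Instances entries returned by describe_instances and review any non-empty result of groups_missed_by_instance_view.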



Aditya Gaur

CCSK | AWS & Azure Certified Cloud Practitioner | ISO Certified ISMS & PIMS Auditor