Post

Understanding Firewalls with AWS Security Groups and UFW

November 21, 2025 less than 1 minute read

A practical explanation of how AWS Security Groups and Ubuntu UFW divide responsibility around an EC2 web server.

Two firewall layers

On an EC2 server, traffic is usually controlled by at least two layers:

AWS Security Group at the cloud network boundary.
UFW on the Ubuntu instance.

Both can block traffic, but they operate at different places.

Security Group

A Security Group decides which traffic is allowed to reach the instance from the AWS side.

Common web server rules:

22/tcp only from a trusted IP for SSH.
80/tcp from anywhere for HTTP.
443/tcp from anywhere for HTTPS.

If a port is blocked here, the request never reaches Ubuntu.

UFW

UFW is the host-level firewall. It controls what the operating system allows after traffic reaches the instance.

This gives a second boundary:

sudo ufw status
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

UFW is useful because it keeps host policy visible even when cloud rules change.

Debugging rule

When traffic fails, check from outside to inside:

DNS points to the instance.
Security Group allows the port.
UFW allows the port.
A process is listening on the port.
The application responds correctly.

That order prevents confusing a firewall issue with an application issue.

Tags

devops networking firewall aws ubuntu

Author

Juwon Park

Builder focused on Django, DevOps, automation, and practical AI workflows.

Recent Posts

View all

Auto-PPT Debugging Part 3: Editable Web App and Lightsail Deployment Path
March 30, 2026 1 minute read

Extending the slide generator from text mapping fixes into an editable web app and a deployable Docker, Caddy, Lightsail, and Terraform path.
Terraform 1: Building and Removing a DeepLX Lambda Proxy on AWS
March 22, 2026 1 minute read

A Terraform practice run that built an AWS Lambda proxy path, verified it, and tore it down cleanly.
Reviewing a Selenium-Based Book PDF Crawler Prototype
February 22, 2026 less than 1 minute read

A prototype review for a CLI crawler that searches book metadata and evaluates public PDF candidates with license signals.
Monitoring a MacBook with Zabbix and Email Alerts
January 20, 2026 1 minute read

A Zabbix setup on AWS Lightsail with Docker, a MacBook agent, memory triggers, and Gmail notifications.