Tags: amazon-web-services, aws-security-group

What does 0.0.0.0/0 and ::/0 mean?


In a security group, for every inbound port I add, two rules are added, one for 0.0.0.0/0, the other ::/0. What do they each mean?


Solution

  • The default route in Internet Protocol Version 4 (IPv4) is designated as the zero-address 0.0.0.0/0 in CIDR notation, often called the quad-zero route. The subnet mask is given as /0, which effectively specifies all networks, and is the shortest match possible.

    The other would be for IPv6.

    Source: Default Route

    AWS Documentation

    Security Groups for Your VPC

    A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

    For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic.

    Default Security Group for Your VPC

    Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default security group if you don't specify a different security group when you launch the instance.

    The following table describes the default rules for a default security group.

    Inbound

    Source      The security group ID (sg-xxxxxxxx)
    Protocol    All
    Port Range  All
    Comments    Allow inbound traffic from instances assigned to the same security group.
    

    Outbound

    Destination 0.0.0.0/0   
    Protocol    All
    Port Range  All
    Comments    Allow all outbound IPv4 traffic.
    
    Destination ::/0    
    Protocol    All     
    Port Range  All     
    Comments    Allow all outbound IPv6 traffic. This rule is added by default if you create a VPC with an IPv6 CIDR block or if you associate an IPv6 CIDR block with your existing VPC.
    

    Recommended Network ACL Rules for Your VPC
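As an added example (not part of the answer above), the snippet below shows in code what the two CIDRs mean: `0.0.0.0/0` matches every IPv4 address and `::/0` every IPv6 address, each matching nothing of the other family, so a port that gets both rules is reachable from the whole Internet over both protocols. It also audits a constructed list of inbound rules laid out in the shape of the `IpPermissions` entries that `aws ec2 describe-security-groups` returns (the sample rules and ports are made up, and real output carries more fields than are shown).

```python
import ipaddress

# Constructed sample in the shape of an IpPermissions list (assumption: the
# real describe-security-groups output also carries PrefixListIds,
# UserIdGroupPairs etc., which are omitted here).
SAMPLE_INBOUND_RULES = [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
     "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [{"CidrIp": "10.0.0.0/16"}],      # private range only
     "Ipv6Ranges": []},
]


def is_world_open(cidr: str) -> bool:
    """True if the CIDR covers every address of its family.

    A /0 prefix means zero fixed bits, so 0.0.0.0/0 is all of IPv4 and
    ::/0 is all of IPv6; any longer prefix restricts the source.
    """
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def address_allowed(cidr: str, addr: str) -> bool:
    """Would a packet from `addr` match a rule whose source is `cidr`?

    A mismatch of address family never matches: 0.0.0.0/0 says nothing
    about IPv6 clients, which is why the console adds a separate ::/0 rule.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    ip = ipaddress.ip_address(addr)
    return ip.version == net.version and ip in net


def world_open_ports(rules):
    """Return sorted (from_port, to_port, family) tuples open to any source.

    Rules with IpProtocol "-1" (all traffic) have no port keys; they are
    reported with from/to set to None.
    """
    found = set()
    for rule in rules:
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        for r in rule.get("IpRanges", []):
            if is_world_open(r["CidrIp"]):
                found.add((lo, hi, "IPv4"))
        for r in rule.get("Ipv6Ranges", []):
            if is_world_open(r["CidrIpv6"]):
                found.add((lo, hi, "IPv6"))
    # None (all ports) sorts first; then by port, then by family.
    return sorted(found, key=lambda t: (-1 if t[0] is None else t[0], t[2]))


if __name__ == "__main__":
    for lo, hi, fam in world_open_ports(SAMPLE_INBOUND_RULES):
        span = "all ports" if lo is None else (str(lo) if lo == hi else f"{lo}-{hi}")
        print(f"{fam}: port {span} is open to the entire Internet")
```

Running the audit against real output (`aws ec2 describe-security-groups --query 'SecurityGroups[].IpPermissions'`) is a quick way to find ports that were meant for a single office range but got the default pair of world-open rules.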