# Security Groups

* Acts as a **"virtual firewall" for your EC2 instances** to **control incoming and outgoing traffic** (traffic going into your instance and traffic going out of your instance).
* **If you don't specify a security group, EC2 uses the default security group.**
* Can **only add allow rules to security groups**.
  * **Can't add deny rules**.
* You can **modify the rules for a security group at any time**.
* **Stateful**
  * Regardless of any rules, **return traffic is always automatically allowed.**

## Parameters for creating a security group

* **Name**

  * The name for the security group.

* **Protocol**

  * The protocol to allow.
  * The most common protocols are 6 (TCP), 17 (UDP), and 1 (ICMP).

* **Port range**

  * For TCP, UDP, or a custom protocol, the range of ports to allow.
  * You can specify a single port number or a range of port numbers.

* **ICMP type and code**
  * For ICMP, the ICMP type and code.

* **Source or destination**
  * The source (inbound rules) or destination (outbound rules) for the traffic.
  * Specify one of these options:
    * An individual IPv4 address.
    * An individual IPv6 address.
    * A range of IPv4 addresses, in CIDR block notation.
    * A range of IPv6 addresses, in CIDR block notation.
    * A prefix list ID.
    * Another security group.
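
A simplified model of the behaviour described above, added here as an example (it is not part of the original notes and not AWS code): rules are allow-only, traffic that matches no rule is not allowed, and return traffic for an admitted flow passes without a matching rule in the other direction. The `Rule` and `SecurityGroup` classes, the flow-tracking set, and the sample addresses are constructed for illustration; prefix lists and security-group references are left out.

```python
import ipaddress
from dataclasses import dataclass

TCP, UDP, ICMP = 6, 17, 1  # protocol numbers from the Protocol parameter

@dataclass(frozen=True)
class Rule:
    """One allow rule. There is no 'deny' field because deny rules don't exist."""
    protocol: int
    from_port: int   # port range; ignored for ICMP in this simplified model
    to_port: int
    cidr: str        # source (inbound) or destination (outbound); bare IP = single host

    def matches(self, protocol, port, peer_ip):
        net = ipaddress.ip_network(self.cidr)
        addr = ipaddress.ip_address(peer_ip)
        if protocol != self.protocol or addr.version != net.version or addr not in net:
            return False
        return protocol == ICMP or self.from_port <= port <= self.to_port

class SecurityGroup:
    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()  # flows already admitted by a rule

    def allow(self, direction, protocol, peer_ip, peer_port, local_port):
        flow = (protocol, peer_ip, peer_port, local_port)
        if flow in self.tracked:   # stateful: return traffic skips rule checks
            return True
        rules = self.inbound if direction == "in" else self.outbound
        # Inbound rules match the instance's port, outbound rules the remote port.
        port = local_port if direction == "in" else peer_port
        if any(r.matches(protocol, port, peer_ip) for r in rules):
            self.tracked.add(flow)
            return True
        return False               # nothing matched: traffic is not allowed

def demo():
    # Constructed sample: HTTPS from a documentation range, SSH from one address,
    # and no outbound rules at all.
    sg = SecurityGroup(inbound=[Rule(TCP, 443, 443, "203.0.113.0/24"),
                                Rule(TCP, 22, 22, "198.51.100.10")])
    return {
        "https_in": sg.allow("in", TCP, "203.0.113.7", 51000, 443),
        "https_reply_out": sg.allow("out", TCP, "203.0.113.7", 51000, 443),
        "new_out": sg.allow("out", TCP, "192.0.2.9", 443, 40000),
        "ssh_other_host": sg.allow("in", TCP, "198.51.100.11", 51001, 22),
        "udp_443": sg.allow("in", UDP, "203.0.113.7", 51000, 443),
    }
```

The reply to the admitted HTTPS request is allowed although the group has no outbound rules, while a new outbound connection from the same instance is not.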

