AWS Security Groups vs Windows Firewall – Key Differences

Tags: amazon-web-services, security, windows-firewall, windows-server-2008

Is it considered best practice to disable the Windows Firewall on an Amazon EC2 instance, and control traffic only via EC2 Security Groups?

If I open a port on the server firewall, and then open the same port on the security group, it requires double maintenance.

EDIT:

I found an advantage of doing both. Actually, when you filter by IP and port at the AWS level, you have more performance, as the AWS server will do the deny job and the requests do not even reach your server, and that saves you more RAM, CPU and bandwidth.

EDIT2:

Actually, when you configure the Windows Firewall by mistake to disable the 3389 RDP port, your machine is gone.

What do you think?

Best Answer

I always do both. It's a matter of who you trust more, Amazon, or yourself.

Perhaps one day the AWS security groups may be broken, disabled, circumvented. In that (unlikely) case, I have a second barrier I can rely on.

And if I accidentally leave something open on one, the other one will still block it. It's a bit like double opt-in, or two-factor authentication.

As far as administering a double set of firewall rules goes, for me it's worth it. It's not that many rules. If you have lots, then you should ask yourself whether that one instance is doing too much anyway, which adds a variety of possible points of failure and complexity.

If you do choose to only set up one, I would do the one you have full control of, the one on your instance.
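The "do both" approach from the answer, together with a guard against the RDP lockout the question's second edit describes, as an added PowerShell example that is not part of the original question or answer. It assumes an elevated PowerShell session on the EC2 Windows instance, the AWS CLI installed with credentials allowed to change the security group, and placeholder values for the security group id and the admin source range that you replace with your own. It uses `netsh advfirewall` rather than the `NetSecurity` cmdlets so that it also runs on Windows Server 2008, and it opens the same port with the same source scope at both layers so that the two rule sets stay in step.

```powershell
# Added example (not from the original question or answer).
# Assumptions: elevated PowerShell on the EC2 Windows instance; AWS CLI present
# with permission to modify the security group; the values below are placeholders.

$SecurityGroupId = "sg-REPLACE-WITH-YOUR-GROUP-ID"   # placeholder, not from the page
$AdminSourceCidr = "203.0.113.0/24"                  # constructed RFC 5737 test range
$Port            = 443
$RuleName        = "AllowHttpsInboundMirrorsSG"       # no spaces: simpler to pass to netsh

function Test-RdpAllowRuleEnabled {
    # Guard against the lockout described in EDIT2: dump every inbound rule and
    # look for an enabled allow rule on TCP 3389. Parsing 'show rule' output keeps
    # this working across Server versions, where the built-in RDP rule names differ.
    $dump = (netsh advfirewall firewall show rule name=all dir=in) -join "`n"
    foreach ($block in ($dump -split "Rule Name:")) {
        if ($block -match "Enabled:\s+Yes" -and
            $block -match "Action:\s+Allow" -and
            $block -match "Protocol:\s+TCP" -and
            $block -match "LocalPort:\s+3389") {
            return $true
        }
    }
    return $false
}

# Refuse to touch the host firewall unless an RDP path into the box is confirmed.
if (-not (Test-RdpAllowRuleEnabled)) {
    throw "No enabled inbound allow rule for TCP 3389 found; aborting so the instance stays reachable."
}

# Layer 1: host firewall. Allow the port only from the admin range, the same
# scope the security group rule below will use.
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP localport=$Port remoteip=$AdminSourceCidr

# Layer 2: security group. The same rule at the AWS edge, so denied traffic is
# dropped before it ever reaches the instance (the performance point in EDIT).
aws ec2 authorize-security-group-ingress --group-id $SecurityGroupId --protocol tcp --port $Port --cidr $AdminSourceCidr

# Verify that both layers agree on port and source.
netsh advfirewall firewall show rule name=$RuleName
aws ec2 describe-security-groups --group-ids $SecurityGroupId --query "SecurityGroups[0].IpPermissions"
```

The guard is deliberately conservative: a rule that allows RDP via `LocalPort: Any` rather than an explicit 3389 will not satisfy it, so the script stops rather than risking the "machine is gone" outcome. Keeping the same CIDR in both commands is what removes most of the double-maintenance cost; if the two layers ever disagree, the `show rule` and `describe-security-groups` output at the end makes the mismatch visible.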