Inbound rules
Important
The following section applies to your VPC connection if the connection was created before April 27, 2023.
When you create a security group, it has no inbound rules. No inbound traffic originating from another host to your instance is allowed until you add inbound rules to the security group.
The security group attached to the QuickSight network interface behaves differently from most security groups, because it isn't stateful. Other security groups are usually stateful: once they allow an outbound connection to a resource's security group, they automatically allow the return traffic for that connection. The QuickSight network interface security group doesn't automatically allow return traffic. Because of this, adding only an egress rule to the QuickSight network interface security group doesn't let the database's responses through. To make the connection work, add an inbound rule to the QuickSight network interface security group that explicitly authorizes the return traffic from the database host.
The inbound rule in your security group must allow traffic on all ports. This is required because the destination port of any inbound return packet is a randomly allocated port number, not the database port.
To restrict QuickSight to connecting only to certain instances, you can specify the security group ID (recommended) or the private IP address of the instances that you want to allow as the source of the rule. In either case, your security group inbound rule still needs to allow traffic on all ports (0–65535).
To allow QuickSight to connect to any instance in the VPC, give the QuickSight network interface security group an inbound rule that allows traffic from 0.0.0.0/0 on all ports (0–65535). The security group used by the QuickSight network interface should be different from the security groups used for your databases. We recommend that you use a separate security group for the VPC connection.
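The following check, added here as an illustration and not part of the QuickSight documentation or AWS tooling, tests whether a QuickSight network interface security group's inbound rules meet the requirements above: a rule must cover all ports, and its source must be the database security group (recommended), the database's private IP, or 0.0.0.0/0. The rule list uses the IpPermissions shape returned by EC2 DescribeSecurityGroups; the group IDs and addresses below are constructed placeholders.

```python
"""Validate QuickSight network-interface security group inbound rules.
Input is an IpPermissions list in the shape returned by EC2
DescribeSecurityGroups (boto3 describe_security_groups)."""
import ipaddress


def _covers_all_ports(perm):
    """True when the rule spans every TCP port (or every protocol)."""
    if perm.get("IpProtocol") == "-1":          # "all traffic" rule
        return True
    return (perm.get("IpProtocol") == "tcp"
            and perm.get("FromPort", 1) <= 0
            and perm.get("ToPort", 0) >= 65535)


def allows_return_traffic(ip_permissions, db_sg_id=None, db_private_ip=None):
    """Return True if some inbound rule admits the database host on all ports.

    Egress rules are deliberately ignored: the QuickSight network interface
    security group is not stateful, so only inbound rules matter here.
    """
    for perm in ip_permissions:
        if not _covers_all_ports(perm):
            continue
        source_sgs = {p.get("GroupId") for p in perm.get("UserIdGroupPairs", [])}
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", []) if r.get("CidrIp")]
        if "0.0.0.0/0" in cidrs:                  # any instance in the VPC
            return True
        if db_sg_id and db_sg_id in source_sgs:    # recommended: by SG ID
            return True
        if db_private_ip and any(
                ipaddress.ip_address(db_private_ip) in ipaddress.ip_network(c)
                for c in cidrs):
            return True
    return False


# Constructed sample rules with placeholder IDs, not from a real account.
DB_SG = "sg-0placeholderdb"
WRONG_INBOUND = [  # only the DB port: return packets on random ports are dropped
    {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": DB_SG}]},
]
RIGHT_INBOUND = [  # all TCP ports, source restricted to the DB security group
    {"IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
     "IpRanges": [], "UserIdGroupPairs": [{"GroupId": DB_SG}]},
]

if __name__ == "__main__":
    print(allows_return_traffic(WRONG_INBOUND, db_sg_id=DB_SG))  # False
    print(allows_return_traffic(RIGHT_INBOUND, db_sg_id=DB_SG))  # True
```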
Important
If you are using a long-standing Amazon RDS DB instance, check your configuration to see whether you're using a DB security group. DB security groups are used with DB instances that are not in a VPC and run on the EC2-Classic platform.
If this is your configuration, and you aren't moving your DB instance into the VPC for use with QuickSight, make sure to update your DB security group's inbound rules so that they allow inbound traffic from the VPC security group that you're using for QuickSight. For more information, see Controlling Access with Security Groups in the Amazon RDS User Guide.