Menu
Amazon Virtual Private Cloud
VPC Peering Guide

Updating Your Security Groups to Reference Peer VPC Groups

You can update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC. Doing so allows traffic to flow to and from instances that are associated with the referenced security group in the peered VPC.

Requirements

  • The peer VPC can be a VPC in your account, or a VPC in another AWS account. To reference a security group in another AWS account, include the account number in Source or Destination field; for example, 123456789012/sg-1a2b3c4d.

  • You cannot reference the security group of a peer VPC that's in a different region. Instead, use the CIDR block of the peer VPC.

  • To reference a security group in a peer VPC, the VPC peering connection must be in the active state.

To update your security group rules using the console

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Select the security group, and choose Inbound Rules to modify the inbound rules or Outbound Rules to modify the outbound rules.

  4. Choose Edit, Add another rule.

  5. Specify the type, protocol, and port range as required. For Source (or Destination for an outbound rule), type the ID of the security group in the peer VPC if it is in the same region or the CIDR block of the peer VPC if it is in a different region.

    Note

    Security groups in a peer VPC are not automatically displayed.

  6. Choose Save.

To update inbound rules using the command line

To update outbound rules using the command line

For example, to update your security group sg-aaaa1111 to allow inbound access over HTTP from sg-bbbb2222 that's in a peer VPC, you can use the following AWS CLI command:

aws ec2 authorize-security-group-ingress --group-id sg-aaaa1111 --protocol tcp --port 80 --source-group sg-bbbb2222

After you've updated the security group rules, use the describe-security-groups command to view the referenced security group in your security group rules.

Identifying Your Referenced Security Groups

To determine if your security group is being referenced in the rules of a security group in a peer VPC, use one of the following commands for one or more security groups in your account.

In the following example, the response indicates that security group sg-bbbb2222 is being referenced by a security group in VPC vpc-aaaaaaaa:

aws ec2 describe-security-group-references --group-id sg-bbbb2222
{ "SecurityGroupsReferenceSet": [ { "ReferencingVpcId": "vpc-aaaaaaaa", "GroupId": "sg-bbbb2222", "VpcPeeringConnectionId": "pcx-b04deed9" } ] }

If the VPC peering connection is deleted, or if the owner of the peer VPC deletes the referenced security group, the security group rule becomes stale.

Working with Stale Security Group Rules

A stale security group rule is a rule that references a security group in a peer VPC where the VPC peering connection has been deleted or the security group in the peer VPC has been deleted. When a security group rule becomes stale, it's not automatically removed from your security group—you must manually remove it. If a security group rule was stale because the VPC peering connection was deleted and you then create a new VPC peering connection with the same VPCs, it will no longer be marked as stale.

You can view and delete the stale security group rules for a VPC using the Amazon VPC console.

To view and delete stale security group rules

  1. Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.

  2. In the navigation pane, choose Security Groups.

  3. Choose View your stale rules in the notification icon on the right (this icon only displays if you have stale security group rules).

  4. To delete a stale rule, choose Edit, and then delete the rule. Choose Save Rules. You can check for stale rules in another VPC by entering the VPC ID in the VPC field.

  5. When you are done, choose Close.

To describe your stale security group rules using the command line or an API

In the following example, VPC A (vpc-aaaaaaaa) and VPC B were peered, and the VPC peering connection was deleted. Your security group sg-aaaa1111 in VPC A references sg-bbbb2222 in VPC B. When you run the describe-stale-security-groups command for your VPC, the response indicates that security group sg-aaaa1111 has a stale SSH rule that references sg-bbbb2222.

aws ec2 describe-stale-security-groups --vpc-id vpc-aaaaaaaa
{ "StaleSecurityGroupSet": [ { "VpcId": "vpc-aaaaaaaa", "StaleIpPermissionsEgress": [], "GroupName": "Access1", "StaleIpPermissions": [ { "ToPort": 22, "FromPort": 22, "UserIdGroupPairs": [ { "VpcId": "vpc-bbbbbbbb", "PeeringStatus": "deleted", "UserId": "123456789101", "GroupName": "Prod1", "VpcPeeringConnectionId": "pcx-b04deed9", "GroupId": "sg-bbbb2222" } ], "IpProtocol": "tcp" } ], "GroupId": "sg-aaaa1111", "Description": "Reference remote SG" } ] }

After you've identified the stale security group rules, you can delete them using the revoke-security-group-ingress or revoke-security-group-egress commands.