Create a security group to support EFA communications - AWS PCS

Create a security group to support EFA communications

AWS CLI

You can use the following AWS CLI command to create a security group that supports EFA. The command outputs a security group ID. Make the following replacements:

  • region-code – Specify the AWS Region where you use AWS PCS, such as us-east-1.

  • vpc-id – Specify the ID of the VPC that you use for AWS PCS.

  • efa-group-name – Provide your chosen name for the security group.

aws ec2 create-security-group \
    --group-name efa-group-name \
    --description "Security group to enable EFA traffic" \
    --vpc-id vpc-id \
    --region region-code

Use the following commands to attach inbound and outbound security group rules. Make the following replacement:

  • efa-secgroup-id – Provide the ID of the EFA security group you just created.

aws ec2 authorize-security-group-ingress \
    --group-id efa-secgroup-id \
    --protocol -1 \
    --source-group efa-secgroup-id

aws ec2 authorize-security-group-egress \
    --group-id efa-secgroup-id \
    --protocol -1 \
    --source-group efa-secgroup-id

CloudFormation template

You can use a CloudFormation template to create a security group that supports EFA. Download the template from the following URL, then upload it into the AWS CloudFormation console.

https://aws-hpc-recipes.s3.amazonaws.com/main/recipes/pcs/enable_efa/assets/efa-sg.yaml

With the template open in the AWS CloudFormation console, enter the following options.

  • Under Provide a stack name

    • Under Stack name, enter a name such as efa-sg-stack.

  • Under Parameters

    • Under SecurityGroupName, enter a name such as efa-sg.

    • Under VPC, select the VPC where you will use AWS PCS.

Finish creating the CloudFormation stack and monitor its status. When it reaches CREATE_COMPLETE, the EFA security group is ready for use.
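
After either method, you can confirm that the group carries the all-protocol inbound and outbound rules that reference the group itself. The following check is an added example, not part of the AWS documentation or the template. It reads JSON in the shape returned by aws ec2 describe-security-groups --group-ids efa-secgroup-id --region region-code; the function name, the sample group ID, and the extra report of inbound rules open to any address are assumptions made for illustration.

```python
import json

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
# The group ID and rules are made up: inbound self-reference present, outbound
# self-reference missing, and an unrelated SSH rule open to any address.
SAMPLE = json.dumps({"SecurityGroups": [{
    "GroupId": "sg-0example",
    "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [],
         "UserIdGroupPairs": [{"GroupId": "sg-0example"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}],
         "UserIdGroupPairs": []},
    ],
}]})

def check_efa_group(describe_output, group_id):
    """Return a list of problems; an empty list means the group passes."""
    groups = json.loads(describe_output).get("SecurityGroups", [])
    group = next((g for g in groups if g.get("GroupId") == group_id), None)
    if group is None:
        return [f"{group_id}: not present in the describe output"]
    problems = []
    for direction, key in (("inbound", "IpPermissions"),
                           ("outbound", "IpPermissionsEgress")):
        # Look for an all-protocol ("-1") rule whose peer is the group itself.
        self_ref = any(
            rule.get("IpProtocol") == "-1"
            and any(pair.get("GroupId") == group_id
                    for pair in rule.get("UserIdGroupPairs", []))
            for rule in group.get(key, []))
        if not self_ref:
            problems.append(f"{direction}: no all-protocol rule referencing {group_id}")
    # Extra check (assumption of this example): report inbound rules open to anyone.
    for rule in group.get("IpPermissions", []):
        cidrs = [r.get("CidrIp") for r in rule.get("IpRanges", [])]
        cidrs += [r.get("CidrIpv6") for r in rule.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in ("0.0.0.0/0", "::/0"):
                problems.append(f"inbound: protocol {rule.get('IpProtocol')} open to {cidr}")
    return problems

if __name__ == "__main__":
    for problem in check_efa_group(SAMPLE, "sg-0example"):
        print(problem)
```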