Identify your referenced security groups Work with stale security group rules

Update your security groups to reference peer security groups

You can update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC. Doing so allows traffic to flow to and from instances that are associated with the referenced security group in the peered VPC.

Requirements

The peer VPC can be a VPC in your account, or a VPC in another AWS account. To reference a security group in another AWS account, include the account number in Source or Destination field; for example, 123456789012/sg-1a2b3c4d.
You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC.
To reference a security group in a peer VPC, the VPC peering connection must be in the active state.
If you configure routes to forward the traffic between two instances in different subnets through a middlebox appliance, you must ensure that the security groups for both instances allow traffic to flow between the instances. The security group for each instance must reference the private IP address of the other instance, or the the CIDR range of the subnet that contains the other instance, as the source. If you reference the security group of the other instance as the source, this does not allow traffic to flow between the instances.

To update your security group rules using the console

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Security groups.
Select the security group, and choose Actions, Edit inbound rules to modify the inbound rules or choose Actions, Edit outbound rules to modify the outbound rules.
To add a rule, choose Add rule and specify the type, protocol, and port range. For Source (inbound rule) or Destination (outbound rule), enter the ID of the security group in the peer VPC if it is in the same Region or the CIDR block of the peer VPC if it is in a different Region.

Note
Security groups in a peer VPC are not automatically displayed.
To edit an existing rule, change its values (for example, the source or the description).
To delete a rule, choose Delete next to the rule.
Choose Save rules.

To update inbound rules using the command line

authorize-security-group-ingress (AWS CLI)
Grant-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
Revoke-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
revoke-security-group-ingress (AWS CLI)

To update outbound rules using the command line

authorize-security-group-egress (AWS CLI)
Grant-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
Revoke-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
revoke-security-group-egress (AWS CLI)

For example, to update your security group sg-aaaa1111 to allow inbound access over HTTP from sg-bbbb2222 that's in a peer VPC, you can use the following AWS CLI command:


aws ec2 authorize-security-group-ingress --group-id sg-aaaa1111 --protocol tcp --port 80 --source-group sg-bbbb2222

After you've updated the security group rules, use the describe-security-groups command to view the referenced security group in your security group rules.

Identify your referenced security groups

To determine if your security group is being referenced in the rules of a security group in a peer VPC, use one of the following commands for one or more security groups in your account.

describe-security-group-references (AWS CLI)
Get-EC2SecurityGroupReference (AWS Tools for Windows PowerShell)
DescribeSecurityGroupReferences (Amazon EC2 Query API)

In the following example, the response indicates that security group sg-bbbb2222 is being referenced by a security group in VPC vpc-aaaaaaaa:


aws ec2 describe-security-group-references --group-id sg-bbbb2222


{    
  "SecurityGroupsReferenceSet": [
    {
      "ReferencingVpcId": "vpc-aaaaaaaa",
      "GroupId": "sg-bbbb2222",
      "VpcPeeringConnectionId": "pcx-b04deed9"       
    }   
  ]
}

If the VPC peering connection is deleted, or if the owner of the peer VPC deletes the referenced security group, the security group rule becomes stale.

Work with stale security group rules

A stale security group rule is a rule that references a deleted security group in the same VPC or in a peer VPC, or that references a security group in a peer VPC for which the VPC peering connection has been deleted. When a security group rule becomes stale, it's not automatically removed from your security group—you must manually remove it. If a security group rule is stale because the VPC peering connection was deleted, the rule will no longer be marked as stale if you create a new VPC peering connection with the same VPCs.

You can view and delete the stale security group rules for a VPC using the Amazon VPC console.

To view and delete stale security group rules

Open the Amazon VPC console at https://console.aws.amazon.com/vpc/.
In the navigation pane, choose Security groups.
Choose Actions, Manage stale rules.
For VPC, choose the VPC with the stale rules.
Choose Edit.
Choose the Delete button next to the rule that you want to delete. Choose Preview changes, Save rules.

To describe your stale security group rules using the command line or an API

describe-stale-security-groups (AWS CLI)
Get-EC2StaleSecurityGroup (AWS Tools for Windows PowerShell)
DescribeStaleSecurityGroups (Amazon EC2 Query API)

In the following example, VPC A (vpc-aaaaaaaa) and VPC B were peered, and the VPC peering connection was deleted. Your security group sg-aaaa1111 in VPC A references sg-bbbb2222 in VPC B. When you run the describe-stale-security-groups command for your VPC, the response indicates that security group sg-aaaa1111 has a stale SSH rule that references sg-bbbb2222.


aws ec2 describe-stale-security-groups --vpc-id vpc-aaaaaaaa


{
    "StaleSecurityGroupSet": [
        {
            "VpcId": "vpc-aaaaaaaa", 
            "StaleIpPermissionsEgress": [], 
            "GroupName": "Access1", 
            "StaleIpPermissions": [
                {
                    "ToPort": 22, 
                    "FromPort": 22, 
                    "UserIdGroupPairs": [
                        {
                            "VpcId": "vpc-bbbbbbbb", 
                            "PeeringStatus": "deleted", 
                            "UserId": "123456789101", 
                            "GroupName": "Prod1", 
                            "VpcPeeringConnectionId": "pcx-b04deed9", 
                            "GroupId": "sg-bbbb2222"
                        }
                    ], 
                    "IpProtocol": "tcp"
                }
            ], 
            "GroupId": "sg-aaaa1111", 
            "Description": "Reference remote SG"
        }
    ]
}

After you've identified the stale security group rules, you can delete them using the revoke-security-group-ingress or revoke-security-group-egress commands.

Warning Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

Update route tables

Modify peering options