Update your security groups to reference peer security groups
You can update the inbound or outbound rules for your VPC security groups to reference security groups in the peered VPC. Doing so allows traffic to flow to and from instances that are associated with the referenced security group in the peered VPC.
Requirements
-
The peer VPC can be a VPC in your account, or a VPC in another AWS account. To reference a security group in another AWS account, include the account number in Source or Destination field; for example,
123456789012/sg-1a2b3c4d
. -
You cannot reference the security group of a peer VPC that's in a different Region. Instead, use the CIDR block of the peer VPC.
-
To reference a security group in a peer VPC, the VPC peering connection must be in the
active
state. -
If you configure routes to forward the traffic between two instances in different subnets through a middlebox appliance, you must ensure that the security groups for both instances allow traffic to flow between the instances. The security group for each instance must reference the private IP address of the other instance, or the the CIDR range of the subnet that contains the other instance, as the source. If you reference the security group of the other instance as the source, this does not allow traffic to flow between the instances.
To update your security group rules using the console
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Security groups.
-
Select the security group, and choose Actions, Edit inbound rules to modify the inbound rules or choose Actions, Edit outbound rules to modify the outbound rules.
-
To add a rule, choose Add rule and specify the type, protocol, and port range. For Source (inbound rule) or Destination (outbound rule), enter the ID of the security group in the peer VPC if it is in the same Region or the CIDR block of the peer VPC if it is in a different Region.
Note
Security groups in a peer VPC are not automatically displayed.
-
To edit an existing rule, change its values (for example, the source or the description).
-
To delete a rule, choose Delete next to the rule.
-
Choose Save rules.
To update inbound rules using the command line
-
authorize-security-group-ingress (AWS CLI)
-
Grant-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
-
Revoke-EC2SecurityGroupIngress (AWS Tools for Windows PowerShell)
-
revoke-security-group-ingress (AWS CLI)
To update outbound rules using the command line
-
authorize-security-group-egress (AWS CLI)
-
Grant-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
-
Revoke-EC2SecurityGroupEgress (AWS Tools for Windows PowerShell)
-
revoke-security-group-egress (AWS CLI)
For example, to update your security group sg-aaaa1111
to allow inbound access
over HTTP from sg-bbbb2222
that's in a peer VPC, you can use the following
AWS CLI command:
aws ec2 authorize-security-group-ingress --group-id
sg-aaaa1111
--protocol tcp --port80
--source-groupsg-bbbb2222
After you've updated the security group rules, use the describe-security-groups command to view the referenced security group in your security group rules.
Identify your referenced security groups
To determine if your security group is being referenced in the rules of a security group in a peer VPC, use one of the following commands for one or more security groups in your account.
-
describe-security-group-references (AWS CLI)
-
Get-EC2SecurityGroupReference (AWS Tools for Windows PowerShell)
-
DescribeSecurityGroupReferences (Amazon EC2 Query API)
In the following example, the response indicates that security group
sg-bbbb2222
is being referenced by a security group in VPC
vpc-aaaaaaaa
:
aws ec2 describe-security-group-references --group-id
sg-bbbb2222
{
"SecurityGroupsReferenceSet": [
{
"ReferencingVpcId": "vpc-aaaaaaaa",
"GroupId": "sg-bbbb2222",
"VpcPeeringConnectionId": "pcx-b04deed9"
}
]
}
If the VPC peering connection is deleted, or if the owner of the peer VPC deletes the referenced security group, the security group rule becomes stale.
Work with stale security group rules
A stale security group rule is a rule that references a deleted security group in the same VPC or in a peer VPC, or that references a security group in a peer VPC for which the VPC peering connection has been deleted. When a security group rule becomes stale, it's not automatically removed from your security group—you must manually remove it. If a security group rule is stale because the VPC peering connection was deleted, the rule will no longer be marked as stale if you create a new VPC peering connection with the same VPCs.
You can view and delete the stale security group rules for a VPC using the Amazon VPC console.
To view and delete stale security group rules
Open the Amazon VPC console at https://console.aws.amazon.com/vpc/
. -
In the navigation pane, choose Security groups.
-
Choose Actions, Manage stale rules.
-
For VPC, choose the VPC with the stale rules.
-
Choose Edit.
-
Choose the Delete button next to the rule that you want to delete. Choose Preview changes, Save rules.
To describe your stale security group rules using the command line or an API
-
describe-stale-security-groups (AWS CLI)
-
Get-EC2StaleSecurityGroup (AWS Tools for Windows PowerShell)
-
DescribeStaleSecurityGroups (Amazon EC2 Query API)
In the following example, VPC A (vpc-aaaaaaaa
) and VPC B were peered,
and the VPC peering connection was deleted. Your security group
sg-aaaa1111
in VPC A references sg-bbbb2222
in VPC B.
When you run the describe-stale-security-groups
command for your VPC,
the response indicates that security group sg-aaaa1111
has a stale SSH
rule that references sg-bbbb2222
.
aws ec2 describe-stale-security-groups --vpc-id
vpc-aaaaaaaa
{
"StaleSecurityGroupSet": [
{
"VpcId": "vpc-aaaaaaaa",
"StaleIpPermissionsEgress": [],
"GroupName": "Access1",
"StaleIpPermissions": [
{
"ToPort": 22,
"FromPort": 22,
"UserIdGroupPairs": [
{
"VpcId": "vpc-bbbbbbbb",
"PeeringStatus": "deleted",
"UserId": "123456789101",
"GroupName": "Prod1",
"VpcPeeringConnectionId": "pcx-b04deed9",
"GroupId": "sg-bbbb2222"
}
],
"IpProtocol": "tcp"
}
],
"GroupId": "sg-aaaa1111",
"Description": "Reference remote SG"
}
]
}
After you've identified the stale security group rules, you can delete them using the revoke-security-group-ingress or revoke-security-group-egress commands.