@alanwill
Last active January 18, 2024 17:00
AWS CloudFormation example that allows a security group rule to reference the same security group as the source.
{
  "Description": "Create a VPC with a SG which references itself",
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "vpctester": {
      "Type": "AWS::EC2::VPC",
      "Properties": {
        "CidrBlock": "172.16.0.0/23",
        "EnableDnsSupport": false,
        "EnableDnsHostnames": false,
        "InstanceTenancy": "default",
        "Tags": [ { "Key": "Name", "Value": "vpctester" } ]
      }
    },
    "sgtester": {
      "Type": "AWS::EC2::SecurityGroup",
      "DependsOn": "vpctester",
      "Properties": {
        "GroupDescription": "vpc tester sg",
        "VpcId": { "Ref": "vpctester" }
      }
    },
    "sgtesteringress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "DependsOn": "sgtester",
      "Properties": {
        "GroupId": { "Ref": "sgtester" },
        "IpProtocol": "tcp",
        "FromPort": "0",
        "ToPort": "65535",
        "SourceSecurityGroupId": { "Ref": "sgtester" }
      }
    }
  }
}
@mdalvi
mdalvi commented Jul 21, 2020

What does it mean to ingress on the self-security group? What does it do security-wise?

@john-aws
> What does it mean to ingress on the self-security group? What does it do security-wise?

It allows compute nodes in that security group to communicate with other compute nodes in the same security group.

@john-aws
And the (untested) YAML equivalent:

Description: Create a VPC with a SG which references itself
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  vpctester:
    Type: AWS::EC2::VPC
    Properties:
      CidrBlock: 172.16.0.0/23
      EnableDnsSupport: false
      EnableDnsHostnames: false
      InstanceTenancy: default
      Tags:
      - Key: Name
        Value: vpctester
  sgtester:
    Type: AWS::EC2::SecurityGroup
    DependsOn: vpctester
    Properties:
      GroupDescription: vpc tester sg
      VpcId: !Ref vpctester
  sgtesteringress:
    Type: AWS::EC2::SecurityGroupIngress
    DependsOn: sgtester
    Properties:
      GroupId: !Ref sgtester
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      SourceSecurityGroupId: !Ref sgtester

@saumilsdk
How to give all protocols?

@john-aws
john-aws commented Feb 2, 2021

@saumilsdk See the IpProtocol documentation:

> Use -1 to specify all protocols.

@SwathiKanduri
Can you help me understand the difference between GroupId and SourceSecurityGroupId?

Also, consider e.g. I have an EC2 bastion host, and I have an RDS instance in the private subnet. I want to create a security group on EC2 that allows all inbound SSH traffic through the Internet gateway. I have another security group on RDS that allows inbound traffic from the EC2 bastion. How can I do this? Should I use SourceSecurityGroupId:<id of EC2's SG> in the ingress of RDS's security group?

@john-aws
john-aws commented Apr 1, 2021

@SwathiKanduri the GroupId relates to the security group for which this AWS::EC2::SecurityGroupIngress resource is actually an ingress rule. The SourceSecurityGroupId relates to the security group which we want to allow inbound traffic from. In this case they both refer to sgtester because this is a self-referencing security group, but in the general case SourceSecurityGroupId would refer to some other security group that we want to allow inbound traffic from.
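To make the GroupId / SourceSecurityGroupId distinction and the "-1 means all protocols" point concrete, here is an added review script (not the gist's code, and not anything AWS ships) that walks the Resources of a CloudFormation template, summarises every ingress rule, and flags the broad settings discussed in this thread: self-referencing rules, IpProtocol -1, a 0-65535 port range, and 0.0.0.0/0 or ::/0 sources. The template is embedded as a JSON string, so nothing talks to AWS. It contains the gist's sgtester resources plus a constructed bastion/database pair (BastionSG, DbSG, the 203.0.113.0/24 admin range and an extra "-1" rule are assumptions for the example) to show the general case in which SourceSecurityGroupId names a different group.

```python
"""Summarise and flag ingress rules in a CloudFormation template (added example)."""
import json
from typing import Any, Dict, List, Optional

# Constructed sample template: the gist's self-referencing group plus a
# hypothetical bastion/database pair. BastionSG, DbSG, the admin CIDR and
# the "-1" rule are assumptions made for this example.
SAMPLE_TEMPLATE_JSON = """
{
  "Resources": {
    "sgtester": {"Type": "AWS::EC2::SecurityGroup",
                 "Properties": {"GroupDescription": "vpc tester sg", "VpcId": {"Ref": "vpctester"}}},
    "sgtesteringress": {"Type": "AWS::EC2::SecurityGroupIngress",
                        "Properties": {"GroupId": {"Ref": "sgtester"}, "IpProtocol": "tcp",
                                       "FromPort": "0", "ToPort": "65535",
                                       "SourceSecurityGroupId": {"Ref": "sgtester"}}},
    "sgtesterallproto": {"Type": "AWS::EC2::SecurityGroupIngress",
                         "Properties": {"GroupId": {"Ref": "sgtester"}, "IpProtocol": "-1",
                                        "SourceSecurityGroupId": {"Ref": "sgtester"}}},
    "BastionSG": {"Type": "AWS::EC2::SecurityGroup",
                  "Properties": {"GroupDescription": "bastion", "VpcId": {"Ref": "vpctester"}}},
    "BastionSshIngress": {"Type": "AWS::EC2::SecurityGroupIngress",
                          "Properties": {"GroupId": {"Ref": "BastionSG"}, "IpProtocol": "tcp",
                                         "FromPort": 22, "ToPort": 22, "CidrIp": "203.0.113.0/24"}},
    "DbSG": {"Type": "AWS::EC2::SecurityGroup",
             "Properties": {"GroupDescription": "database", "VpcId": {"Ref": "vpctester"},
                            "SecurityGroupIngress": [
                              {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
                               "SourceSecurityGroupId": {"Ref": "BastionSG"}}]}}
  }
}
"""
SAMPLE_TEMPLATE: Dict[str, Any] = json.loads(SAMPLE_TEMPLATE_JSON)


def _name(value: Any) -> str:
    """Resolve {"Ref": "LogicalId"} to "LogicalId"; pass plain strings through."""
    if isinstance(value, dict) and "Ref" in value:
        return str(value["Ref"])
    return str(value)


def describe_ingress(rule_id: str, target: str, props: Dict[str, Any]) -> Dict[str, Any]:
    """Summarise one ingress rule applied to security group `target`."""
    source_sg = props.get("SourceSecurityGroupId", props.get("SourceSecurityGroupName"))
    if source_sg is not None:
        source = _name(source_sg)          # traffic allowed from members of another (or the same) group
    else:
        source = str(props.get("CidrIp", props.get("CidrIpv6", "")))  # or from an IP range
    protocol = str(props.get("IpProtocol", ""))
    from_port, to_port = props.get("FromPort"), props.get("ToPort")
    ports: Optional[tuple] = None
    findings: List[str] = []
    if protocol == "-1":
        # "-1" means every protocol; FromPort/ToPort are not meaningful for it.
        findings.append("all-protocols")
    elif from_port is not None and to_port is not None:
        ports = (int(from_port), int(to_port))  # the gist writes these as strings; CFN accepts both
        if ports == (0, 65535):
            findings.append("full-port-range")
    if source in ("0.0.0.0/0", "::/0"):
        findings.append("open-to-internet")
    return {"resource": rule_id, "target": target, "source": source, "protocol": protocol,
            "ports": ports, "self_referencing": source_sg is not None and source == target,
            "findings": findings}


def analyze_template(template: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Return one summary per ingress rule, standalone or inline in a SecurityGroup."""
    summaries = []
    for logical_id, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            target = _name(props.get("GroupId", props.get("GroupName", "")))
            summaries.append(describe_ingress(logical_id, target, props))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
                summaries.append(describe_ingress(f"{logical_id}[{i}]", logical_id, rule))
    return summaries


if __name__ == "__main__":
    for summary in analyze_template(SAMPLE_TEMPLATE):
        print(summary)
```

Running it prints one line per rule: the gist's sgtesteringress reports target and source both sgtester with self_referencing True and a full-port-range finding, sgtesterallproto reports all-protocols, and the inline DbSG rule reports source BastionSG with no findings, which is the pattern asked about above (the database group admitting only the bastion group's members).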

@rverma-ccs
Thanks, it was helpful

@jjeanjacques10
Thanks!
