Durch die Nutzung von AWS re:Post stimmt du den AWS re:Post Nutzungsbedingungen
AWS re:Postre:Post

Bulk adding rules to a security group

0

I need to add multiple rules to a new security group, around 130 rules to be specific, spread across 7 port ranges. These rules are already in IP ranges and ports are in ranges too, hence I cannot use prefix method. Is there any way I could bulk add the rules to security group/s?

I have heard it could be possible through CLI but wasn't able to get any guides to do the same for this process.

  • Gary Mclean EXPERTE
    vor 8 Monaten

    NOTE.. Maximum number of rules For an account with the default quota of 60 rules, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. For more information, see Security group size. A quota change applies to both inbound and outbound rules. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000.

Themen
Vernetzung & Bereitstellung von InhaltenManagement & UnternehmensführungAWS Framework mit guter Struktur
Tags
Amazon VPCAWS Management ConsoleVernetzung & Bereitstellung von InhaltenSicherheitSicherheitsgruppe
Sprache
English
Akash
gefragt vor 8 Monaten895 Aufrufe
2 Antworten
1

Hello.

Yes, you can use the AWS Command Line Interface (CLI) to bulk add rules to an EC2 security group. To achieve this, you can use a combination of a script and the aws ec2 authorize-security-group-ingress command.

Create .csv file with all rules like

protocol,from_port,to_port,cidr
tcp,80,80,192.168.1.0/24
tcp,443,443,10.0.0.0/16
...

run script:

#!/bin/bash

SECURITY_GROUP_ID="YOUR_SECURITY_GROUP_ID"

while IFS=, read -r protocol from_port to_port cidr
do
    echo "Adding rule: Protocol: $protocol, From Port: $from_port, To Port: $to_port, CIDR: $cidr"
    aws ec2 authorize-security-group-ingress \
        --group-id $SECURITY_GROUP_ID \
        --protocol $protocol \
        --port $from_port-$to_port \
        --cidr $cidr
done < rules.csv

This script only handles inbound rules (authorize-security-group-ingress). If you also need to bulk add outbound rules, you'll need a similar script but use authorize-security-group-egress.

Best regards, Andrii

profile picture
EXPERTE
Andrii S
beantwortet vor 8 Monaten
profile picture
EXPERTE
Oleksii Bebych
überprüft vor 7 Tagen
profile picture
EXPERTE
Gary Mclean
überprüft vor 8 Monaten
1

Hi,

I'd strongly suggest to use the AWS version of Infra-as-Code, which is CloudFormation (CFN), to create such sophisticated security group(s): https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

When you have your definitions in your CFN template , you can re-use it in multiple stacks and accounts, with no effort.

Personally, I try to define 100% of my infra resources via CFN: it's an initial investment but you recoup it very rapidly when you need to recreate same definitions again and again.

Best,

Didier

profile pictureAWS
EXPERTE
Didier_Durand
beantwortet vor 8 Monaten
profile picture
EXPERTE
Gary Mclean
überprüft vor 8 Monaten

Du bist nicht angemeldet. Anmelden um eine Antwort zu veröffentlichen.

Eine gute Antwort beantwortet die Frage klar, gibt konstruktives Feedback und fördert die berufliche Weiterentwicklung des Fragenstellers.

Richtlinien für die Beantwortung von Fragen

Relevanter Inhalt