Bulk adding rules to a security group


I need to add multiple rules to a new security group, around 130 rules to be specific, spread across 7 port ranges. These rules are already IP ranges, and the ports are in ranges too, hence I cannot use the prefix list method. Is there any way I could bulk add the rules to the security group(s)?

I have heard it could be possible through the CLI, but I wasn't able to find any guides for this process.

  • NOTE: Maximum number of rules. For an account with the default quota of 60 rules, a security group can have 60 inbound rules for IPv4 traffic and 60 inbound rules for IPv6 traffic. For more information, see Security group size. A quota change applies to both inbound and outbound rules. This quota multiplied by the quota for security groups per network interface cannot exceed 1,000.

2 Answers

Hi,

I'd strongly suggest using the AWS version of Infra-as-Code, which is CloudFormation (CFN), to create such sophisticated security group(s): https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-security-group.html

When you have your definitions in your CFN template, you can re-use it in multiple stacks and accounts with no effort.

Personally, I try to define 100% of my infra resources via CFN: it's an initial investment but you recoup it very rapidly when you need to recreate same definitions again and again.

Best,

Didier

answered 7 months ago

Hello.

Yes, you can use the AWS Command Line Interface (CLI) to bulk add rules to an EC2 security group. To achieve this, you can use a combination of a script and the aws ec2 authorize-security-group-ingress command.

Create a .csv file with all the rules, like:

protocol,from_port,to_port,cidr
tcp,80,80,192.168.1.0/24
tcp,443,443,10.0.0.0/16
...

Run the script:

#!/bin/bash
set -euo pipefail

SECURITY_GROUP_ID="YOUR_SECURITY_GROUP_ID"

# Skip the CSV header row; every remaining row is one rule.
tail -n +2 rules.csv | while IFS=, read -r protocol from_port to_port cidr
do
    cidr="${cidr%$'\r'}"   # tolerate CRLF files
    # Skip blank lines and comments.
    [[ -z "$protocol" || "$protocol" == \#* ]] && continue
    echo "Adding rule: Protocol: $protocol, From Port: $from_port, To Port: $to_port, CIDR: $cidr"
    # --port takes a single port or a min-max range. A rule that already exists
    # fails with InvalidPermission.Duplicate; report it and keep going.
    aws ec2 authorize-security-group-ingress \
        --group-id "$SECURITY_GROUP_ID" \
        --protocol "$protocol" \
        --port "$from_port-$to_port" \
        --cidr "$cidr" \
        || echo "Failed to add rule $protocol/$from_port-$to_port from $cidr" >&2
done

This script only handles inbound rules (authorize-security-group-ingress). If you also need to bulk add outbound rules, you'll need a similar script but use authorize-security-group-egress.

Best regards, Andrii

answered 7 months ago
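The two answers above cover the CLI route and the CloudFormation route separately. The script below is an added example (not code from either answer) that takes the same CSV layout Andrii's answer uses and produces both: one consolidated `aws ec2 authorize-security-group-ingress --ip-permissions` call per security group, and a CloudFormation template with `AWS::EC2::SecurityGroup` resources as Didier suggests. It also validates each CIDR, flags rules open to 0.0.0.0/0, and splits the rule set across several groups so no group exceeds the 60-rule default quota mentioned in the question (every CIDR counts as one rule). The CSV content, the security group IDs and the resource names are constructed for illustration; the quota constant and the assumption that only TCP/UDP IPv4 rules are present are also assumptions.

```python
"""Bulk EC2 security group rules from a CSV of (protocol, from_port, to_port, cidr).

Added example; not part of the original answers. Assumes the CSV columns used in
the second answer, IPv4 TCP/UDP rules only, and the default quota from the question.
"""
import csv
import io
import ipaddress
import json
from collections import OrderedDict

# Default inbound IPv4 rule quota per security group, as quoted in the question.
RULES_PER_SG_QUOTA = 60

# Constructed sample input in the same layout as the second answer's rules.csv.
SAMPLE_CSV = """protocol,from_port,to_port,cidr
tcp,80,80,192.168.1.0/24
tcp,443,443,10.0.0.0/16
tcp,443,443,10.1.0.0/16
udp,10000,20000,172.16.0.0/12
tcp,22,22,0.0.0.0/0
"""


def parse_rules(text):
    """Parse and validate the CSV. Returns a list of (protocol, from, to, cidr) tuples."""
    rules = []
    for row in csv.DictReader(io.StringIO(text)):
        proto = row["protocol"].strip().lower()
        if proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {proto!r}; icmp/-1 rules need a different shape")
        frm, to = int(row["from_port"]), int(row["to_port"])
        if not 0 <= frm <= to <= 65535:
            raise ValueError(f"bad port range {frm}-{to}")
        # strict=True rejects CIDRs with host bits set (e.g. 192.168.1.5/24), a common typo.
        cidr = ipaddress.ip_network(row["cidr"].strip(), strict=True)
        if cidr.version != 4:
            raise ValueError(f"{cidr} is not IPv4; IPv6 rules use Ipv6Ranges and a separate quota")
        rules.append((proto, frm, to, str(cidr)))
    return rules


def wide_open(rules):
    """Rules that admit the whole internet; review these before applying anything."""
    return [r for r in rules if r[3] == "0.0.0.0/0"]


def split_by_quota(rules, quota=RULES_PER_SG_QUOTA):
    """Chunk rules so each chunk fits one security group (each CIDR counts as one rule)."""
    return [rules[i:i + quota] for i in range(0, len(rules), quota)]


def group_permissions(rules):
    """Collapse rules sharing (protocol, from, to) into one IpPermissions entry."""
    grouped = OrderedDict()
    for proto, frm, to, cidr in rules:
        grouped.setdefault((proto, frm, to), []).append({"CidrIp": cidr})
    return [{"IpProtocol": p, "FromPort": f, "ToPort": t, "IpRanges": ranges}
            for (p, f, t), ranges in grouped.items()]


def cli_commands(rules, group_ids, quota=RULES_PER_SG_QUOTA):
    """One authorize-security-group-ingress call per group: fewer API calls than one per rule."""
    chunks = split_by_quota(rules, quota)
    if len(group_ids) < len(chunks):
        raise ValueError(f"{len(rules)} rules need {len(chunks)} groups, only {len(group_ids)} given")
    cmds = []
    for gid, chunk in zip(group_ids, chunks):
        perms = json.dumps(group_permissions(chunk), separators=(",", ":"))
        cmds.append(f"aws ec2 authorize-security-group-ingress --group-id {gid} --ip-permissions '{perms}'")
    return cmds


def cloudformation_template(rules, vpc_param="VpcId", quota=RULES_PER_SG_QUOTA):
    """Same rules as AWS::EC2::SecurityGroup resources (JSON form of a CFN template)."""
    resources = {}
    for n, chunk in enumerate(split_by_quota(rules, quota), start=1):
        ingress = [{"IpProtocol": p, "FromPort": f, "ToPort": t, "CidrIp": c} for p, f, t, c in chunk]
        resources[f"BulkSecurityGroup{n}"] = {   # hypothetical resource name
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": f"Bulk rules, part {n}",
                "VpcId": {"Ref": vpc_param},
                "SecurityGroupIngress": ingress,
            },
        }
    return {"AWSTemplateFormatVersion": "2010-09-09",
            "Parameters": {vpc_param: {"Type": "AWS::EC2::VPC::Id"}},
            "Resources": resources}


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_CSV)
    for r in wide_open(rules):
        print("WARNING: open to the internet:", r)
    # Hypothetical group IDs; with the default quota the sample fits in one group.
    for cmd in cli_commands(rules, ["sg-0123456789abcdef0"]):
        print(cmd)
    print(json.dumps(cloudformation_template(rules), indent=2))
```

Using `--ip-permissions` rather than `--protocol/--port/--cidr` puts all CIDRs for one port range into a single call, so a 130-rule set across 7 port ranges becomes 7 permission entries instead of 130 invocations. The `ip_network(..., strict=True)` check catches a CIDR whose host bits are set before the API does, and the 0.0.0.0/0 warning is the one review step worth keeping even when the rules come from a trusted spreadsheet.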
