How do I use my own security group for my load balancer when I deploy an AWS Elastic Beanstalk application?

Short description

Elastic Beanstalk creates a default security group for your load balancer. You can override this default behavior if you have an existing security group (also called a ManagedSecurityGroup) that you want to attach to your load balancer. To prevent Elastic Beanstalk from creating a default security group, you must add one or more configuration files to a .ebextensions directory. The directory is in your application deployment package.

Important: The following steps apply only to Application Load Balancers and Classic Load Balancers. Network Load Balancers don't have an associated security group.

Resolution

Use .ebextensions to instruct the Elastic Beanstalk service to attach an existing security group to your load balancer. Then, remove the default security group that Elastic Beanstalk creates for you.

1.    Confirm that you have an existing security group for Elastic Beanstalk to use. Or, create a new security group for the load balancer in your Elastic Beanstalk environment.

2.    Note the ID of your security group. For example: sg-123456

3.    Create a .ebextensions/ directory in your local application code directory.

Note: For more information, see Advanced environment customization with configuration files (.ebextensions).

4.    In the .ebextensions/ directory, create a file named elbsg.config. For example:

~/workspace/my-app/
├── .ebextensions
│   ├── elbsg.config
├── helloworld

Note: For more information, see Advanced environment customization with configuration files (.ebextensions).

5.    Update the elbsg.config file based on the load balancer type of your Elastic Beanstalk environment.

To create a new environment or update an existing environment with a Classic Load Balancer, use the SecurityGroups setting to override the default security group. For example:

option_settings:
 aws:elb:loadbalancer:
  ManagedSecurityGroup: "sg-123456"
  SecurityGroups: "sg-123456"

To create a new environment or update an existing environment with an Application Load Balancer, use the SecurityGroups setting to override the default security group. For example:

option_settings:
 aws:elbv2:loadbalancer:
  ManagedSecurityGroup: "sg-123456"
  SecurityGroups: "sg-123456"

Note: In the preceding examples, replace sg-123456 with your security group and managed security group. The preceding .ebextensions are in YAML format. Be sure to validate the YAML formatting.

6.    Deploy your code and the new .ebextensions/ directory together as a new application version in your Elastic Beanstalk environment.

After deployment, your security group is attached to the load balancer. Your environment and load balancer are now using your existing security group instead of the default load balancer security group.

Related information

Configuring Elastic Beanstalk environments

aws:elb:loadbalancer

aws:elbv2:loadbalancer