MistOnline

AWS

How to copy AWS Security Group rules to different region

Oct 16, 2023

This is a quick tutorial on how to move a Security group along with each rule description which is huge and impossible to copy paste to a different region.

Note that AWS already have an option to copy security groups within same region (at the time of writing this tutorial).

I am going to use CloudShell – AWS CloudShell, a browser-based shell, you can quickly run scripts with the AWS Command Line Interface (CLI), experiment with service APIs using the AWS CLI. We really don’t have to configure any AWS CLI on your server / environment. Just login to the AWS console and click on the Cloudshell icon towards the bottom left footer bar.

Here we are going to look in to details on,

Existing Security Group

In my case I wanted to transfer a security group which is having more than 50 different IP address (both IPV4 and IPV6) ingress rules along with description of each rule from Northern Virginia to Mumbai. This is going to be a time taking task (doable) if I have to manually add them. Another method is to use CloudFormation but since I am not using CloudFormation in my environment, didn’t wanted to go that route. You don’t really need to have AWS CLI skill to run this since CloudShell is AWS CLI ready and all you have to do is copy paste my commands and replace the Security Group IDs and other details with your requirement.

Use describe-security-groups API

For this login to the CloudShell interface – In the AWS console page just click on the footer link which says CloudShell. In my case I am logged in to Northern Virginia(US-East-1)

Run the command below to describe the security group rules, replace group id with your own.

[cloudshell-user@ip-10-2-103-38 ~]$ aws ec2 describe-security-groups --query 'SecurityGroups[*].[IpPermissions][][]' --group-id sg-09617118849cec9b0

The above comment will show you all the rules you have for this security group. Now assuming that this is the same security group you would like to copy to the other region do the below.

Let us dump the rules to a json file named sg_data_dump.json. 

[cloudshell-user@ip-10-2-103-38 ~]$ aws ec2 describe-security-groups --query 'SecurityGroups[*].[IpPermissions][][]' --group-id sg-09617118849cec9b0  > sg_data_dump.json

Authorize Security Group Ingress to another region

Now that we have all rules from the security group saved to json file sg_data_dump.json. The next step is to run authorize-security-group-ingress CLI to add rules to the security group in the other region.

Security group ID in my destination region ap-south-1 is sg-06b359f25a796fef8.

You can create new security group using console and get the security group ID from there or use any existing security group.

Take a backup (using copy option in Console [Select the SG , Action > copy to new security group] option already available for same region) of the destination security group just in case before running the call below. Replace –region with your intended region.

Verify security group limits – https://docs.aws.amazon.com/vpc/latest/userguide/amazon-vpc-limits.html#vpc-limits-security-groups

[cloudshell-user@ip-10-2-103-38 ~]$ aws ec2 authorize-security-group-ingress --group-id sg-06b359f25a796fef8 --region ap-south-1 --ip-permissions "file://sg_data_dump.json"

Your output should be something like this (truncated). It will be big depending upon the number of rules you authorized.

{
    "Return": true,
    "SecurityGroupRules": [
        {
            "SecurityGroupRuleId": "sgr-005719ba04fbfcde3",
            "GroupId": "sg-06b359f25a796fef8",
            "GroupOwnerId": "xxx",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "103.22.200.0/22",
            "Description": "Cloudflare IP"
        },
        {
            "SecurityGroupRuleId": "sgr-00efeb837c87fb0c2",
            "GroupId": "sg-06b359f25a796fef8",
            "GroupOwnerId": "xx",
            "IsEgress": false,
            "IpProtocol": "tcp",
            "FromPort": 80,
            "ToPort": 80,
            "CidrIpv4": "173.245.48.0/20",
            "Description": "Cloudflare IP"
        },
        {

If you get an error similar to the one below stating that some rule already exist then please remove it and re-run the above command.

An error occurred (InvalidPermission.Duplicate) when calling the AuthorizeSecurityGroupIngress operation: the specified rule "peer: xx.xxx.xx.xx/32, TCP, from port: 22, to port: 22, ALLOW" already exists

Related Tutorials:

Related Post

AWS kubernetes

How to launch AWS EKS Cluster and connect to EFS using PHP

admin Mar 19, 2024
AWS

How to send and receive custom event using AWS EventBridge

admin Sep 6, 2023
AWS

How to generate signed URL using CloudFront and secure S3 objects access

admin Sep 1, 2023

Leave a Reply

Your email address will not be published. Required fields are marked *