Create a Security Group Rule
By default, Amazon Web Services (AWS) Virtual Private Cloud (VPC) blocks all network traffic. As a result, every rule you create is automatically configured to Allow traffic; you cannot edit this action.
Note: When you create a new security group rule, you must associate it with a security group.
The AWS console does not support rules that contain more than one source or destination. This means that if you deploy a single security group rule that contains more than one entity, Security Cloud Control converts the rule into separate rules before deploying it to the AWS VPC. For example, if you create an inbound rule that allows traffic from two port ranges into one cloud security group object, Security Cloud Control converts it into two separate rules. One allows traffic from the first port range to the security group, and the other allows traffic from the second port range to the security group.
Use this procedure to create a security group rule:
Procedure
Step 1: Choose .
Step 2: Click the Template tab.
Step 3: Click the AWS tab, and select the AWS VPC device template whose access control policy you want to edit.
Step 4: In the Management pane, select Policy.
Step 5: Click the blue plus button next to the security group you wish to add the rule to.
Step 6: Click Inbound or Outbound.
  Inbound rules: The source network can contain one or multiple IPv4 addresses, IPv6 addresses, or cloud security group objects. The destination network must be defined as a single cloud security group object.
  Outbound rules: The source network must be defined as a single cloud security group object. The destination network can contain one or multiple IPv4 addresses, IPv6 addresses, or security group objects.
Step 7: Enter the rule name. You can use alphanumeric characters, spaces, and the special characters plus, period, underscore, and hyphen.
Step 8: Define the traffic matching criteria by using any combination of attributes in the following tabs.
  Source: Click the Source tab and add or remove networks (which includes networks and continents). You cannot define a port or port range as the source.
  Destination: Click the Destination tab and add or remove networks (which includes networks and continents), or ports on which the traffic arrives. The default value is "Any."
Step 9: Click Save.
Step 10: Review and deploy the changes you made immediately, or wait and deploy multiple changes at once.
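The following is an added example, not Security Cloud Control's own code, that models the two behaviours described on this page: the direction constraints from Step 6 (inbound rules need a single security group as destination, outbound rules a single security group as source) and the conversion of a multi-entity rule into one single-entity AWS rule per source/destination and port range. The CloudRule model, the "sg-" prefix used to recognise security group objects, and the Direction key in the output are assumptions; the peer entries follow the shape of the EC2 IpPermissions structure.

```python
from dataclasses import dataclass, field
from ipaddress import ip_network

# Added example (not Security Cloud Control code): simplified rule model.
@dataclass
class CloudRule:
    name: str
    direction: str      # "inbound" or "outbound"
    protocol: str       # e.g. "tcp"
    sources: list       # CIDR strings or hypothetical "sg-..." group IDs
    destinations: list
    port_ranges: list = field(default_factory=list)  # (from, to) tuples

def is_security_group(entity: str) -> bool:
    return entity.startswith("sg-")   # assumed naming convention

def validate(rule: CloudRule) -> None:
    # Inbound: single security group destination; outbound: single group source.
    side = "destination" if rule.direction == "inbound" else "source"
    fixed = rule.destinations if side == "destination" else rule.sources
    if len(fixed) != 1 or not is_security_group(fixed[0]):
        raise ValueError(f"{rule.direction} rule needs exactly one security "
                         f"group as its {side}")

def peer_entry(entity: str) -> dict:
    # Describe the remote side in the shape of an EC2 IpPermissions entry.
    if is_security_group(entity):
        return {"UserIdGroupPairs": [{"GroupId": entity}]}
    net = ip_network(entity, strict=False)
    if net.version == 6:
        return {"Ipv6Ranges": [{"CidrIpv6": str(net)}]}
    return {"IpRanges": [{"CidrIp": str(net)}]}

def expand(rule: CloudRule) -> list:
    """Return one single-entity AWS rule per (peer, port range) pair."""
    validate(rule)
    inbound = rule.direction == "inbound"
    peers = rule.sources if inbound else rule.destinations
    group = (rule.destinations if inbound else rule.sources)[0]
    ranges = rule.port_ranges or [(None, None)]   # no range: all ports
    rules = []
    for lo, hi in ranges:
        for peer in peers:
            perm = {"IpProtocol": rule.protocol, **peer_entry(peer)}
            if lo is not None:
                perm.update(FromPort=lo, ToPort=hi)
            rules.append({"GroupId": group, "Direction": rule.direction,
                          "IpPermissions": [perm]})
    return rules
```

With two port ranges and one source, expand() yields two rules, matching the conversion the page describes; mixing IPv4 and IPv6 peers yields one rule per peer with the appropriate range key.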