Associate security groups with multiple VPCs
If you have workloads running in multiple VPCs that share network security requirements, you can use the Security Group VPC Associations feature to associate a security group with multiple VPCs in the same Region. This enables you to manage and maintain security groups in one place for multiple VPCs in your account.
The diagram above shows AWS account A with two VPCs in it. Each of the VPCs has workloads running in a private subnet. In this case, workloads in VPC A and B subnets share the same network traffic requirements, so Account A can use the Security Group VPC associations feature to associate the security group in VPC A with VPC B. Any updates made to the associated security group are automatically applied to the traffic to workloads in the VPC B subnet.
Requirements of the Security Group VPC Associations feature
- You must own the VPC or have one of the VPC subnets shared with you to associate a security group with the VPC.
- The VPC and security group must be in the same AWS Region.
- You can only use this feature with non-default security groups.
- You cannot use this feature with a security group that’s created in a default VPC. You can only use this feature with security groups that are associated with non-default VPCs.
- Both the security group owner and the VPC owner can view the security group VPC associations.
Services that support this feature
- Amazon API Gateway (REST APIs only)
- AWS Auto Scaling
- AWS CloudFormation
- Amazon EC2
- Amazon EFS
- Amazon EKS
- Amazon FSx
- AWS PrivateLink
- Amazon Route 53
- Elastic Load Balancing
  - Application Load Balancer
  - Network Load Balancer
Associate a security group with another VPC
This section explains how to use the AWS Management Console and the AWS CLI to associate a security group with VPCs.
The VPC is now associated with the security group.
Once you’ve associated the VPC with the security group, you can, for example, launch an instance into the VPC and choose this new security group or reference this security group in an existing security group rule.
Disassociate a security group from another VPC
This section explains how to use the AWS Management Console and the AWS CLI to disassociate a security group from VPCs. You may want to do this if your goal is to delete the security group, because a security group cannot be deleted while it is still associated with a VPC. You can only disassociate a security group if there are no network interfaces in the associated VPC using that security group.
The VPC is now disassociated from the security group.
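The two pre-checks a practitioner wants before running the association and disassociation procedures above, as an added example that is not part of this page or of AWS's own tooling. It works over the JSON the AWS CLI returns; the `aws ec2 describe-network-interfaces`, `describe-security-groups` and `disassociate-security-group-vpc` commands are the EC2 operations this feature uses, and all IDs and the JSON sample are constructed.

```python
"""Pre-checks for Security Group VPC Associations, run over AWS CLI JSON output."""
import json

# Constructed sample: what the following command could return for the target VPC
#   aws ec2 describe-network-interfaces \
#     --filters Name=vpc-id,Values=vpc-0bbb Name=group-id,Values=sg-0aaa
SAMPLE_ENIS = json.loads("""{"NetworkInterfaces": [
  {"NetworkInterfaceId": "eni-0001", "VpcId": "vpc-0bbb",
   "Groups": [{"GroupId": "sg-0aaa", "GroupName": "shared-web"}]},
  {"NetworkInterfaceId": "eni-0002", "VpcId": "vpc-0bbb",
   "Groups": [{"GroupId": "sg-0ccc", "GroupName": "other"}]}
]}""")


def association_problems(group, group_region, vpc_region, home_vpc_is_default):
    """Reasons an association would violate the feature's requirements (empty list
    means none found). `group` is one item from `aws ec2 describe-security-groups`;
    the Regions and whether the group's home VPC is a default VPC (IsDefault in
    `aws ec2 describe-vpcs`) are supplied by the caller."""
    problems = []
    if group_region != vpc_region:
        problems.append("security group and VPC are in different Regions")
    if group.get("GroupName") == "default":
        problems.append("default security groups cannot be associated")
    if home_vpc_is_default:
        problems.append("security groups created in a default VPC cannot be associated")
    return problems


def blocking_interfaces(describe_enis_output, group_id, vpc_id):
    """ENI IDs in vpc_id that still reference group_id; a non-empty list means
    disassociate-security-group-vpc will be refused until they are moved off."""
    return sorted(
        eni["NetworkInterfaceId"]
        for eni in describe_enis_output.get("NetworkInterfaces", [])
        if eni.get("VpcId") == vpc_id
        and any(g.get("GroupId") == group_id for g in eni.get("Groups", []))
    )


def plan_disassociation(describe_enis_output, group_id, vpc_id):
    """Return the CLI command to run, or the interfaces that block it."""
    blockers = blocking_interfaces(describe_enis_output, group_id, vpc_id)
    if blockers:
        return {"ok": False, "blocking_enis": blockers}
    return {"ok": True, "command": f"aws ec2 disassociate-security-group-vpc "
                                   f"--group-id {group_id} --vpc-id {vpc_id}"}


if __name__ == "__main__":
    print(plan_disassociation(SAMPLE_ENIS, "sg-0aaa", "vpc-0bbb"))
```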