
I have several IPs and I want to add access from exactly those IPs to some security groups. Is there a way to declare the IPs once and reuse them in security groups instead of declaring those IPs on each security group?

Roy Shmuli

2 Answers

There is no way to do an "include" in a security group, including a list of rules by reference.

However, by default, each instance can be a member of up to five security groups, so one common solution is to make each instance a member of two security groups -- one for common rules, and another for rules that are more specific and not shared across all the instances.

This was not possible for many years, but AWS announced the availability of managed prefix lists in 2020.

A managed prefix list is a set of one or more CIDR blocks. You can use prefix lists to make it easier to configure and maintain your security groups and route tables. You can create a prefix list from the IP addresses that you frequently use, and reference them as a set in security group rules and routes instead of referencing them individually.

https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

Note that it is possible to use a security group ID instead of an IP address in a security group rule, but this has nothing to do with the rules in the referenced group -- it is not an "include." An inbound rule listing a security group ID allows inbound traffic from instances that are members of the listed group. It does not cause a security group to follow any of the rules in the other group.

Michael - sqlbot
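As an added illustration of the prefix-list approach (example Terraform, not code from either answer), the CIDRs below are constructed documentation ranges and the VPC ID, resource names and the 443/tcp rule are assumptions; the shared addresses are declared once and referenced by ID from each security group rule that needs them.

```hcl
# Declare the shared set of addresses once. address_family restricts the
# entries to IPv4 CIDRs; max_entries is the ceiling for this list and, when the
# list is referenced from a security group, counts as that many rules against
# the group's rule quota, so keep it close to the real number of entries.
resource "aws_ec2_managed_prefix_list" "trusted_ips" {
  name           = "trusted-ips"          # assumed name
  address_family = "IPv4"
  max_entries    = 5

  entry {
    cidr        = "203.0.113.10/32"       # constructed documentation address
    description = "Office egress"
  }
  entry {
    cidr        = "198.51.100.0/24"       # constructed documentation range
    description = "Partner range"
  }
}

# Two independent security groups that both need the same source addresses.
resource "aws_security_group" "web" {
  name   = "web"
  vpc_id = var.vpc_id                     # assumed input variable
}

resource "aws_security_group" "admin" {
  name   = "admin"
  vpc_id = var.vpc_id
}

# Each rule references the prefix list by ID instead of repeating the CIDRs.
# Changing an entry in the list updates every rule that references it.
resource "aws_security_group_rule" "web_https_from_trusted" {
  type              = "ingress"
  security_group_id = aws_security_group.web.id
  protocol          = "tcp"
  from_port         = 443
  to_port           = 443
  prefix_list_ids   = [aws_ec2_managed_prefix_list.trusted_ips.id]
}

resource "aws_security_group_rule" "admin_ssh_from_trusted" {
  type              = "ingress"
  security_group_id = aws_security_group.admin.id
  protocol          = "tcp"
  from_port         = 22
  to_port           = 22
  prefix_list_ids   = [aws_ec2_managed_prefix_list.trusted_ips.id]
}
```

Because the rules point at the list ID, removing a stale address from the prefix list revokes it from every referencing group at once, which is the maintenance benefit the answers describe.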

The accepted answer is no longer true; you can use Prefix Lists to achieve that.

https://docs.aws.amazon.com/vpc/latest/userguide/managed-prefix-lists.html

Edmundo Santos