
Cisco Defense Orchestrator

AWS VPC Security Groups Rules

AWS security groups are a collection of rules that govern inbound and outbound network traffic to all the AWS EC2 instances, and other entities, associated with the security group. 

Similar to the Amazon Web Services (AWS) console, CDO displays each rule individually. As long as your SDC has access to the Internet, you can create and manage AWS Virtual Private Cloud (VPC) rules for the following environments:

  • A security group allowing traffic to or from another security group within the same AWS VPC. 
  • A security group allowing traffic to or from an IPv4 or IPv6 address. 

When creating a rule in CDO that contains an AWS security group, keep the following limitations in mind:

  • For a rule allowing inbound traffic, the source can be one or more security group objects in the same AWS VPC, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Inbound rules can only have one security group object as the destination. 
  • For a rule allowing outbound traffic, the destination can be one or more security group objects in the same AWS VPC, a prefix list ID, an IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address. Outbound rules can only have one security group object as the source. 
  • CDO translates rules that contain multiple entities, such as more than one port or subnet, into separate rules before deploying them to an AWS VPC. 
  • When you add or remove rules, the changes are automatically applied to all AWS entities associated with the security group.
  • An AWS security group is limited to hosting a maximum of 60 inbound rules and 60 outbound rules. This limit is enforced separately for IPv4 rules and IPv6 rules, and any additional rules created in CDO count toward that total. In short, you cannot exceed the 60-rule limit by onboarding to CDO. 

Warning: Any edits made to existing rules will result in the edited rule being deleted and a new rule created with the new details. This will cause traffic that depends on that rule to be dropped for a very brief period of time until the new rule can be created. This does not occur if you create a brand new rule. 
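The following is an added example, not CDO's or AWS's own code, that models the three behaviours above: a CDO rule listing several ports or peers expands into one AWS rule per (port, peer) pair, the resulting rules are counted against the 60-per-direction limit separately for IPv4 and IPv6, and an edit to a deployed rule is planned as a delete plus a create rather than an in-place change. The `CdoRule`/`AwsRule` data model, the helper names, and the choice to count a security-group reference against both the IPv4 and the IPv6 totals are assumptions; the sample rules are constructed.

```python
"""Added example (not CDO's or AWS's own code): models how a CDO rule with
several ports or peers expands into individual AWS security group rules, how
the 60-rule-per-family limit is checked, and why editing a rule deploys as a
delete plus a create. The data model and helper names are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

RULE_LIMIT = 60  # per direction, counted separately for IPv4 and IPv6 (from the page)


@dataclass(frozen=True)
class AwsRule:
    """One rule as AWS stores it: a single port and a single peer."""
    direction: str  # "inbound" or "outbound"
    protocol: str   # "tcp", "udp", ...
    port: int
    peer: str       # CIDR block (single hosts become /32 or /128) or an sg- id


@dataclass
class CdoRule:
    """A rule as authored in CDO: may list several ports and peers."""
    direction: str
    protocol: str
    ports: List[int]
    peers: List[str]  # CIDR blocks, single addresses, or security group ids


def normalize_peer(peer: str) -> str:
    """Security group ids pass through; addresses and CIDRs are canonicalised,
    so a bare host such as 10.0.0.5 becomes 10.0.0.5/32."""
    if peer.startswith("sg-"):
        return peer
    return str(ipaddress.ip_network(peer, strict=False))


def peer_family(peer: str) -> str:
    """'sg' for a security group reference, else 'ipv4' or 'ipv6'."""
    if peer.startswith("sg-"):
        return "sg"
    return "ipv4" if ipaddress.ip_network(peer, strict=False).version == 4 else "ipv6"


def expand(rule: CdoRule) -> List[AwsRule]:
    """One AWS rule per (port, peer) pair, which is the split the page says CDO
    performs before deploying to the VPC."""
    return [
        AwsRule(rule.direction, rule.protocol, port, normalize_peer(peer))
        for port in rule.ports
        for peer in rule.peers
    ]


def count_by_family(rules: List[AwsRule]) -> Dict[Tuple[str, str], int]:
    """Count rules per (direction, family). A security-group reference is
    assumed here to count against both the IPv4 and the IPv6 total."""
    counts: Dict[Tuple[str, str], int] = {}
    for r in rules:
        fam = peer_family(r.peer)
        families = ("ipv4", "ipv6") if fam == "sg" else (fam,)
        for f in families:
            counts[(r.direction, f)] = counts.get((r.direction, f), 0) + 1
    return counts


def over_limit(existing: List[AwsRule], proposed: List[AwsRule]) -> List[Tuple[str, str]]:
    """Return the (direction, family) buckets that would exceed RULE_LIMIT
    once the proposed rules are added to what the group already holds."""
    counts = count_by_family(existing + proposed)
    return sorted(k for k, n in counts.items() if n > RULE_LIMIT)


def plan(existing: List[AwsRule], desired: List[AwsRule]) -> Tuple[List[AwsRule], List[AwsRule]]:
    """Diff current against desired state. Because a deployed rule is replaced
    rather than modified, an 'edit' shows up as one delete plus one create,
    which is the brief traffic gap the page warns about; a brand-new rule is a
    create only."""
    cur, want = set(existing), set(desired)
    return sorted(cur - want, key=str), sorted(want - cur, key=str)


if __name__ == "__main__":
    # Constructed sample: one CDO rule that would be split into four AWS rules.
    web = CdoRule("inbound", "tcp", [80, 443], ["10.0.0.5", "2001:db8::/32"])
    deployed = expand(web)
    print(len(deployed), "AWS rules from one CDO rule")
    # Changing port 80 to 8080 is planned as two deletes and two creates.
    edited = expand(CdoRule("inbound", "tcp", [8080, 443], ["10.0.0.5", "2001:db8::/32"]))
    deletes, creates = plan(deployed, edited)
    print("delete:", len(deletes), "create:", len(creates))
    print("over limit:", over_limit(deployed, []))
```

Run `over_limit` against the rules a group already holds before pushing a change from CDO; because the expansion multiplies ports by peers, a single CDO rule with a handful of each can consume a large share of the 60-rule budget for one IP family.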

If you need more information on the types of rules you can create from the AWS console, see AWS VPC Security Group Rules. See AWS Security Group Object for more information on objects that can be associated with AWS VPCs.
