


Cisco Defense Orchestrator

Create a Security Group Rule

An Amazon Web Services (AWS) Virtual Private Cloud (VPC) security group blocks all network traffic that is not explicitly allowed. Every security group rule is therefore an Allow rule: AWS has no deny rules, and you cannot change the action of a rule.

Note: Every security group rule belongs to a security group. When you create a new rule you must add it to an existing security group.

AWS stores each security group rule with a single protocol, a single port range, and a single source or destination (one CIDR block or one referenced security group). When you deploy a CDO security group rule that contains more than one of these entities, CDO translates it into separate rules, one per combination, before deploying them to the AWS VPC.
For example, if you create an inbound rule that allows traffic on two port ranges into one cloud security group object, CDO deploys two separate rules: (1) allow traffic on the first port range to the security group, and (2) allow traffic on the second port range to the security group.

Use this procedure to create a security group rule:

  1. Open the Devices & Services page.
  2. Select the AWS VPC device template whose access control policy you want to edit.
  3. In the Management pane on the right, select Policy.
  4. Click the blue plus button next to the security group you want to add the rule to.
  5. Click Inbound or Outbound.
  • Inbound rules - The source network can contain one or more IPv4 addresses, IPv6 addresses, or cloud security group objects. The destination network must be a single cloud security group object.
  • Outbound rules - The source network must be a single cloud security group object. The destination network can contain one or more IPv4 addresses, IPv6 addresses, or cloud security group objects.
  6. Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -
  7. Define the traffic matching criteria by using any combination of attributes in the following tabs:
  • Source - Click the Source tab and add or remove networks (network objects and continents). You cannot use a port or port range as a source.
  • Destination - Click the Destination tab and add or remove networks (network objects and continents), or the ports on which the traffic arrives. The default value is "Any."
    • Note: If no network is defined, CDO translates the rule into two rules in the AWS console: one for IPv4 (0.0.0.0/0) and one for IPv6 (::/0). For an inbound rule this means any host on the internet matches the source, so confirm that is what you intend before you deploy.
  8. Click Save.
  9. Review and deploy the changes now, or wait and deploy multiple changes at once.
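The translation described above (one CDO rule with several entities becoming several single-entity AWS rules, and an undefined network becoming 0.0.0.0/0 plus ::/0) is shown in working form below. This is an added example, not CDO's own code: the rule input shape, the function names, the "sg-" convention for security group references and the sample rules are constructed for the illustration. The output field names (IsEgress, IpProtocol, FromPort, ToPort, CidrIpv4, CidrIpv6, ReferencedGroupInfo) follow what `aws ec2 describe-security-group-rules` returns, so you can compare the expansion against what actually landed in the VPC after a deploy. It also goes one step beyond the text by flagging the rules that end up open to the whole internet.

```python
"""Expand a CDO-style multi-entity security group rule into the single-entity
rules that AWS actually stores, and flag the ones that are open to the world.

Added illustration: this is not CDO's own code. The rule-input shape, the
function names and the sample rules are constructed for the example; the output
field names follow what `aws ec2 describe-security-group-rules` returns.
"""
import ipaddress
from typing import Iterable

ANY_IPV4 = "0.0.0.0/0"   # what an undefined IPv4 network becomes in AWS
ANY_IPV6 = "::/0"        # what an undefined IPv6 network becomes in AWS


def parse_port_range(spec: str) -> tuple[int, int]:
    """'443' -> (443, 443); '8000-8080' -> (8000, 8080)."""
    low, _, high = spec.partition("-")
    start, end = int(low), int(high or low)
    if not 0 <= start <= end <= 65535:
        raise ValueError(f"invalid port range: {spec!r}")
    return start, end


def classify_network(entity: str) -> tuple[str, object]:
    """Map one network entity onto the AWS field that carries it.

    A value starting with "sg-" is treated as a security group reference
    (hypothetical convention for this example); anything else must be a valid
    IPv4 or IPv6 CIDR and is normalised so that "::0/0" and "::/0" compare equal.
    """
    if entity.startswith("sg-"):
        return "ReferencedGroupInfo", {"GroupId": entity}
    net = ipaddress.ip_network(entity, strict=False)
    return ("CidrIpv4" if net.version == 4 else "CidrIpv6"), net.with_prefixlen


def expand_rule(is_egress: bool, protocol: str, ports: Iterable[str],
                networks: Iterable[str]) -> list[dict]:
    """Translate one CDO rule into the per-entity rules AWS will hold.

    - protocol "-1" is "all traffic"; AWS reports its ports as -1/-1.
    - an empty port list on tcp/udp means "Any", i.e. 0-65535.
    - an empty network list is translated into 0.0.0.0/0 and ::/0, exactly
      as the note in the procedure above describes.
    """
    ports = list(ports)
    if protocol == "-1":
        port_ranges = [(-1, -1)]
    elif ports:
        port_ranges = [parse_port_range(p) for p in ports]
    else:
        port_ranges = [(0, 65535)]
    targets = list(networks) or [ANY_IPV4, ANY_IPV6]

    rules = []
    for entity in targets:
        field, value = classify_network(entity)
        for start, end in port_ranges:
            rules.append({
                "IsEgress": is_egress,
                "IpProtocol": protocol,
                "FromPort": start,
                "ToPort": end,
                field: value,
            })
    return rules


def world_open(rules: list[dict]) -> list[dict]:
    """Return the rules whose source/destination is the entire internet."""
    return [r for r in rules
            if r.get("CidrIpv4") == ANY_IPV4 or r.get("CidrIpv6") == ANY_IPV6]


if __name__ == "__main__":
    # Constructed sample: two port ranges from two sources into one group
    # -> four AWS rules.
    for rule in expand_rule(False, "tcp", ["80", "443-445"],
                            ["10.0.0.0/8", "sg-0123456789abcdef0"]):
        print(rule)
    # Constructed sample: inbound SSH with no source defined
    # -> two rules, both open to the internet.
    exposed = world_open(expand_rule(False, "tcp", ["22"], []))
    print(f"{len(exposed)} rule(s) open to the internet")
```

Running `world_open` over the expansion before you click deploy is the cheap check for the case in the note above: a rule saved with an empty source looks harmless in the CDO editor but arrives in AWS as two rules that accept traffic from every IPv4 and IPv6 address.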

Caution: If the deployment fails, CDO attempts to return the AWS VPC to the state it was in before the deployment attempt. This rollback is made on a best-effort basis; because AWS does not keep a record of the previous configuration, it can fail. If it does, log in to the AWS Management Console, manually restore the previous configuration of the AWS VPC, and then read the configuration back into CDO.
