
Cisco Defense Orchestrator

Create a Security Group Rule

By default, an Amazon Web Services (AWS) Virtual Private Cloud (VPC) blocks all network traffic, so every security group rule is automatically configured with the action Allow. You cannot edit this action.

Note: When you create a new security group rule you must associate it with a security group.

The AWS console does not support rules that contain more than one source or destination. This means that if you define more than one entity within a single security group rule in CDO and deploy, CDO translates the rule into separate rules before deploying it to the AWS VPC.
For example, if you create an inbound rule that allows traffic from two port ranges into one cloud security group object, CDO translates it into two separate rules: (1) a rule that allows traffic from the first port range to the security group and (2) a rule that allows traffic from the second port range to the security group.

Use this procedure to create a security group rule:

  1. Open the Devices & Services page.
  2. Select the AWS VPC device template whose access control policy you want to edit.
  3. In the Management pane at the right, select Policy.
  4. Click the blue plus button next to the security group you wish to add the rule to.
  5. Click Inbound or Outbound.
  • Inbound rules - The source network can contain one or multiple IPv4 addresses, IPv6 addresses, or cloud security group objects. The destination network must be defined as a single cloud security group object.
  • Outbound rules - The source network must be defined as a single cloud security group object. The destination network can contain one or multiple IPv4 addresses, IPv6 addresses, or security group objects.
  6. Enter the rule name. You can use alphanumeric characters, spaces, and these special characters: + . _ -
  7. Define the traffic matching criteria by using any combination of attributes in the following tabs:
  • Source - Click the Source tab and add or remove networks (which includes networks and continents). You cannot define a port or port range as the source.
  • Destination - Click the Destination tab and add or remove networks (which includes networks and continents), or ports on which the traffic arrives. The default value is "Any."
    • Note: If no network object is defined, the rule is translated into two rules in the AWS console: one for IPv4 (0.0.0.0/0) and one for IPv6 (::0/0).
  8. Click Save.
  9. Return to the Devices & Services page. The configuration status of the device you changed should now be "Not synced."
  10. Select the device and, in the device details pane at the right, click Preview and Deploy....
  11. On the Pending Changes screen, review the changes:
  • Red rows indicate that something was deleted, green rows indicate that something was added, and blue rows indicate that something was modified in the AWS VPC policy on CDO. The Pending Changes screen also shows when the last deployment was made from CDO to the AWS VPC and who made it. The Pending Changes screen does not show when out-of-band changes were performed.
  • Changes are grouped by type. In this example there would be three changes, two of which create objects and one of which creates an access rule. Clicking the change type jumps you to that section of the pending changes record.
  • The Deployed Version column shows the device's configuration prior to the change. The Pending Version column shows the change you are about to deploy to the AWS VPC. In this example, because we created everything, the Deployed Version field would be empty and the Pending Version column would contain the description of the change you are about to make.
  12. If you are satisfied with the pending version, click Deploy Now. After the changes are deployed successfully, you can view the change log to confirm what just happened.
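
The translation described above (one CDO rule with several networks or port ranges becoming several single-source, single-port-range AWS rules, and an empty network set becoming one IPv4 and one IPv6 rule) can be modelled in a few lines. This is an added example, not CDO's or AWS's own code; the field names, the `AwsRule` shape and the assumption that every network/port-range combination becomes one rule are this example's own, and the CIDRs and security group id in the test are constructed.

```python
"""Model of how a CDO security group rule is expanded into the separate
rules that the AWS console displays.  Added example; the data shapes below
are assumptions, not CDO's or AWS's real data model."""
from dataclasses import dataclass
from ipaddress import ip_network

# Defaults used when a rule leaves the network side empty ("Any"): the page
# describes these as 0.0.0.0/0 for IPv4 and ::0/0 (written ::/0 here) for IPv6.
ANY_NETWORKS = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class AwsRule:
    """One rule as the AWS console shows it: one network, one port range."""
    direction: str   # "inbound" or "outbound"
    protocol: str    # e.g. "tcp"
    from_port: int
    to_port: int
    network: str     # a single CIDR or a single security group id


def expand_rule(direction, protocol, networks, port_ranges):
    """Expand one CDO-style rule into single-entity AWS rules.

    networks:    CIDRs or security group ids on the "other" side of the rule
                 (the security group the rule belongs to is implied).  An
                 empty list means "Any" and becomes an IPv4 and an IPv6 rule.
    port_ranges: list of (from_port, to_port) tuples.
    Assumption: each (network, port range) pair becomes one AWS rule.
    """
    if not networks:
        networks = list(ANY_NETWORKS)
    rules = []
    for net in networks:
        if "/" in net:
            # Validate and normalise CIDRs; a bad prefix raises ValueError.
            net = str(ip_network(net, strict=False))
        for lo, hi in port_ranges:
            if not 0 <= lo <= hi <= 65535:
                raise ValueError(f"invalid port range {lo}-{hi}")
            rules.append(AwsRule(direction, protocol, lo, hi, net))
    return rules


if __name__ == "__main__":
    # The page's example: two port ranges into one security group -> 2 rules.
    for r in expand_rule("inbound", "tcp", ["10.0.0.0/24"], [(80, 80), (443, 443)]):
        print(r)
    # No network defined -> one IPv4 and one IPv6 rule.
    for r in expand_rule("inbound", "tcp", [], [(22, 22)]):
        print(r)
```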

Caution: If the deployment fails, CDO attempts to return the AWS VPC to the state it was in before the deployment attempt. This is done on a "best effort" basis. Because AWS doesn't maintain a state, this rollback attempt could fail. In that case, you will have to log in to the AWS management console, manually return the AWS VPC to its previous configuration, and then read the AWS VPC device configuration back into CDO.
