How do I use my own security group for my load balancer when I deploy an AWS Elastic Beanstalk application?

Last updated: 2020-03-16

I want to create a load-balanced, auto-scaling environment type for my AWS Elastic Beanstalk application and specify my own security group for my load balancer.

Short Description

Elastic Beanstalk creates a default security group for your load balancer. You can override this default behavior if you have an existing security group (also called a ManagedSecurityGroup) that you want to attach to your load balancer. To prevent Elastic Beanstalk from creating a default security group, you must add one or more configuration files to a .ebextensions directory in your application deployment package.

Important: The following steps apply only to Application Load Balancers and Classic Load Balancers. Network Load Balancers don't have associated security groups.

Resolution

Use .ebextensions to instruct the Elastic Beanstalk service to attach an existing security group to your load balancer. Then, remove the default security group that Elastic Beanstalk created for you.

1.    Confirm that you have an existing security group for Elastic Beanstalk to use. Or, create a new security group for the load balancer in your Elastic Beanstalk environment.

2.    Note the ID of your security group (for example, sg-123456).

3.    Create a .ebextensions/ directory in your local application code directory.

Note: For more information, see Advanced environment customization with configuration files (.ebextensions).

4.    In the .ebextensions/ directory, create a file named elbsg.config.

5.    Update the elbsg.config file based on the load balancer type that you have for your Elastic Beanstalk environment.

For the Classic Load Balancer type, make the following update:

option_settings:
    aws:elb:loadbalancer:
        ManagedSecurityGroup: "sg-123456"

If you're updating an existing environment with a Classic Load Balancer, use the SecurityGroups setting to remove the default security group. See the following example:

option_settings:
    aws:elb:loadbalancer:
        ManagedSecurityGroup: "sg-123456"
        SecurityGroups: "sg-123456"

For the Application Load Balancer type, make the following update:

option_settings:
    aws:elbv2:loadbalancer:
        ManagedSecurityGroup: "sg-123456"

If you're updating an existing environment with an Application Load Balancer, use the SecurityGroups setting to remove the default security group. See the following example:

option_settings:
    aws:elbv2:loadbalancer:
        ManagedSecurityGroup: "sg-123456"
        SecurityGroups: "sg-123456"

Note: You can also use the SecurityGroups setting to attach additional security groups to the load balancer.

6.    Deploy your code and the new .ebextensions/ directory together as a new application version in your Elastic Beanstalk environment.

After deployment, your security group is attached to the load balancer. Your environment and load balancer are now successfully using your existing security group instead of the default load balancer security group.
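A pre-deployment check for the elbsg.config file from step 5, added here as an example; it is not part of the original article or of any AWS tooling. The function name lint_elbsg, the allowlist of approved group IDs, and the sample inputs are assumptions, and the parser reads only the simple option_settings layout shown above.

```python
import re

LB_NAMESPACES = {"aws:elb:loadbalancer", "aws:elbv2:loadbalancer"}
SG_ID = re.compile(r"^sg-[0-9a-f]+$")  # loose on length so the page's placeholder passes

def lint_elbsg(text, approved):
    """Return findings for an elbsg.config body; an empty list means it passes."""
    findings, opts, ns = [], {}, None
    for n, raw in enumerate(text.splitlines(), 1):
        if "\t" in raw[:len(raw) - len(raw.lstrip())]:
            findings.append(f"line {n}: tab in indentation, YAML accepts spaces only")
        line = raw.strip()
        if not line or line.startswith("#") or line == "option_settings:":
            continue
        if line.endswith(":"):   # namespace header, e.g. aws:elbv2:loadbalancer:
            ns = line[:-1]
        else:                    # option line, e.g. ManagedSecurityGroup: "sg-..."
            key, _, value = line.partition(":")
            opts[(ns, key.strip())] = value.strip().strip("\"'")
    managed = {ns: v for (ns, k), v in opts.items()
               if ns in LB_NAMESPACES and k == "ManagedSecurityGroup"}
    if not managed:
        findings.append("ManagedSecurityGroup not set: the default group will be created")
    for ns, sg in managed.items():
        if not SG_ID.match(sg) or sg not in approved:
            findings.append(f"{ns}: ManagedSecurityGroup {sg!r} is not an approved group")
        attached = opts.get((ns, "SecurityGroups"))
        if attached is not None:
            groups = [g.strip() for g in attached.split(",")]
            if sg not in groups:
                findings.append(f"{ns}: SecurityGroups omits ManagedSecurityGroup {sg}")
            for extra in groups:
                if extra != sg and extra not in approved:
                    findings.append(f"{ns}: extra group {extra!r} is not approved")
    return findings

# Constructed samples modelled on the Application Load Balancer example above.
GOOD = ('option_settings:\n    aws:elbv2:loadbalancer:\n'
        '        ManagedSecurityGroup: "sg-123456"\n'
        '        SecurityGroups: "sg-123456"\n')
BAD = ('option_settings:\n    aws:elbv2:loadbalancer:\n'
       '    \tManagedSecurityGroup: "sg-123456"\n'
       '        SecurityGroups: "sg-abcdef"\n')

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint_elbsg(body, approved={"sg-123456"}) or "ok")
```

Run it against the file before you build the application version in step 6, and fail the build when the returned list is not empty.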

