How do I use my own security group for my load balancer when I deploy an Elastic Beanstalk application?

2 minute read

I want to create a scalable, load-balanced environment for my AWS Elastic Beanstalk application. I also want to specify my own security group for my load balancer.

Short description

Elastic Beanstalk creates a default security group for your load balancer. To attach an existing security group (ManagedSecurityGroup) to your load balancer, override the default behavior. Add more configuration files to an .ebextensions/ directory so that Elastic Beanstalk doesn't create a default security group. The directory is in your application deployment package.

Important: The following steps apply only to Application Load Balancers and Classic Load Balancers. Network Load Balancers don't have an associated security group.

Resolution

Use .ebextensions to instruct the Elastic Beanstalk service to attach an existing security group to your load balancer. Then, remove the default security group that Elastic Beanstalk creates for you.

1. Confirm that there's an existing security group for Elastic Beanstalk to use. Or, create a new security group for the load balancer in your Elastic Beanstalk environment.

2. Note the ID of your security group. For example: sg-123456.

3. Create a .ebextensions/ directory in your local application code directory.

4. In the .ebextensions/ directory, create a file that's named elbsg.config. For example:

~/workspace/my-app/├── .ebextensions  
│   ├── elbsg.config  
├── helloworld

Note: For more information on the preceding two steps, see Advanced environment customization with configuration files (.ebextensions).

5. Update the elbsg.config file based on the load balancer type of your Elastic Beanstalk environment.

To create a new environment or update an existing environment with a Classic Load Balancer, use the SecurityGroups setting to override the default security group. For example:

option\_settings: aws:elb:loadbalancer:  
  ManagedSecurityGroup: "sg-123456"  
  SecurityGroups: "sg-123456"

To create a new environment or update an existing environment with an Application Load Balancer, use the SecurityGroups setting to override the default security group. For example:

option\_settings: aws:elbv2:loadbalancer:  
  ManagedSecurityGroup: "sg-123456"  
  SecurityGroups: "sg-123456"

Note: In the preceding examples, replace sg-123456 with your security group and managed security group IDs. The preceding .ebextensions are in YAML format. Validate the YAML formatting.

6. Deploy your code and the new .ebextensions/ directory together as a new application version in your Elastic Beanstalk environment.

Related information

Configuring Elastic Beanstalk environments

aws:elb:loadbalancer

aws:elbv2:loadbalancer

Topics

Compute

Relevant content

Load balancer being created by elastic beanstalk isn't a network load balancer
Spencer
asked 14 hours ago
Elastic beanstalk is creating security groups in default vpc instead of the vpc specified
Velu
asked 7 months ago
What rules should I add to my custom security group to avoid using the default VPC security group and still pass the health check?
kerokero
asked 10 days ago
Security Group problem while creating a load balancer
rePost-User-6428404
asked a year ago
Elastic Beanstalk fails when creating Load Balancer config
Chris
asked 5 months ago
How do I securely deploy my application and route traffic to my Elastic Beanstalk environment URL?
AWS OFFICIALUpdated 10 months ago
How can I add my security group to my Elastic Beanstalk environment?
AWS OFFICIALUpdated 10 days ago
How do I restrict access to SSH port 22 in my Elastic Beanstalk instance security group to a specific CIDR or security group?
AWS OFFICIALUpdated 4 days ago
How do I attach a security group to my Elastic Load Balancing load balancer?
AWS OFFICIALUpdated 7 months ago
Launch announcement: Network Load Balancer now supports security groups
EXPERT
zobAWS
published 8 months ago