Security Groups are firewall-like rules that you configure to restrict access to assets deployed in Amazon Web Services infrastructure. Security groups exist only within the scope of a single Amazon EC2 region (for example, security groups configured in the AWS US-EAST region are not available in the AWS APAC region). For multi-region setups and migrations in AWS, one common best practice is to export the security groups from the primary region and configure the same groups in the target AWS region as well.
Point 1) You can use the following command to export a copy of the definitions of existing security groups; this will ease the migration effort:
ec2-describe-group -H --region <Source Region Name> > security_groups.txt
Point 2) Alternatively, you can use the following script to import the security groups into the target AWS region. This script does not work with VPC security groups. It uses the command “ec2-describe-group” to query the existing security groups in a region and generates a shell script that can be used to re-create them in a different region.
- Download the script from the following location: http://ry4an.org/unblog/static/attachments/ec2-security-group-tools.tar.gz
- Set the environment variables required to run the “ec2-describe-group” command, i.e., AWS_SECRET_KEY and AWS_ACCESS_KEY.
- In the file “create-firewall-script.pl”, set the AWS region and AWS Account Number. The AWS region name should be set to the region into which you are importing the security groups; e.g., if you need to import from us-east-1 to us-west-2, update create-firewall-script.pl with the region us-west-2.
- Run the script with the following command; it generates a shell script containing the security group details and the commands needed to create each security group: ec2-describe-group | ./create-firewall-script.pl > create-firewall.sh
- Run the generated shell script with “sh create-firewall.sh”. This creates the security groups in the target region.
- To generate a diagram of the security groups as an image, type the following command: ec2-describe-group | ./visualize-security-groups.pl > groups.png
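The export/transform/re-create flow of Points 1 and 2, as an added example that is not code from the original post or from the linked ec2-security-group-tools package. It assumes the export was taken with the current AWS CLI (aws ec2 describe-security-groups) rather than ec2-describe-group, and, like the tool on the page, it addresses groups by name, which applies to EC2-Classic or a default VPC; non-default VPCs need --vpc-id and target-region group IDs (an assumption, not covered here). The sample export is constructed. Before emitting the re-create commands it lists every rule that is open to the whole Internet, since a migration otherwise copies such rules verbatim into the new region.

```python
"""Plan a cross-region copy of EC2 security groups from a JSON export.

Added example, not code from the original post or the linked tool. It assumes
the export was taken with the current AWS CLI rather than ec2-describe-group:
    aws ec2 describe-security-groups --region us-east-1 > security_groups.json
Like the tool on the page, the generated commands address groups by name, so
they apply to EC2-Classic or a default VPC; non-default VPCs need --vpc-id and
group IDs from the target region (assumption, not covered here).
"""
import json

# Constructed sample export (not real account data). The "db" group allows
# traffic from the "web" group, a group-to-group rule that can only be
# re-created after both groups exist in the target region.
SAMPLE_EXPORT = json.dumps({"SecurityGroups": [
    {"GroupName": "web", "GroupId": "sg-0aaa", "Description": "web tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
         {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
          "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupName": "db", "GroupId": "sg-0bbb", "Description": "db tier",
     "IpPermissions": [
         {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
          "IpRanges": [],
          "UserIdGroupPairs": [{"GroupId": "sg-0aaa", "UserId": "111111111111"}]}]},
]})


def load_groups(export_json):
    """Return the security group records from a describe-security-groups export."""
    return json.loads(export_json)["SecurityGroups"]


def wide_open_rules(groups):
    """List (group, protocol, from_port, to_port) for rules open to 0.0.0.0/0 or ::/0.

    Review these before copying: a migration reproduces every rule verbatim,
    including ones that should never have existed in the source region.
    """
    findings = []
    for group in groups:
        for perm in group["IpPermissions"]:
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            if any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
                findings.append((group["GroupName"], perm["IpProtocol"],
                                 perm.get("FromPort"), perm.get("ToPort")))
    return findings


def _port_args(perm):
    """Translate IpProtocol/FromPort/ToPort into the CLI's --protocol/--port arguments."""
    proto = perm["IpProtocol"]
    if proto == "-1":                      # "-1" in the API means all protocols
        return "--protocol all"
    low, high = perm.get("FromPort"), perm.get("ToPort")
    if low is None:
        return f"--protocol {proto}"
    ports = str(low) if low == high else f"{low}-{high}"
    return f"--protocol {proto} --port {ports}"


def plan_migration(groups, target_region):
    """Return the shell commands that re-create the groups and their ingress rules.

    All groups are created first so that group-to-group references can be
    resolved by name in the second phase.
    """
    name_by_id = {g["GroupId"]: g["GroupName"] for g in groups}
    commands = []
    for group in groups:
        commands.append(
            f"aws ec2 create-security-group --region {target_region} "
            f"--group-name {group['GroupName']} "
            f"--description {json.dumps(group['Description'])}")
    for group in groups:
        for perm in group["IpPermissions"]:
            base = (f"aws ec2 authorize-security-group-ingress --region {target_region} "
                    f"--group-name {group['GroupName']} {_port_args(perm)}")
            for r in perm.get("IpRanges", []):
                commands.append(f"{base} --cidr {r['CidrIp']}")
            for pair in perm.get("UserIdGroupPairs", []):
                source = name_by_id.get(pair["GroupId"])
                if source is None:
                    # A rule pointing at a group outside this export cannot be
                    # copied blindly; stop rather than silently drop it.
                    raise ValueError(
                        f"{group['GroupName']} references unknown group {pair['GroupId']}")
                commands.append(f"{base} --source-group {source}")
    return commands


if __name__ == "__main__":
    sgs = load_groups(SAMPLE_EXPORT)
    for finding in wide_open_rules(sgs):
        print("REVIEW wide-open rule:", finding)
    print("\n".join(plan_migration(sgs, "us-west-2")))
```

Running the script prints the two wide-open rules of the "web" group for review, then five commands: two create-security-group calls followed by three authorize-security-group-ingress calls, the last of which re-creates the db-from-web group reference by name. Redirect the output to a file and review it, as with create-firewall.sh on the page, before executing it against the target region.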
Point 3) Use centralized governance tools like Dome9, cloudaware, etc. to manage security groups, their changes, and their administration efficiently.
It is recommended to implement one or more of the above points proactively for multi-region setups in AWS, to improve the Recovery Time Objective (RTO) during DR.