AWS CloudFormation - VPC Nested Stack-Security Groups
In this section, I have provided the YAML script for the security groups. The script creates security groups for the following:
a. Web Servers
b. Load Balancer
We shall create the security groups in 2 simple steps.
1. Add the following resource under the Resources section of the Master.yaml that I provided in my previous post, save it, and upload it to the S3 folder we created in the previous post.
  SecurityGroups:
    Type: AWS::CloudFormation::Stack
    Properties:
      TemplateURL: https://mycfstack.s3.amazonaws.com/securitygroups.yaml
      Parameters:
        EnvironmentName: !Ref AWS::StackName
        VPC: !GetAtt VPC.Outputs.VPC
2. The following is the script that creates the security groups. Upload it to the S3 folder we created in the previous post.
A few points to note here:
The security group for the web servers is set to receive traffic only from the Load Balancer.
An inbound rule for port 22 (SSH) is also enabled so that you can interact with the web servers through the CLI; its source range is taken from the SSHLocation parameter.
Internet traffic is opened on the Load Balancer side only for HTTP (port 80). If you want to allow HTTPS traffic (port 443), you can add it to the script below. However, you would need to buy and download the security certificate.
Description: >
  This template contains the security groups required by our entire stack.
  We create them in a separate nested template, so they can be referenced
  by all of the other nested templates.

Parameters:
  EnvironmentName:
    Description: Our environment name will be prefixed to resource names
    Type: String
  VPC:
    Type: AWS::EC2::VPC::Id
    Description: VPC which the security groups should be deployed to
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: '9'
    MaxLength: '18'
    Default: 0.0.0.0/0
    AllowedPattern: '(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})'
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.

Resources:
  # This security group defines who/where is allowed to access the EC2 servers directly.
  # Apart from SSH from the SSHLocation range, we only allow access from the load balancer.
  # If you want to expose non-load-balanced services you can open their ports here.
  #============================================================
  # Security Group for Webservers
  #============================================================
  WSSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to the EC2 Web Servers
      SecurityGroupIngress:
        # SSH from the range given in the SSHLocation parameter
        - IpProtocol: tcp
          FromPort: '22'
          ToPort: '22'
          CidrIp: !Ref SSHLocation
        # Only allow inbound web access to the Web Servers from the ELB
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          SourceSecurityGroupId: !Ref LoadBalancerSecurityGroup
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-WebServers
  #============================================================
  # Security Group for Load Balancer
  #============================================================
  LoadBalancerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: !Ref VPC
      GroupDescription: Access to the load balancer that sits in front of Web Servers
      SecurityGroupIngress:
        # Allow internet traffic to our Web servers on the following port
        - CidrIp: 0.0.0.0/0
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
      Tags:
        - Key: Name
          Value: !Sub ${EnvironmentName}-LoadBalancers

Outputs:
  WSSecurityGroup:
    Description: A reference to the security group for Web Servers
    Value: !Ref WSSecurityGroup
  LoadBalancerSecurityGroup:
    Description: A reference to the security group for load balancers
    Value: !Ref LoadBalancerSecurityGroup
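As an added check, not part of the original post's scripts, the following Python script audits the ingress rules of the template above before it is uploaded. It works on CloudFormation's JSON form of the template (YAML `!Ref X` is `{"Ref": "X"}`), reconstructed here from the template on this page so that it runs with the standard library alone. The audit resolves `!Ref` parameters to their defaults or to the values you would pass at stack creation, and flags any rule that admits 0.0.0.0/0 on anything other than a single port 80 or 443. With the template's defaults it flags the SSH rule, because SSHLocation defaults to 0.0.0.0/0; passing a narrower range such as 203.0.113.10/32 (a constructed documentation address) clears the finding, and a value that does not match the parameter's AllowedPattern is rejected the way CloudFormation would reject it. The `audit` and `resolve` function names are my own.

```python
"""Audit AWS::EC2::SecurityGroup ingress rules in a CloudFormation template (added example)."""
import json
import re

# Constructed from the post's securitygroups.yaml in CloudFormation JSON form;
# only the parts the audit needs are reproduced.
TEMPLATE_JSON = r'''
{
  "Parameters": {
    "EnvironmentName": {"Type": "String"},
    "VPC": {"Type": "AWS::EC2::VPC::Id"},
    "SSHLocation": {
      "Type": "String",
      "Default": "0.0.0.0/0",
      "AllowedPattern": "(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})\\.(\\d{1,3})/(\\d{1,2})"
    }
  },
  "Resources": {
    "WSSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "FromPort": "22", "ToPort": "22", "CidrIp": {"Ref": "SSHLocation"}},
          {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
           "SourceSecurityGroupId": {"Ref": "LoadBalancerSecurityGroup"}}
        ]
      }
    },
    "LoadBalancerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId": {"Ref": "VPC"},
        "SecurityGroupIngress": [
          {"CidrIp": "0.0.0.0/0", "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80}
        ]
      }
    }
  }
}
'''

WORLD = {"0.0.0.0/0", "::/0"}   # "anywhere" source ranges
PUBLIC_OK = {80, 443}           # the only ports a public-facing load balancer should expose


def load_template():
    """Parse the constructed JSON-form template."""
    return json.loads(TEMPLATE_JSON)


def resolve(value, params, overrides):
    """Resolve a literal or a {"Ref": <Parameter>} against the stack's parameter values.

    References to other resources (e.g. a security group id) resolve to None, which the
    audit treats as "scoped to a security group", not to an IP range.
    """
    if isinstance(value, dict) and "Ref" in value:
        name = value["Ref"]
        if name not in params:
            return None
        chosen = overrides.get(name, params[name].get("Default"))
        pattern = params[name].get("AllowedPattern")
        # CloudFormation matches AllowedPattern against the whole value
        if pattern and chosen is not None and not re.fullmatch(pattern, str(chosen)):
            raise ValueError(f"{name}={chosen!r} violates AllowedPattern")
        return chosen
    return value


def audit(template, overrides=None):
    """Return (resource, protocol, from_port, to_port, cidr) for every world-open rule
    that is not a single HTTP/HTTPS listener."""
    overrides = overrides or {}
    params = template.get("Parameters", {})
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::EC2::SecurityGroup":
            continue
        for rule in res["Properties"].get("SecurityGroupIngress", []):
            cidr = resolve(rule.get("CidrIp") or rule.get("CidrIpv6"), params, overrides)
            if cidr not in WORLD:
                continue            # limited to a CIDR or to another security group
            proto = str(rule.get("IpProtocol"))
            lo, hi = int(rule.get("FromPort", -1)), int(rule.get("ToPort", -1))
            all_ports = proto == "-1" or lo == -1 or hi == -1   # "all traffic" rules
            if all_ports or not (lo == hi and lo in PUBLIC_OK):
                findings.append((name, proto, lo, hi, cidr))
    return findings


if __name__ == "__main__":
    tpl = load_template()
    print("with defaults:", audit(tpl))
    # constructed operator address range passed as a stack parameter
    print("with narrowed SSHLocation:", audit(tpl, {"SSHLocation": "203.0.113.10/32"}))
```

The same check applied to the master stack would pass the SSHLocation value down through the nested stack's Parameters block, so a value chosen at stack creation (rather than the 0.0.0.0/0 default) is what actually reaches the security group.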
How to upload and run the script?
- Save the master file as master.yaml and the child scripts as vpc.yml and securitygroups.yaml.
- Create an S3 bucket with a name of your choice (the script uses the name mycfstack; if you choose a different name, update the TemplateURL values in master.yaml accordingly).
- Upload all the scripts to the bucket you created.
- Go to CloudFormation.
- Choose Create New Stack.
- Click Next and provide a stack name. Click Next again and then click the Create stack button.
- Your stack will be executed in less than 5 minutes.
Navigate to the Network section of your AWS console to confirm that the security groups have been created properly.

I hope the above script will be useful to AWS beginners who are working with or practicing CloudFormation. In my next post, I will share the script for creating the Load Balancer and the Web Servers with an Auto Scaling group, along with the execution steps.
Please provide your valuable comments on this article if this is of any help. Kindly share this with your known groups if you like it. Thanks.