I am creating Cloud formation template for security group with ingress rule of over 50 CIDR IPs.
In Parameters, I used Commadelimited list for Multiple CIDR IPs.
Instead of creating seperate values in SecurityGroupIngress for each CIDR IP, Is it possible to include multiple CidrIps in single code.
{
"IpProtocol" : "tcp",
"CidrIp" : "54.183.255.128/26",
"FromPort" : "443",
"ToPort" : "443"
},
{
"IpProtocol" : "tcp",
"CidrIp" : "54.228.16.0/26",
"FromPort" : "443",
"ToPort" : "443"
},
{
"IpProtocol" : "tcp",
"CidrIp" : "54.232.40.64/26",
"FromPort" : "443",
"ToPort" : "443"
},
{
"IpProtocol" : "tcp",
"CidrIp" : "54.241.32.64/26",
"FromPort" : "443",
"ToPort" : "443"
},
Template I want to use like below. But here I can able to get only 1 position CIDR IPs.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "HTTPS - Security Group",
"Parameters": {
"VPC": {
"Type": "AWS::EC2::VPC::Id",
"Description": "VPC where the Security Group will belong"
},
"Name": {
"Type": "String",
"Description": "Name Tag of the Security Group"
},
"DbSubnetIpBlocks": {
"Description": "Comma-delimited list of CIDR blocks",
"Type": "CommaDelimitedList"
}
},
"Resources": {
"MySG": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": {
"Ref": "Description"
},
"VpcId": {
"Ref": "VPC"
},
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": {
"Fn::Select": [
"1",
{
"Ref": "DbSubnetIpBlocks"
}
]
},
"FromPort": "443",
"ToPort": "443"
}
]
}
}
},
"Outputs": {
"SecurityGroupID": {
"Description": "Security Group ID",
"Value": {
"Ref": "MySG"
}
}
>Solution :
Sadly its not possible. One security group (SG) rule applies to only one CIDR range.
There is a limit of 60 rules in a SG, which you can request to be increased.
Although a single SG rule can refer to single CIDR, you can create CloudFormation macro or custom resource to automatically create all these rules for you.