2
votes

I am trying to deploy a Spring Boot application with AWS Elastic Beanstalk. Instead of using the default settings for the environment, I modified something under "VPC". After picking an availability zone and one of the security groups for the VPC, I created the environment.

However, when I looked at the instance details after it was created, I noticed it is tied to two security groups. Other than the one I chose, sg-98c031f3, it has another newly generated security group, sg-72b94919.

Why does it create two security groups for the environment when I selected only one group? Is there a way to remove one of them, since one security group is enough to handle all the rules?

1
You can combine both security group rules into one group and delete the second group. – Haresh Chhelana
@HareshChhelana I will have to take down the instance before deleting the security group, right? – ddd

1 Answer

4
votes

Elastic Beanstalk will always create and utilize one security group that gets attached to the EC2 instance. This group is managed by Elastic Beanstalk and its primary purpose is to allow inbound connections from your load balancer.

(It also has a secondary purpose of allowing inbound SSH connections if you have selected a keypair for your EC2 instances.)

Elastic Beanstalk allows you to select 0 or more additional security groups to attach to your EC2 instances. Note that you do not need to select any security groups if you don't want to. This is so that you can add additional inbound/outbound rules for your EC2 instances without needing to modify the EB-managed one.

Some reasons why you might want to add additional security groups:

  • To allow more inbound ports (for example, RDP)
  • To allow outbound network connections (for example, NTP)
  • To act as sources and targets for other security group rules (for example, allow connections from your selected security group into your RDS instances)
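
To see the split the answer describes on a real instance, the following added example (not part of the original answer) sorts the attached groups into the Elastic Beanstalk-managed one and the ones you selected, and lists each group's inbound rules. It assumes the managed group carries the `elasticbeanstalk:environment-name` tag; the sample data is constructed in the shape of `aws ec2 describe-security-groups` output, with only the two group IDs taken from the question.

```python
import json

# Constructed sample shaped like `aws ec2 describe-security-groups` output.
# Group IDs come from the question; tags, rules, the load balancer group
# placeholder and the CIDR ranges are made up for illustration.
SAMPLE = json.loads("""
{"SecurityGroups": [
  {"GroupId": "sg-72b94919",
   "Tags": [{"Key": "elasticbeanstalk:environment-name", "Value": "example-env"}],
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
      "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-EXAMPLE-LB"}]},
     {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]},
  {"GroupId": "sg-98c031f3",
   "Tags": [],
   "IpPermissions": [
     {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
      "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": []}]}
]}
""")

# Assumption: the group Elastic Beanstalk creates carries this environment tag.
EB_TAG = "elasticbeanstalk:environment-name"

def is_eb_managed(group):
    return any(tag["Key"] == EB_TAG for tag in group.get("Tags", []))

def inbound_rules(group):
    """Flatten inbound permissions into sorted (port, source) pairs."""
    rules = []
    for perm in group.get("IpPermissions", []):
        port = str(perm.get("FromPort", "all"))  # no FromPort means all ports
        sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        sources += [p["GroupId"] for p in perm.get("UserIdGroupPairs", [])]
        rules.extend((port, src) for src in sources)
    return sorted(rules)

def classify(response):
    """Split attached groups into the EB-managed one and the ones you selected."""
    report = {"eb_managed": {}, "user_selected": {}}
    for group in response["SecurityGroups"]:
        key = "eb_managed" if is_eb_managed(group) else "user_selected"
        report[key][group["GroupId"]] = inbound_rules(group)
    return report

if __name__ == "__main__":
    print(json.dumps(classify(SAMPLE), indent=2))
```

Feeding it the real JSON for the groups attached to your instance shows which rules live in the managed group and which in your own, which is what you need to know before consolidating or removing anything.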