Associate security groups with multiple VPCs - Amazon Virtual Private Cloud

Associate security groups with multiple VPCs

If you have workloads running in multiple VPCs that share network security requirements, you can use the Security Group VPC Associations feature to associate a security group with multiple VPCs in the same Region. This enables you to manage and maintain security groups in one place for multiple VPCs in your account.

A diagram of a security group associated with two VPCs.

The diagram above shows Amazon account A with two VPCs in it. Each of the VPCs has workloads running in a private subnet. In this case, workloads in the VPC A and VPC B subnets share the same network traffic requirements, so Account A can use the Security Group VPC Associations feature to associate the security group in VPC A with VPC B. Any updates made to the associated security group are automatically applied to the traffic to workloads in the VPC B subnet.

Requirements of the Security Group VPC Associations feature
  • You must own the VPC or have one of the VPC subnets shared with you to associate a security group with the VPC.

  • The VPC and security group must be in the same Amazon Region.

  • You cannot associate a default security group with another VPC or associate a security group with a default VPC.

  • Both the security group owner and the VPC owner can view the security group VPC associations.

Services that support this feature

  • Amazon API Gateway (REST APIs only)

  • Amazon Auto Scaling

  • Amazon CloudFormation

  • Amazon EC2

  • Amazon EFS

  • Amazon EKS

  • Amazon FSx

  • Amazon PrivateLink

  • Amazon Route 53

  • Elastic Load Balancing

    • Application Load Balancer

    • Network Load Balancer

Associate a security group with another VPC

This section explains how to use the Amazon Web Services Management Console and the Amazon CLI to associate a security group with VPCs.

Amazon Management Console
To associate a security group with another VPC
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the left navigation pane, choose Security groups.

  3. Choose a security group to view the details.

  4. Choose the VPC associations tab.

  5. Choose Associate VPC.

  6. Under VPC ID, choose a VPC to associate with the security group.

  7. Choose Associate VPC.

Command line
To associate a security group with another VPC
  1. Create a VPC association with associate-security-group-vpc.

  2. Check the status of a VPC association with describe-security-group-vpc-associations and wait for the status to be associated.

The VPC is now associated with the security group.

Once you’ve associated the VPC with the security group, you can, for example, launch an instance into the VPC and choose this new security group or reference this security group in an existing security group rule.

Disassociate a security group from another VPC

This section explains how to use the Amazon Web Services Management Console and the Amazon CLI to disassociate a security group from VPCs. You may want to do this if your goal is to delete the security group. Security groups cannot be deleted if they are associated. You can only disassociate a security group if there are no network interfaces in the associated VPC using that security group.

Amazon Management Console
To disassociate a security group from a VPC
  1. Open the Amazon VPC console at https://console.amazonaws.cn/vpc/.

  2. On the left navigation pane, choose Security groups.

  3. Choose a security group to view the details.

  4. Choose the VPC associations tab.

  5. Choose Disassociate VPC.

  6. Under VPC ID, choose a VPC to disassociate from the security group.

  7. Choose Disassociate VPC.

  8. View the Status of the disassociation in the VPC associations tab and wait for the status to be disassociated.

Command line
To disassociate a security group from a VPC
  1. Disassociate a VPC association with disassociate-security-group-vpc.

  2. Check the status of a VPC disassociation with describe-security-group-vpc-associations and wait for the status to be disassociated.

The VPC is now disassociated from the security group.
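
The command-line steps of both procedures above, as an added shell example (not taken from the AWS documentation): it wraps the `aws ec2` subcommands named on this page and polls until the association reaches the expected state, stopping early on a failure state. The function names, return codes, and the `POLL_SECONDS` and `MAX_POLLS` variables are assumptions of this example.

```shell
# Added example. Usage: associate_sg_with_vpc <group-id> <vpc-id>
# POLL_SECONDS, MAX_POLLS, the function names and the return codes are
# choices made for this example, not AWS settings.
POLL_SECONDS="${POLL_SECONDS:-5}"
MAX_POLLS="${MAX_POLLS:-60}"

# Print the association state for security group $1 and VPC $2.
sg_vpc_state() {
  aws ec2 describe-security-group-vpc-associations \
    --filters "Name=group-id,Values=$1" "Name=vpc-id,Values=$2" \
    --query 'SecurityGroupVpcAssociations[0].State' --output text
}

# Poll until the state equals $3.
# Returns 0 on success, 1 on a failure state (for example association-failed),
# 2 on timeout, 3 if the describe call itself fails.
wait_for_sg_vpc_state() {
  _polls=0
  while [ "$_polls" -lt "$MAX_POLLS" ]; do
    _state="$(sg_vpc_state "$1" "$2")" || return 3
    case "$_state" in
      "$3") return 0 ;;
      *-failed) echo "$1/$2: state=$_state" >&2; return 1 ;;
    esac
    _polls=$((_polls + 1))
    sleep "$POLL_SECONDS"
  done
  return 2
}

# Steps 1 and 2 of "Associate a security group with another VPC".
associate_sg_with_vpc() {
  aws ec2 associate-security-group-vpc --group-id "$1" --vpc-id "$2" \
    >/dev/null || return 3
  wait_for_sg_vpc_state "$1" "$2" associated
}

# Steps 1 and 2 of "Disassociate a security group from another VPC".
disassociate_sg_from_vpc() {
  aws ec2 disassociate-security-group-vpc --group-id "$1" --vpc-id "$2" \
    >/dev/null || return 3
  wait_for_sg_vpc_state "$1" "$2" disassociated
}
```

Checking the return code before launching instances with the security group, or before deleting it, keeps automation from acting on an association that is still in progress or has failed.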