After you create an endpoint in a virtual private cloud (VPC), you can add the endpoint to a security group. This way, you can manage the data transfer between the VPC and the endpoint elastic network interface (ENI). Only client traffic that meets the security group rules can be sent to the associated service provided by the service provider over the endpoint. If you no longer need a security group, you can remove the endpoint from the security group.
Prerequisites
An endpoint is created. For more information, see Create and manage endpoints.
At least two security groups are created in the VPC of the endpoint, and the following security group rules are created:
- A default inbound rule that allows Internet Control Message Protocol (ICMP) traffic to support operations such as pinging Elastic Compute Service (ECS) instances.
- A default inbound rule that allows traffic on SSH port 22 and Remote Desktop Protocol (RDP) port 3389 to access ECS instances.
- (Optional) An inbound rule that allows traffic on HTTP port 80 and HTTPS port 443. This rule allows the VPC of the endpoint to access the VPC of the associated endpoint service over HTTP or HTTPS.
For more information, see Create a security group.
Add an endpoint to a security group
By default, you can add an endpoint to up to five security groups.
- Log on to the endpoint console.
- In the top navigation bar, select the region where the endpoint is deployed.
- Click Endpoints in the left-side navigation pane. On the Endpoints page, find the endpoint that you want to manage and click its instance ID.
- On the details page of the endpoint, click the Security Group tab, and click Join Security Group.
- In the Join Security Group dialog box, select a security group and click OK.
Remove an endpoint from a security group
When you remove an endpoint from a security group, make sure that the endpoint remains in at least one security group.
- Log on to the endpoint console.
- In the top navigation bar, select the region where the endpoint is deployed.
- Click Endpoints in the left-side navigation pane. On the Endpoints page, find the endpoint that you want to manage and click its instance ID.
- On the details page of the endpoint, click the Security Group tab, find the security group that you want to manage, and then click Delete in the Actions column.
- In the Remove Security Group message, click OK.
References
AttachSecurityGroupToVpcEndpoint: adds an endpoint to a security group.
DetachSecurityGroupFromVpcEndpoint: removes an endpoint from a security group.
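When you automate these two API calls, the order matters: the endpoint must stay in at least one security group and, by default, in no more than five. The following planner is an added example (not Alibaba Cloud's code) that orders attach and detach calls so that neither limit is violated during the transition; the request parameter names RegionId, EndpointId and SecurityGroupId and all sample IDs are assumptions.

```python
"""Order AttachSecurityGroupToVpcEndpoint / DetachSecurityGroupFromVpcEndpoint
calls so an endpoint never leaves the allowed range of security groups.

Added example, not Alibaba Cloud's own code. The API names are from the page;
the parameter names (RegionId, EndpointId, SecurityGroupId) are assumptions.
"""

MAX_GROUPS = 5   # page: an endpoint can join up to five security groups by default
MIN_GROUPS = 1   # page: the endpoint must remain in at least one security group


def plan_security_group_changes(current, desired, endpoint_id, region_id):
    """Return an ordered list of (api_name, request_params) to move the endpoint
    from its current security groups to the desired set.

    Attaches are preferred first, so the endpoint never drops to zero groups;
    when the cap would be exceeded, a detach is scheduled first instead.
    """
    current = list(dict.fromkeys(current))   # de-duplicate, keep order
    desired = list(dict.fromkeys(desired))
    if not MIN_GROUPS <= len(desired) <= MAX_GROUPS:
        raise ValueError(
            f"desired set must contain {MIN_GROUPS}..{MAX_GROUPS} security groups")

    to_attach = [sg for sg in desired if sg not in current]
    to_detach = [sg for sg in current if sg not in desired]
    attached = list(current)   # simulated state of the endpoint
    calls = []

    def request(api, sg):
        calls.append((api, {"RegionId": region_id,
                            "EndpointId": endpoint_id,
                            "SecurityGroupId": sg}))

    while to_attach or to_detach:
        if to_attach and len(attached) < MAX_GROUPS:
            sg = to_attach.pop(0)
            attached.append(sg)
            request("AttachSecurityGroupToVpcEndpoint", sg)
        elif to_detach and len(attached) > MIN_GROUPS:
            sg = to_detach.pop(0)
            attached.remove(sg)
            request("DetachSecurityGroupFromVpcEndpoint", sg)
        else:   # unreachable for a valid desired set; kept as a safety net
            raise RuntimeError("no step possible without violating group limits")
    return calls
```

For an endpoint that is in exactly one group, swapping it for another yields an attach followed by a detach; for an endpoint already at five groups the same swap yields a detach first.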