Unsupported content: This version of the documentation is no longer supported. However, the documentation is available for your convenience.

Assigning pre-existing AWS security groups to AWS instances


By default, Amazon Web Services (AWS) allows a maximum of five security groups for a service offering instance. Security groups are firewall policies that are applied to provisioned virtual machines. Security groups consist of rules that control inbound and outbound network traffic.

To assign existing security groups to an AWS service offering instance (SOI) through a BMC Cloud Lifecycle Management blueprint, you must configure parameters on the blueprint as described in the following procedure.

Before you begin

Create the security groups on AWS. For more information, see the Amazon Web Services online documentation.

Make sure that a firewall, distributed firewall, or network path is part of the virtual private cloud or the network container blueprint.

Remember the following tips before you begin:

  • Use security groups from virtual private clouds (VPCs) that have already been onboarded in BMC Cloud Lifecycle Management. You will receive an error if you try to use security groups from other VPCs.
  • When a user decommissions a service offering instance that uses security groups, default BMC Cloud Lifecycle Management security groups are deleted from AWS and BMC Cloud Lifecycle Management. Custom security groups that were created on AWS are deleted from BMC Cloud Lifecycle Management, but not deleted from AWS. To summarize, BMC Cloud Lifecycle Management does not manage pre-existing AWS security groups.
  • Rules are not automatically configured by default for security groups created in BMC Cloud Lifecycle Management.
  • Avoid using custom security groups that BMC Cloud Lifecycle Management previously created on AWS.

Limitations

When using AWS security groups, note the following limitations:

  • You can apply security groups only through an AWS instance that is configured in BMC Cloud Lifecycle Management. You cannot apply security groups that are attached to an AWS instance that was not originally onboarded through BMC Cloud Lifecycle Management, even if the compute container is refreshed.
  • As part of post-deploy actions (also called Transaction Requestable Offering, TRO, or Day 2 actions), assignments of security groups are not supported.
  • BMC Cloud Lifecycle Management does not support the association of security groups with names that include a comma (,).
  • Custom security group assignment is not supported in the EC2 classic scenario.

To configure custom global security group parameters in a blueprint

  1. Open the AWS blueprint in the Service Designer of the BMC Cloud Lifecycle Management – Administration Console.
     For more information, see Creating-copying-or-editing-a-service-blueprint.
  2. View the Parameters table:
    • For the global service blueprint, choose Service Properties > Parameters.
    • For the deployment definition, choose Definition > Properties, and click the Parameters tab.
    • For a specific resource set in a blueprint, select the resource set and click Parameters in the edit pane on the right.
    • As an option in a service request, create an optional parameter as described in "To configure optional parameters" in Configuring-end-user-Option-Choices-in-service-blueprints, and skip to step 4.

      Note

      Following is the order of precedence for these parameters (with the first parameter listed below taking the highest precedence):

      1. Options

      2. Resource set

      3. Deployment definitions

      4. Global service blueprint

      Do not specify a security group parameter for a resource set and an option choice. Allowing parameters on both levels of a blueprint is not supported.

  3. Click the plus sign to open the Add Parameter dialog box.
  4. In the Name field, enter securitygroups.
    For a specific resource set, add the resource set name and a colon before securitygroups. For example, if the resource set name is ServerGroup1, enter:

    ServerGroup1:securitygroups

  5. In the Label field, enter a label.
  6. In the Default Value field, enter a comma-separated list of the security groups you want to associate from AWS.
    Enter the names as they appear in AWS.
    By default, AWS allows as many as five security groups per service offering instance. (Your AWS configuration may have different limits based on your requirements.) By default, one security group is automatically created on BMC Cloud Lifecycle Management, so you can add four additional security groups to the Default Value field for a total of five security groups.

    Warning

    If you add more than four groups to the Default Value field, the provisioning will fail due to the limit of five security groups.

  7. (Optional) If you want to include a data source (as described in the “Data sources” section of Configuration-workspace-overview), select the Dropdown check box and, from the Data Source drop-down list, select the data source name that you created on the Data Sources tab on the Configuration workspace.
  8. Click OK.
    For more information about adding parameters to a service blueprint, see Configuring-service-blueprint-parameters.

    Note

    If you want to configure multiple security groups as option choices, make sure that each parameter name contains the securitygroups string (for example, securitygroups1, securitygroups2, abcsecuritygroups, xyzsecuritygroups, and so on).
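
Added example (not BMC code and not part of the original procedure): a pre-flight check that applies the rules on this page to a securitygroups parameter before provisioning. The function name, sample inventory and VPC IDs are constructed; GroupName and VpcId are the field names in the output of aws ec2 describe-security-groups. It assumes names are matched exactly as typed in the Default Value field.

```python
# Added example: pre-flight check for a "securitygroups" blueprint parameter.
# Field names GroupName/VpcId follow `aws ec2 describe-security-groups` output.
AWS_DEFAULT_LIMIT = 5      # groups per instance (AWS default, per this page)
CLM_AUTO_GROUPS = 1        # group that CLM creates automatically


def check_param(name, default_value, aws_groups, onboarded_vpcs):
    """Return a list of problems; an empty list means the value passes."""
    problems = []
    # Optional "<ResourceSet>:" prefix; the rest must contain "securitygroups".
    if "securitygroups" not in name.rpartition(":")[2]:
        problems.append(f"parameter name {name!r} lacks 'securitygroups'")

    requested = default_value.split(",")   # names are compared exactly as typed
    allowed = AWS_DEFAULT_LIMIT - CLM_AUTO_GROUPS
    if len(requested) > allowed:
        problems.append(f"{len(requested)} groups listed, at most {allowed} fit")
    if len(set(requested)) != len(requested):
        problems.append("duplicate group names")

    vpcs_by_name = {}
    for g in aws_groups:
        vpcs_by_name.setdefault(g["GroupName"], set()).add(g["VpcId"])
    for group in dict.fromkeys(requested):          # de-duplicated, in order
        vpcs = vpcs_by_name.get(group)
        if vpcs is None:
            problems.append(f"{group!r} not found in AWS")
        elif not vpcs & set(onboarded_vpcs):
            problems.append(f"{group!r} is only in a VPC that is not onboarded")
    return problems


# Constructed sample data (not from a real account).
SAMPLE_GROUPS = [
    {"GroupName": "web-tier", "VpcId": "vpc-0aaa"},
    {"GroupName": "db-tier", "VpcId": "vpc-0aaa"},
    {"GroupName": "legacy-ssh", "VpcId": "vpc-0bbb"},      # VPC not onboarded
    {"GroupName": "ops,shared", "VpcId": "vpc-0aaa"},      # comma in the name
]
ONBOARDED = ["vpc-0aaa"]

if __name__ == "__main__":
    for value in ("web-tier,db-tier", "web-tier,legacy-ssh", "ops,shared"):
        print(value, "->", check_param("ServerGroup1:securitygroups",
                                       value, SAMPLE_GROUPS, ONBOARDED))
```

The "ops,shared" case shows why a group whose AWS name contains a comma cannot be associated: the comma-separated value splits it into two names that do not exist.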

After an AWS service offering instance is provisioned, you can see the security groups when you click the instances on the Services > EC2 page in Amazon Web Services. The custom groups you added are listed after the default security group. The first security group is the default group that BMC Cloud Lifecycle Management adds automatically. This group is named with the following format:

serviceName_resourceSetName

For example, if the service name is AWS1, and the resource set name is Server Group 1, the default security group would be called AWS1_Server Group 1.

Related topic

Configuring-service-blueprint-parameters
