Tag Archives: VPC

Create VPC Security Groups, Rules, and Tags with PowerShell

Here is some example code which may help you automate security group creation with PowerShell. I wanted to take a look at automating some security group creation tasks today and there wasn’t too much help available via search engines. Maybe this post will help that out a bit.

The minimum amount of IAM permissions needed to accomplish this task will be:
This snippet of PowerShell will:

  • Look up the only VPC in your account, provided your regional defaults are set via Initialize-AWSDefaults or by the EC2 instance you are running this on. This is helpful because some of the PowerShell cmdlets only play nicely with the default VPC, which many people tend to delete.
  • Create a new security group for a load balancer
  • Allow HTTP and HTTPS traffic ingress into the load balancer security group
  • Create a new security group for a web server
  • Allow HTTP from the load balancer to the web server security group
  • Allow SSH from a security group that is looked up by the name “My Bastion Host Security Group” to the web server
  • Name-tag the created security groups
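Here is an added reconstruction of those steps as a working script. It is not the original post's snippet; it assumes the AWS Tools for PowerShell module is loaded and that Initialize-AWSDefaults (or the instance role) has already set credentials and region, and the group names are placeholders.

```powershell
# Added example, not the original post's snippet. Assumes the AWS Tools for PowerShell
# module is loaded and that Initialize-AWSDefaults (or the instance role) has already
# set credentials and region. Group names below are assumed placeholders.

# 1. Look up the only VPC in the account; fail loudly if there is more than one.
$vpcs = @(Get-EC2Vpc)
if ($vpcs.Count -ne 1) { throw "Expected exactly one VPC, found $($vpcs.Count)" }
$vpcId = $vpcs[0].VpcId

# 2. Create the load balancer security group (cmdlet returns the new group ID).
$lbSgId = New-EC2SecurityGroup -GroupName "my-lb-sg" -Description "Load balancer" -VpcId $vpcId

# 3. Allow HTTP and HTTPS from anywhere into the load balancer group only.
$lbRules = @(
    @{ IpProtocol = "tcp"; FromPort = 80;  ToPort = 80;  IpRanges = "0.0.0.0/0" },
    @{ IpProtocol = "tcp"; FromPort = 443; ToPort = 443; IpRanges = "0.0.0.0/0" }
)
Grant-EC2SecurityGroupIngress -GroupId $lbSgId -IpPermission $lbRules

# 4. Create the web server security group.
$webSgId = New-EC2SecurityGroup -GroupName "my-web-sg" -Description "Web servers" -VpcId $vpcId

# 5. HTTP into the web group is allowed only from the load balancer group,
#    so the source is a security group reference rather than a CIDR.
$fromLb = New-Object Amazon.EC2.Model.UserIdGroupPair
$fromLb.GroupId = $lbSgId

# 6. Look up the bastion group by name, scoped to this VPC, and allow SSH from it.
$bastion = @(Get-EC2SecurityGroup -Filter @(
    @{ Name = "group-name"; Values = "My Bastion Host Security Group" },
    @{ Name = "vpc-id";     Values = $vpcId }))
if ($bastion.Count -ne 1) { throw "Bastion security group not found or ambiguous" }
$fromBastion = New-Object Amazon.EC2.Model.UserIdGroupPair
$fromBastion.GroupId = $bastion[0].GroupId

$webRules = @(
    @{ IpProtocol = "tcp"; FromPort = 80; ToPort = 80; UserIdGroupPairs = $fromLb },
    @{ IpProtocol = "tcp"; FromPort = 22; ToPort = 22; UserIdGroupPairs = $fromBastion }
)
Grant-EC2SecurityGroupIngress -GroupId $webSgId -IpPermission $webRules

# 7. Name-tag both groups so they are identifiable in the console.
New-EC2Tag -Resource $lbSgId  -Tag @{ Key = "Name"; Value = "my-lb-sg" }
New-EC2Tag -Resource $webSgId -Tag @{ Key = "Name"; Value = "my-web-sg" }
```

Because the web group's rules reference security group IDs rather than addresses, the web servers accept traffic only from whatever is currently in the load balancer and bastion groups, which is the least-privilege layout the post describes.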

Internally route to RDS instances

I was configuring a MySQL RDS instance inside a VPC a few months back with a bit of a unique setup. This RDS instance needed to be publicly accessible from some systems outside the corporate network and also accessible via systems in the same VPC.

I configured the RDS instance in a new public subnet and gave it an elastic IP by choosing the option for Publicly Accessible during RDS creation. I changed the security groups to allow it to accept MySQL traffic from the public IP of the system outside the corporate network. I also changed the security group to allow MySQL traffic from members of another security group containing the servers I wanted to interface with the RDS instance.

To my surprise, I had no connectivity between the internal VPC systems and the RDS instance. Telnet tests to port 3306 confirmed the traffic was being blocked. After some name resolution troubleshooting, I discovered that if I allowed MySQL traffic through the NAT security group and allowed MySQL traffic from the public IP of my AWS NAT instance into the RDS instance, I had connectivity.

The systems in the VPC were resolving the public IPs of the RDS instance and not the internal IPs provided via the VPC. After some digging into the documentation I discovered this was a result of us bringing our own DNS into the VPC with Active Directory.

The solution was to create a conditional forwarder zone on the domain controllers located in the VPC to forward name resolution requests for amazonaws.com to the DNS server provided by the VPC. The DNS server provided with the VPC is located on the bottommost subnet of the VPC. So if your VPC CIDR block was and your subnets were your Amazon-provided DNS server would be at

This DNS server is used by your default DHCP option set, and it cannot be accessed from systems outside your VPC. So if you have the same Active Directory domain on premises and in AWS, you will not want this conditional forwarder zone on your on-premises domain controllers.

With the conditional forwarder in place, requests from VPC domain-joined systems now resolved to the internal IPs of the RDS instance, and traffic no longer needed to route out to the internet via the NAT instance.