Configuring Amazon EC2 security groups and instance types using the AWS CLI
You can use the AWS Command Line Interface (AWS CLI) to configure the Amazon EC2 instances in your Elastic Beanstalk environments.
Configuring EC2 security groups using the AWS CLI
This topic provides examples for different EC2 security group configurations for both single-instance and load balanced (multi-instance) environments. For more information about the options in these examples, see aws:autoscaling:launchconfiguration.
Notes
The create environment operation provides an EC2 security group by default. It also creates an environment with an application load balancer by default.
The update environment operation can be used to either disable or enable the default EC2 security group for your environment with the boolean option DisableDefaultEC2SecurityGroup. Example 5 shows how to set your environment back to the default security configuration if you had previously modified it.
The following examples show a create-environment command opting out of the default EC2 security group and providing custom security groups instead. Since the DisableDefaultEC2SecurityGroup option is set to true, the default EC2 security group that Elastic Beanstalk normally associates to the EC2 instances is not created. Therefore, you must provide other security groups with the SecurityGroups option.
Note that the aws:elasticbeanstalk:environment EnvironmentType option is set to SingleInstance. To create a single instance environment, you must specify this option, because LoadBalanced is the default EnvironmentType. Since this environment does not include a load balancer, we don't need to specify a load balancer security group.
Example 1 — New single-instance environment with custom EC2 security groups (namespace options inline)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2023 v6.5.0 running Node.js 22" \
  --option-settings \
    Namespace=aws:elasticbeanstalk:environment,OptionName=EnvironmentType,Value=SingleInstance \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=DisableDefaultEC2SecurityGroup,Value=true \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=SecurityGroups,Value=sg-abcdef01,sg-abcdef02 \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=EC2KeyName,Value=my-keypair
As an alternative, use an options.json file to specify the namespace options instead of including them inline.
Example 2 — New single-instance environment with custom EC2 security groups (namespace options in options.json file)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2023 v6.5.0 running Node.js 22" \
  --option-settings file://options.json
### example options.json ###
[
  {
    "Namespace": "aws:elasticbeanstalk:environment",
    "OptionName": "EnvironmentType",
    "Value": "SingleInstance"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "IamInstanceProfile",
    "Value": "aws-elasticbeanstalk-ec2-role"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "DisableDefaultEC2SecurityGroup",
    "Value": "true"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdef01, sg-abcdef02"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "EC2KeyName",
    "Value": "my-keypair"
  }
]
The following example creates a load-balanced environment. It specifies the aws:elasticbeanstalk:environment namespace option LoadBalancerType set to application. Since we're disabling the default EC2 security group with the DisableDefaultEC2SecurityGroup option, we need to provide our own custom security groups for the EC2 instances again, with the aws:autoscaling:launchconfiguration SecurityGroups option, like the previous example. Since this environment has a load balancer to route traffic, we must provide security groups for the load balancer as well.
To create an environment with a classic load balancer, but otherwise the same configuration, update the configuration for the aws:elasticbeanstalk:environment namespace option LoadBalancerType to classic.
The different load balancer types have different namespaces that hold the options to specify the security groups:
- application load balancer – aws:elbv2:loadbalancer SecurityGroups option
- classic load balancer – aws:elb:loadbalancer SecurityGroups option
- network load balancer – since network load balancers do not have security groups, configure the EC2 security groups with VPC identifiers. For more information, see Update the security groups for your Network Load Balancer in the User Guide for Network Load Balancers.
Example 3 — New multi-instance environment with custom EC2 security groups (namespace options in options.json file)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2023 v6.5.0 running Node.js 22" \
  --option-settings file://options.json
### example options.json ###
[
  {
    "Namespace": "aws:elasticbeanstalk:environment",
    "OptionName": "EnvironmentType",
    "Value": "LoadBalanced"
  },
  {
    "Namespace": "aws:elasticbeanstalk:environment",
    "OptionName": "LoadBalancerType",
    "Value": "application"
  },
  {
    "Namespace": "aws:elbv2:loadbalancer",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdefghikl012345"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "IamInstanceProfile",
    "Value": "aws-elasticbeanstalk-ec2-role"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "DisableDefaultEC2SecurityGroup",
    "Value": "true"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdef01, sg-abcdef02"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "EC2KeyName",
    "Value": "my-keypair"
  }
]
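The rules in Examples 1 through 3 can be checked before an options.json file is passed to create-environment. The following Python check is an added example, not part of the AWS documentation: the names check_security_groups and option and the sample inputs are constructed for illustration, and it assumes the file is meant for create-environment, so the defaults described on this page (LoadBalanced, application load balancer) apply when an option is absent.

```python
import json

LC = "aws:autoscaling:launchconfiguration"
ENV = "aws:elasticbeanstalk:environment"
# Namespace holding the load balancer's SecurityGroups option, per LoadBalancerType.
LB_NAMESPACE = {"application": "aws:elbv2:loadbalancer", "classic": "aws:elb:loadbalancer"}


def check_security_groups(options_json):
    """Return the problems found in a create-environment options.json (hypothetical helper)."""
    opts = {(o["Namespace"], o["OptionName"]): str(o["Value"]) for o in json.loads(options_json)}

    def groups(namespace):
        raw = opts.get((namespace, "SecurityGroups"), "")
        return [g.strip() for g in raw.split(",") if g.strip()]

    problems = []
    disabled = opts.get((LC, "DisableDefaultEC2SecurityGroup"), "false").strip().lower() == "true"
    # With the default group disabled, the instances need explicit groups.
    if disabled and not groups(LC):
        problems.append(f"default EC2 security group disabled, but no SecurityGroups in {LC}")
    # create-environment defaults: LoadBalanced with an application load balancer.
    env_type = opts.get((ENV, "EnvironmentType"), "LoadBalanced")
    lb_type = opts.get((ENV, "LoadBalancerType"), "application")
    balanced = env_type == "LoadBalanced"
    if disabled and balanced and lb_type in LB_NAMESPACE and not groups(LB_NAMESPACE[lb_type]):
        problems.append(f"{lb_type} load balancer needs SecurityGroups in {LB_NAMESPACE[lb_type]}")
    # Groups placed in a namespace the environment's load balancer does not read.
    for kind, namespace in LB_NAMESPACE.items():
        if groups(namespace) and not (balanced and lb_type == kind):
            problems.append(f"SecurityGroups set in {namespace}, but there is no {kind} load balancer")
    return problems


def option(namespace, name, value):
    return {"Namespace": namespace, "OptionName": name, "Value": value}

# Constructed inputs using the page's placeholder IDs.
SINGLE_INSTANCE = json.dumps([
    option(ENV, "EnvironmentType", "SingleInstance"),
    option(LC, "DisableDefaultEC2SecurityGroup", "true"),
    option(LC, "SecurityGroups", "sg-abcdef01, sg-abcdef02"),
])
WRONG_NAMESPACE = json.dumps([  # application load balancer by default, groups under classic
    option(LC, "DisableDefaultEC2SecurityGroup", "true"),
    option(LC, "SecurityGroups", "sg-abcdef01, sg-abcdef02"),
    option("aws:elb:loadbalancer", "SecurityGroups", "sg-abcdefghikl012345"),
])

if __name__ == "__main__":
    for name, doc in (("single-instance", SINGLE_INSTANCE), ("wrong namespace", WRONG_NAMESPACE)):
        print(name, check_security_groups(doc) or "ok")
```

The second sample is reported twice: the application load balancer has no groups in aws:elbv2:loadbalancer, and the groups under aws:elb:loadbalancer belong to a classic load balancer the environment does not have.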
You can disable the default EC2 security group for an existing environment with the update-environment command. The following example command disables the default EC2 security group and assigns the environment's EC2 instances custom EC2 security groups.
Use the example options.json files in examples 4(a), 4(b), or 4(c), depending on whether the environment is load balanced and the type of load balancer. Configuration file 4(a) specifies the security groups for a single-instance environment. Since it doesn't require a load balancer, we only provide the security group for the EC2 instances. Configuration files 4(b) and 4(c) specify the security groups for an application load balancer and a classic load balancer. For these cases we also need to specify security groups for the load balancer.
Example 4 — Update an existing environment to disable default EC2 security group (namespace options in options.json file)
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2023 v6.5.0 running Node.js 22" \
  --option-settings file://options.json
Example 4(a) — Configuration file for single-instance environment (no load balancer)
### example options.json ###
[
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "DisableDefaultEC2SecurityGroup",
    "Value": "true"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdef01, sg-abcdef02"
  }
]
To update an environment that uses an application load balancer, use the aws:elbv2:loadbalancer namespace to specify the security groups for the load balancer.
Example 4(b) — Configuration file for environment with an application load balancer
### example options.json ###
[
  {
    "Namespace": "aws:elbv2:loadbalancer",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdefghikl012345"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "DisableDefaultEC2SecurityGroup",
    "Value": "true"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdef01, sg-abcdef02"
  }
]
To update an environment that uses a classic load balancer, use the aws:elb:loadbalancer namespace to specify the security groups for the load balancer.
Example 4(c) — Configuration file for environment with a classic load balancer
### example options.json ###
[
  {
    "Namespace": "aws:elb:loadbalancer",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdefghikl012345"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "DisableDefaultEC2SecurityGroup",
    "Value": "true"
  },
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "SecurityGroups",
    "Value": "sg-abcdef01, sg-abcdef02"
  }
]
To return your environment to the default behavior and configuration with the default security group that Elastic Beanstalk assigns, use the update-environment command to set the DisableDefaultEC2SecurityGroup option to false. For a multi-instance environment, Elastic Beanstalk also handles the security groups and network traffic rules for your environment's load balancer.
The following example applies to either a single-instance or a multi-instance (load balanced) environment:
Example 5 — Update an environment back to using the default security group (namespace options in options.json file)
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2023 v6.5.0 running Node.js 22" \
  --option-settings file://options.json
### example options.json ###
[
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "DisableDefaultEC2SecurityGroup",
    "Value": "false"
  }
]
Configuring EC2 with instance types using the AWS CLI
This topic provides examples for configuring the instance types of the EC2 instances in your environment.
The first two examples create a new environment. The command specifies an Amazon EC2 instance type, t4g.small, that's based on arm64 processor architecture. Elastic Beanstalk defaults the Image ID (AMI) for the EC2 instances based on the Region, platform version and instance type. The instance type corresponds to a processor architecture. The solution-stack-name parameter applies to platform version.
Example 1 — create a new arm64 based environment (namespace options inline)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2 v3.4.7 running Docker" \
  --option-settings \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role \
    Namespace=aws:ec2:instances,OptionName=InstanceTypes,Value=t4g.small
As an alternative, use an options.json file to specify the namespace options instead of including them inline.
Example 2 — create a new arm64 based environment (namespace options in options.json file)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2 v3.4.7 running Docker" \
  --option-settings file://options.json
### example options.json ###
[
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "IamInstanceProfile",
    "Value": "aws-elasticbeanstalk-ec2-role"
  },
  {
    "Namespace": "aws:ec2:instances",
    "OptionName": "InstanceTypes",
    "Value": "t4g.small"
  }
]
The next two examples update the configuration for an existing environment with the update-environment command. In these examples we're adding another instance type that's also based on arm64 processor architecture. For existing environments, all instance types that are added must have the same processor architecture. You can replace the existing instance types with those from a different architecture, but make sure that all of the instance types in the command have the same type of architecture.
Example 3 — update an existing arm64 based environment (namespace options inline)
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2 v3.4.7 running Docker" \
  --option-settings \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role \
    Namespace=aws:ec2:instances,OptionName=InstanceTypes,Value=t4g.small,t4g.micro
As an alternative, use an options.json file to specify the namespace options instead of including them inline.
Example 4 — update an existing arm64 based environment (namespace options in options.json file)
aws elasticbeanstalk update-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2 v3.4.7 running Docker" \
  --option-settings file://options.json
### example options.json ###
[
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "IamInstanceProfile",
    "Value": "aws-elasticbeanstalk-ec2-role"
  },
  {
    "Namespace": "aws:ec2:instances",
    "OptionName": "InstanceTypes",
    "Value": "t4g.small, t4g.micro"
  }
]
The next two examples show more create-environment commands. These examples don't provide values for InstanceTypes. When InstanceTypes values aren't specified, Elastic Beanstalk defaults to x86 based processor architecture. The Image ID (AMI) for the environment's EC2 instances will default according to the Region, platform version and defaulted instance type. The instance type corresponds to a processor architecture.
Example 5 — create a new x86 based environment (namespace options inline)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2 v3.4.7 running Docker" \
  --option-settings \
    Namespace=aws:autoscaling:launchconfiguration,OptionName=IamInstanceProfile,Value=aws-elasticbeanstalk-ec2-role
As an alternative, use an options.json file to specify the namespace options instead of including them inline.
Example 6 — create a new x86 based environment (namespace options in options.json file)
aws elasticbeanstalk create-environment \
  --region us-east-1 \
  --application-name my-app \
  --environment-name my-env \
  --solution-stack-name "64bit Amazon Linux 2 v3.4.7 running Docker" \
  --option-settings file://options.json
### example options.json ###
[
  {
    "Namespace": "aws:autoscaling:launchconfiguration",
    "OptionName": "IamInstanceProfile",
    "Value": "aws-elasticbeanstalk-ec2-role"
  }
]