Security Groups


UFO creates and manages two security groups. One for the ELB and one for the ECS tasks. Here are some considerations for these security groups:

  • Network load balancers do not support security groups. So an ELB security group is only created if the load balancer is an Application load balancer.
  • The ECS security group tasks only created if network_mode is awsvpc. Security groups can only be associated with ECS tasks when network mode is awsvpc. So there’s no point in creating an ECS security for bridge mode.
  • In bridge network mode the EC2 container instance’s Ethernet card and its security group is used. The EC2 containers group security group is outside the control of ufo. You’ll need to configure the security group appropriately yourself. Usually, a security group inbound rule that allows port 49153-65535 to the VPC CDIR range is good. Also see: Debugging Unhealthy Targets.
  • UFO will only assign the ECS security group when awsvpc node mode is used, and ufo has control of the security group.

Using Existing Security Groups

You can tell UFO to use existing security groups. Here’s an example that shows how to set security groups to override on an env-role scoped basis.


Ufo.configure do |config|
  config.vpc.security_groups.ecs = ["sg-111"]
  config.vpc.security_groups.elb = ["sg-111"]

Security Groups managed by UFO are, in a sense, transient. If you delete the CloudFormation stack created by UFO, and recreate the stack entirely. Any manual changes to the security groups are lost. You can precreate security groups and configure UFO to use them. So then you won’t lose any manual changes. More docs: Security Groups


The table below covers each setting. Each option is configured in .ufo/config.rb with config.OPTION. The config. portion is not shown for conciseness. IE: logger.level vs config.logger.level.

Name Default Description nil Used to create ecs and elb security groups in the CloudFormation template.
vpc.subnets.ecs nil The subnets the ECS Container Instances are on. So this is where you want your containers to run.
vpc.subnets.elb nil Subnets used by the ELB load balancer. Defaults to same subnets as ECS subnets when not set.
vpc.security_groups.ecs nil Additional security groups to associate with the ECS tasks.
vpc.security_groups.elb nil Additional security groups to associate with the ELB.

See Full Config Reference