A security group must be applied to the OneFS cluster's external network interfaces.
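# Template: create the external security group. Replace every <placeholder> with
# the value for your deployment (VPC id, cluster name, region).
# The --description value must use straight ASCII double quotes: the curly quotes
# that some document renderers insert are not recognised by the shell and are passed
# to the CLI as literal characters, so the command fails or the description is garbled.
aws ec2 create-security-group --vpc-id <aws_vpc_id> --group-name <cluster_name>-external-sg --region <aws_region> --tag-specifications "ResourceType=security-group,Tags=[{Key=cluster-name,Value=<cluster_name>}]" --description "External security group for OneFS cluster <cluster_name>"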
The following example creates the external security group. Record the GroupId from the output; the ingress rules below need it.
# Example invocation; the leading "> " is the shell prompt, not part of the command.
> aws ec2 create-security-group --vpc-id vpc-06639db65d7446720 --group-name vonefs-cfv-external-sg --region us-east-1 --tag-specifications "ResourceType=security-group,Tags=[{Key=cluster-name,Value=vonefs-cfv}]" --description "External security group for OneFS cluster vonefs-cfv"
Command output example:
{
"GroupId": "sg-0f43cc7cb8a51cff1",
"Tags": [
{
"Key": "cluster-name",
"Value": "vonefs-cfv"
}
]
}
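#!/usr/bin/env bash
#######################################
# Add the inbound rules to the OneFS external security group.
#
# Replaces the per-port one-liners in the guide with one script so that the
# group id, region and source range are given once instead of being repeated
# (and so that two commands can no longer be pasted onto the same line, which
# the guide's listing had at the ICMP/SSH rules).
#
# Environment:
#   SG_ID       (required) GroupId printed by create-security-group,
#                          e.g. sg-0f43cc7cb8a51cff1 in the guide's example.
#   GATEWAY_IP  (required) gateway address; only it may reach UDP/67.
#   AWS_REGION  (optional) defaults to us-east-1, the region used in the guide.
#   CLIENT_CIDR (optional) source range for the client-facing rules.
#                          Defaults to 0.0.0.0/0 to match the guide's example,
#                          which admits every source that can route to the
#                          interfaces (SSH, SMB, NFS, S3 and the management
#                          port included). For a real deployment set it to the
#                          client subnet or VPC range.
# Outputs: the JSON the AWS CLI prints for each authorized rule.
# Returns: non-zero as soon as one authorize call fails (set -e).
#######################################
set -euo pipefail

sg_id=${SG_ID:?set SG_ID to the GroupId returned by create-security-group}
gateway_ip=${GATEWAY_IP:?set GATEWAY_IP to the gateway address for the UDP/67 rule}
region=${AWS_REGION:-us-east-1}
client_cidr=${CLIENT_CIDR:-0.0.0.0/0}

#######################################
# Authorize one inbound rule on the external security group.
# Arguments: $1 - protocol (tcp, udp, icmp)
#            $2 - port, port range, or ICMP type-code pair as the CLI expects it
#            $3 - source CIDR
#######################################
authorize() {
  local proto=$1 port=$2 cidr=$3
  aws ec2 authorize-security-group-ingress \
    --group-id "$sg_id" \
    --cidr "$cidr" \
    --port "$port" \
    --protocol "$proto" \
    --region "$region"
}

# DHCP from the gateway only (host route, never the client range).
authorize udp 67 "${gateway_ip}/32"

# Client-facing rules, one "protocol port" pair per entry. The ICMP entry is
# type 3 code 4 (destination unreachable / fragmentation needed), which the
# CLI encodes as --port 3-4.
rules=(
  "icmp 3-4"
  "tcp 22"
  "tcp 53"
  "udp 53"
  "tcp 111"
  "udp 111"
  "tcp 135"
  "udp 135"
  "tcp 300"
  "udp 300"
  "tcp 302"
  "udp 302"
  "tcp 304"
  "udp 304"
  "tcp 305"
  "udp 305"
  "tcp 443"
  "tcp 445"
  "tcp 2049"
  "tcp 8080"
  "tcp 9020"
  "tcp 9021"
)

for rule in "${rules[@]}"; do
  read -r proto port <<<"$rule"
  authorize "$proto" "$port" "$client_cidr"
done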