If you look at the default VPC in your AWS account, you'll notice there's also a default Security Group. It includes an inbound rule that allows all traffic from itself, a self-referencing rule. This means that any resources with this Security Group attached would be able to communicate with each other over the allowed protocols and ports.
<img src="https://assets.benellis.cloud/images/selfrefsecgroup/DefaultSecurityGroup.jpg" alt class="image--center mx-auto" />
It wasn't immediately obvious to me how to accomplish this via the CDK. It turns out, it's pretty simple. The first argument of the <code>addIngressRule()</code> method on the <code>SecurityGroup</code> takes an <code>IPeer</code>. <code>SecurityGroup</code> implements <code>IPeer</code>, so it is as simple as passing itself in as the first argument.
<pre><code class="lang-typescript">const selfRefSg = new SecurityGroup(this, "SelfRefSg", {
 vpc,
 allowAllOutbound: true,
})

selfRefSg.addIngressRule(
 selfRefSg,
 Port.allTraffic(),
 "allow local VPC traffic",
)
</code></pre>
After running a <code>cdk deploy</code>:
<img src="https://assets.benellis.cloud/images/selfrefsecgroup/SelfRefRule.png" alt class="image--center mx-auto" />
For a full example, check out the <a target="_blank" href="https://github.com/benb1n/SelfRefSecurityGroupsCDK">GitHub repo</a> I put together.

If you look at the default VPC in your AWS account, you'll notice there's also a default Security Group. It includes an inbound rule that allows all traffic from itself, a self-referencing rule. This means that any resources with this Security Group attached would be able to communicate with each other over the allowed protocols and ports.

![](https://assets.benellis.cloud/images/selfrefsecgroup/DefaultSecurityGroup.jpg align="center")

It wasn't immediately obvious to me how to accomplish this via the CDK. It turns out, it's pretty simple. The first argument of the `addIngressRule()` method on the `SecurityGroup` takes an `IPeer`. `SecurityGroup` implements `IPeer`, so it is as simple as passing itself in as the first argument.

```typescript
const selfRefSg = new SecurityGroup(this, "SelfRefSg", {
  vpc,
  allowAllOutbound: true,
})

selfRefSg.addIngressRule(
  selfRefSg,
  Port.allTraffic(),
  "allow local VPC traffic",
)
```

After running a `cdk deploy`:

![](https://assets.benellis.cloud/images/selfrefsecgroup/SelfRefRule.png align="center")

For a full example, check out the [GitHub repo](https://github.com/benb1n/SelfRefSecurityGroupsCDK) I put together.

A quick walk-through of creating a self-referencing Security Group rule in your VPC via the AWS CDK

How to Add a Self-Referencing Security Group Rule via the AWS CDK

I’m a software engineer turned cloud architect who is passionate about building right-sized, scalable solutions using the best of the cloud.


Ben Ellis on Cloud Development

Ben Ellis on Cloud Development

How to Add a Self-Referencing Security Group Rule via the AWS CDK