AWS Bootstrap with predefined Security Group


Is there a workaround to telling Juju to use a predefined security group on an AWS bootstrap? Due to permissions constraints/etc. our automation needs to work with predefined security groups that are made manually.

Something like:

juju bootstrap --config vpc-id-force=true --config vpc-id=vpc-for-juju --to "subnet=subnet-for-juju" --constraints "security-group-ids=sgs-for-juju" aws

… would be ideal, but this is not the case.

Is there a workaround for this? Is there a manner to request the above? I believe this would be helpful for those working in constricted environments.



This is not possible at present.

Juju sets up:

  • A model-level security group, named juju-<model UUID>-global for all Juju-related traffic
  • A security group for each machine, named juju-<model UUID>-<machine ID>, which is recognised by Juju’s firewaller and used to expose applications.
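One way to see what those two groups actually admit, as an added example that is not from this thread or from Juju itself: it reads the JSON shape returned by `aws ec2 describe-security-groups`, picks out the groups named for a given model UUID, and reports any ingress rule open to 0.0.0.0/0 or ::/0. The model UUID and the sample response below are constructed.

```python
"""Audit the security groups Juju creates for a model (added, constructed example).
Juju names them juju-<model UUID>-global and juju-<model UUID>-<machine ID>.
Input is the JSON shape of `aws ec2 describe-security-groups`; output is which
of the model's groups admit ingress from anywhere, and on which ports."""
import re

WORLD = {"0.0.0.0/0", "::/0"}  # IPv4 / IPv6 "anywhere"


def juju_groups(response, model_uuid):
    """Return {group name: group dict} for groups Juju created for this model."""
    pattern = re.compile(rf"^juju-{re.escape(model_uuid)}-(global|\d+)$")
    return {sg["GroupName"]: sg for sg in response["SecurityGroups"]
            if pattern.match(sg["GroupName"])}


def world_open_rules(sg):
    """List (protocol, from_port, to_port, cidr) for ingress rules open to the world."""
    found = []
    for perm in sg.get("IpPermissions", []):
        cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
        cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
        for cidr in cidrs:
            if cidr in WORLD:  # protocol "-1" means all protocols; ports are then absent
                found.append((perm["IpProtocol"], perm.get("FromPort"),
                              perm.get("ToPort"), cidr))
    return found


def audit(response, model_uuid):
    """Map each of the model's Juju groups to its world-open ingress rules."""
    return {name: world_open_rules(sg)
            for name, sg in juju_groups(response, model_uuid).items()}


# Constructed sample in the describe-security-groups shape; not real account data.
MODEL = "11111111-2222-3333-4444-555555555555"
SAMPLE = {"SecurityGroups": [
    {"GroupName": f"juju-{MODEL}-global", "GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-0aaa"}]}]},
    {"GroupName": f"juju-{MODEL}-0", "GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}]}]},
    {"GroupName": "default", "GroupId": "sg-0ccc", "IpPermissions": []}]}

if __name__ == "__main__":
    print(audit(SAMPLE, MODEL))
```

Against a real account, feed it `aws ec2 describe-security-groups --filters Name=group-name,Values='juju-<model UUID>-*'` and the model UUID from `juju show-model`.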

@manadart I am just starting to use AWS with Juju for the first time… if I were super paranoid about security and wanted to lock down or start with a more hardened VPC… does that security group you mentioned start as restricted JUST to what it needs to talk to the Juju controller and grab resources like apt install, npm install etc…? Or is everything pretty wide open and I should craft my own VPC for prod which is restricted from the jump… and Juju will handle what it needs to do to install…


I did some googling and found what looks to be a terrific primer on AWS VPCs and basic networking from 10K ft… so I plan next to create a Development and a Production VPC… each will look sort of like this diagram

What I am researching next is… how do I constrain some of my machines to one subnet… and another set of machines to the other subnet? Guessing I utilize Juju spaces somehow… so researching that now.