To create a security group for instances in your private subnet, follow these steps:
- From within the EC2 console, select Security Group on the menu on the left and select the blue Create Security Group button.
- Configure the security group as shown here:
- For the first and second rules, use the private IP address of your NAT gateway. For the third rule, use the security group ID of the Public_Security_Group security group you created in the previous step.
- Leave the outbound rules as the default and select Create.
This security group allows HTTP and HTTPS inbound from the NAT gateway. This will allow any instances in the private subnet to be able to update their operating system (once a route has been provisioned). This security group also allows all TCP traffic from Public_Security_Group.
Now our security groups are configured, we can create our EC2 instances and associate these security groups with our instances.