> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Security groups in AWS

> Instructions for creating and configuring AWS security groups for VAP access.

In AWS, a security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. As VirtuCrypt processes secure information, we recommend creating a new security group to assign to the VAP. To create a new security group, perform the following steps:

<Steps>
  <Step>
    Go to the **Network & Security** section in the left-side menu of the AWS Console and select **Security Groups**.
  </Step>

  <Step>
    Select **\[ Create security group ]**.
  </Step>

  <Step>
    Fill in the requested fields. The drop-down list for **VPC** displays your organization's internal VPCs. The VPC you select connects to the VAP.
  </Step>

  <Step>
    Add an **Inbound rule** to the security group by selecting **\[ Add rule ]**.

    Security groups allow you to enforce rules with a high degree of granularity.

    Proceed with one of the following options, depending on your organization's security requirements.

    * **Option A**: Referencing the following example, create an inbound rule:
      * Select **All traffic** from the type drop-down list.
      * The protocol and port range default to **All**.
      * The custom IP is VPC subnets for your organization (we recommend a minimum of three), as created earlier in the guide.

    <Frame caption="Create a Security Group - Option A">
      <img src="https://mintcdn.com/futurex-a224dff3/gi2ge3enxbvcbz2E/images/VirtuCrypt_Integrations/create_a_security_group_option_a.png?fit=max&auto=format&n=gi2ge3enxbvcbz2E&q=85&s=c7da84788728cfe031bf579e7e911e44" alt="Create a Security Group - Option A" width="1451" height="290" data-path="images/VirtuCrypt_Integrations/create_a_security_group_option_a.png" />
    </Frame>

    * **Option B**: This choice is more granular, and therefore, more secure, because it also includes custom port ranges that Futurex provides. Referencing the following example, create an inbound rule.
      * Select **Custom TCP** from the **Type** drop-down list.
      * The protocol defaults to TCP.
      * Futurex creates the port range, and your Futurex representative share it in an email.
      * The custom IP address is one of the VPC subnets for your organization, created earlier in the guide. The difference from Option A is that you must create separate rules for each subnet instead of including all thrree subnets in one rule.

    <Frame caption="Creating a Security Group - Option B">
      <img src="https://mintcdn.com/futurex-a224dff3/gi2ge3enxbvcbz2E/images/VirtuCrypt_Integrations/creating_a_security_group_option_b.png?fit=max&auto=format&n=gi2ge3enxbvcbz2E&q=85&s=c0f3d9ad03dbd5198e4b0fe4feebc52b" alt="Creating a Security Group - Option B" width="1471" height="366" data-path="images/VirtuCrypt_Integrations/creating_a_security_group_option_b.png" />
    </Frame>
  </Step>

  <Step>
    The **Outbound rules** l default to allow all traffic. You can customize or adjust the outbound rule per your organizational policies.
  </Step>

  <Step>
    (Optional) Add tags to the security group.
  </Step>

  <Step>
    Select\*\*\[ Create security group ]\*\*.
  </Step>

  <Step>
    Return to the **VPC** service and go to the **Endpoints** menu.
  </Step>

  <Step>
    Select your newly created endpoint so that it is highlighted in blue. Go to the **Security Groups** tab, and select **\[ Edit Security Groups ]**.
  </Step>

  <Step>
    You can add to or replace the security group associated with the endpoint from the search bar.

    <Note>
      You can associate multiple security groups with a single endpoint.
    </Note>

    After you finish making changes to the security group(s), select **\[ Save ]**.
  </Step>
</Steps>