AWS Security ChangesHomeSearch

AWS network-manager documentation change

Service: network-manager · 2025-06-13 · Documentation low

File: network-manager/latest/cloudwan/cloudwan-vpc-attachment.md

Summary

Added documentation for DNS support and security group referencing features in Cloud WAN, including configuration details, capabilities, and limitations.

Security assessment

The changes document security-related features (security group referencing) but do not address a specific security vulnerability. The additions explain how to use security group rules with cross-VPC references, which improves security management but does not indicate a resolved security issue.

Diff

diff --git a/network-manager/latest/cloudwan/cloudwan-vpc-attachment.md b/network-manager/latest/cloudwan/cloudwan-vpc-attachment.md
index b74f434cb..af0380cd1 100644
--- a//network-manager/latest/cloudwan/cloudwan-vpc-attachment.md
+++ b//network-manager/latest/cloudwan/cloudwan-vpc-attachment.md
@@ -5 +5 @@
-Appliance mode
+Appliance modeDNS supportSecurity group referencing
@@ -45,0 +46,48 @@ When traffic flows from a source Availability Zone in us-east-1a to a destinatio
+## DNS support
+
+DNS support in Cloud WAN enables the resolution of public DNS host names to private IP addresses when queried across VPCs attached to the same core network edge similar to the DNS resolution capability available for transit gateways. This feature is enabled by default in your core network and can be configured in your core network policy by setting the `dns-support` parameter to either `true` or `false`, with the setting applying to all core network edges in the core network. You can view your DNS support configuration through the console in the core network policy or by using the [`get-core-network`](https://docs.aws.amazon.com/cli/latest/reference/networkmanager/get-core-network.html) command. 
+
+###### Note
+
+DNS support only works between VPCs attached to the same core network edge and does not function across different regions or between VPCs attached to different core network edges.
+
+## Security group referencing
+
+You can configure security groups by specifying a list of rules that allow network traffic based on criteria such as IP CIDRs, prefix lists, ports and security group referencing. Security group referencing allows you to specify other security groups as references, or matching criterion in inbound security rules to allow instance-to-instance traffic. With this capability, you do not need to reconfigure security rules as applications scale up or down or if their IP addresses change. Rules with security group references also provide higher scale as a single rule can cover thousands of instances and prevents you from over-running security group rule limits.
+
+Security group referencing is a regional feature for Cloud WAN, meaning VPCs must be connected to the same core network edge for this feature to work. When you create a VPC attachment, Cloud WAN automatically enables security group referencing for VPCs attached to the same core network edge.
+
+###### Note
+
+Security group referencing is enabled by default at the attachment level but disabled by default at the core network level.
+
+With security group referencing support in Cloud WAN, you can:
+
+  * Reference security groups across VPCs connected to the same core network edge
+
+  * Simplify security group management for applications that span multiple VPCs
+
+  * Maintain security group references even as instances scale up or down
+
+  * Reduce the number of security group rules needed for cross-VPC communication
+
+
+
+
+### Limitations
+
+The following limitations apply to security group referencing in Cloud WAN:
+
+  * Security group referencing only works between VPCs attached to the same core network edge. It does not work across different regions or between VPCs attached to different core network edges.
+
+  * Security group referencing is not supported for VPC attachments in the use1-az3 Availability Zone . 
+
+  * Security group referencing is not supported for AWS PrivateLink endpoints. We recommend using IP CIDR-based security rules as an alternative.
+
+  * Security group referencing works for Elastic File System (EFS) as long as an allow all egress security group rule is configured for the EFS interfaces in the VPC.
+
+  * Security group referencing support can be configured for both core network and VPC attachments and will only work if it has been enabled for both a core network and its VPC attachments.
+
+
+
+