Comment 2 for bug 1216644

William Reade (fwereade) wrote :

We're not likely to be able to fix this easily until we've done more work on the networking model (which *is* scheduled in the next few months). Using ec2-api-tools directly would indeed let you modify the security groups out of band, and is surely more amenable to automation than using the console, but still doesn't feel all that helpful.

The workaround right now would be to use "firewall-mode: global" in your environment config, and to manually (console or ec2-api-tools) open the desired range on the single shared security group when you bootstrap (or first deploy this service, or whatever); but this demands (1) a fresh environment, because firewall-mode is immutable and (2) a sanguine attitude to having those ports opened on *all* your instances, not just instances of this service. Does this help at all?