kubernetes-sigs · kishorj · Feb 18, 2021 · Feb 5, 2021
diff --git a/docs/deploy/upgrade/migrate_v1_v2.md b/docs/deploy/upgrade/migrate_v1_v2.md
@@ -25,6 +25,10 @@ It supports existing AWS resources provisioned by AWSALBIngressController(>=v1.1
             * The AWSALBIngressController didn't add any description for that inbound rule.
             * The AWSLoadBalancerController will use `elbv2.k8s.aws/targetGroupBinding=shared` for that inbound rule
         * You'll need to manually add `elbv2.k8s.aws/targetGroupBinding=shared` description to that inbound rule so that AWSLoadBalancerController can delete such rule when you delete your Ingress.
+            * The following shell pipeline can be used to update the rules automatically. Replace `$REGION` and `$SG_ID` with your own values. After running it change `DryRun: true` to `DryRun: false` to have it actually update your security group:
+              ```
+              aws --region $REGION ec2 update-security-group-rule-descriptions-ingress --cli-input-json "$(aws --region $REGION ec2 describe-security-groups --group-ids $SG_ID | jq '.SecurityGroups[0] | {DryRun: true, GroupId: .GroupId ,IpPermissions: (.IpPermissions | map(select(.FromPort==0 and .ToPort==65535) | .UserIdGroupPairs |= map(.Description="elbv2.k8s.aws/targetGroupBinding=shared"))) }' -M)"
+              ```
 
     !!!tip "sample"
         inbound rule on worker node securityGroups that allow traffic from the managed LB securityGroup before migration: