diff --git a/pkg/model/bastion.go b/pkg/model/bastion.go
index f5a0b86f1a..47f75305b3 100644
--- a/pkg/model/bastion.go
+++ b/pkg/model/bastion.go
@@ -43,38 +43,42 @@ type BastionModelBuilder struct { var _ fi.ModelBuilder = &BastionModelBuilder{} func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { - var bastionGroups []*kops.InstanceGroup + var bastionInstanceGroups []*kops.InstanceGroup for _, ig := range b.InstanceGroups { if ig.Spec.Role == kops.InstanceGroupRoleBastion { - bastionGroups = append(bastionGroups, ig) + bastionInstanceGroups = append(bastionInstanceGroups, ig) } } - if len(bastionGroups) == 0 { + if len(bastionInstanceGroups) == 0 { return nil } - // Create security group for bastion instances - { - t := &awstasks.SecurityGroup{ - Name: s(b.SecurityGroupName(kops.InstanceGroupRoleBastion)), - Lifecycle: b.SecurityLifecycle, - - VPC: b.LinkToVPC(), - Description: s("Security group for bastion"), - RemoveExtraRules: []string{"port=22"}, - } - t.Tags = b.CloudTags(*t.Name, false) - c.AddTask(t) + bastionGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleBastion) + if err != nil { + return err + } + nodeGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleNode) + if err != nil { + return err + } + masterGroups, err := b.GetSecurityGroups(kops.InstanceGroupRoleMaster) + if err != nil { + return err } - // Allow traffic from bastion instances to egress freely - { - t := &awstasks.SecurityGroupRule{ - Name: s("bastion-egress"), - Lifecycle: b.SecurityLifecycle, + // Create security group for bastion instances + for _, bastionGroup := range bastionGroups { + bastionGroup.Task.Lifecycle = b.SecurityLifecycle + c.AddTask(bastionGroup.Task) + } - SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), + for _, src := range bastionGroups { + // Allow traffic from bastion instances to egress freely + t := &awstasks.SecurityGroupRule{ + Name: s("bastion-egress" + src.Suffix), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: src.Task, Egress: fi.Bool(true), CIDR: s("0.0.0.0/0"), } 
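Review bot: The three `return err` lines after the new `GetSecurityGroups` calls drop which role's lookup failed, so a failure reads the same whether the bastion, node or master groups were missing; wrapping each with the role, e.g. `return fmt.Errorf("getting %s security groups: %w", kops.InstanceGroupRoleBastion, err)` (with `%v` if the module's Go version predates `%w`, and assuming `fmt` is imported in this file), keeps the security-group build failure diagnosable. `bastionGroup.Task.Lifecycle = b.SecurityLifecycle` also overwrites whatever lifecycle `GetSecurityGroups` put on the task: `createSecurityGroups` in the firewall.go hunk already takes a `lifecycle` parameter, so if `GetSecurityGroups` threads one through, this assignment is redundant, and if it does not, a one-line comment such as `// GetSecurityGroups leaves Lifecycle unset; security tasks follow SecurityLifecycle` would record why it is set here. The `Build` body continues past the end of this hunk.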
@@ -83,12 +87,11 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { // Allow incoming SSH traffic to bastions, through the ELB // TODO: Could we get away without an ELB here? Tricky to fix if dns-controller breaks though... - { + for _, dest := range bastionGroups { t := &awstasks.SecurityGroupRule{ - Name: s("ssh-elb-to-bastion"), - Lifecycle: b.SecurityLifecycle, - - SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), + Name: s("ssh-elb-to-bastion" + dest.Suffix), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: dest.Task, SourceGroup: b.LinkToELBSecurityGroup(BastionELBSecurityGroupPrefix), Protocol: s("tcp"), FromPort: i64(22), 
@@ -98,33 +101,35 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { } // Allow bastion nodes to SSH to masters - { - t := &awstasks.SecurityGroupRule{ - Name: s("bastion-to-master-ssh"), - Lifecycle: b.SecurityLifecycle, - - SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster), - SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), - Protocol: s("tcp"), - FromPort: i64(22), - ToPort: i64(22), + for _, src := range bastionGroups { + for _, dest := range masterGroups { + t := &awstasks.SecurityGroupRule{ + Name: s("bastion-to-master-ssh" + JoinSuffixes(src, dest)), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: dest.Task, + SourceGroup: src.Task, + Protocol: s("tcp"), + FromPort: i64(22), + ToPort: i64(22), + } + c.AddTask(t) } - c.AddTask(t) } // Allow bastion nodes to SSH to nodes - { - t := &awstasks.SecurityGroupRule{ - Name: s("bastion-to-node-ssh"), - Lifecycle: b.SecurityLifecycle, - - SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleNode), - SourceGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleBastion), - Protocol: s("tcp"), - FromPort: i64(22), - ToPort: i64(22), + for _, src := range bastionGroups { + for _, dest := range nodeGroups { + t := &awstasks.SecurityGroupRule{ + Name: s("bastion-to-node-ssh" + JoinSuffixes(src, dest)), + Lifecycle: b.SecurityLifecycle, + SecurityGroup: dest.Task, + SourceGroup: src.Task, + Protocol: s("tcp"), + FromPort: i64(22), + ToPort: i64(22), + } + c.AddTask(t) } - c.AddTask(t) } // Create security group for bastion ELB
@@ -173,7 +178,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { var elbSubnets []*awstasks.Subnet { zones := sets.NewString() - for _, ig := range bastionGroups { + for _, ig := range bastionInstanceGroups { subnets, err := b.GatherSubnets(ig) if err != nil { return err 
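Review bot: The bastion-to-master and bastion-to-node blocks are now the same nested loop and `SecurityGroupRule` literal, differing only in the name prefix and the destination slice, so the two copies are worth folding into one helper that takes the prefix and the destination groups. The sketch below assumes `GetSecurityGroups` returns `[]SecurityGroupInfo` like `createSecurityGroups` does in the firewall.go hunk; the call sites become `b.addBastionSSHRules(c, "bastion-to-master-ssh", bastionGroups, masterGroups)` and the node equivalent. Note the loops emit one TCP/22 ingress rule per (bastion group, destination group) pair, so clusters with several custom security groups grow the per-group rule count multiplicatively; a short comment stating that bound would help whoever next touches this. The `Build` body continues on both sides of this hunk.
```go
// addBastionSSHRules allows TCP/22 from every bastion security group into every destination group.
func (b *BastionModelBuilder) addBastionSSHRules(c *fi.ModelBuilderContext, prefix string, srcs, dests []SecurityGroupInfo) {
	for _, src := range srcs {
		for _, dest := range dests {
			c.AddTask(&awstasks.SecurityGroupRule{
				Name:          s(prefix + JoinSuffixes(src, dest)),
				Lifecycle:     b.SecurityLifecycle,
				SecurityGroup: dest.Task,
				SourceGroup:   src.Task,
				Protocol:      s("tcp"),
				FromPort:      i64(22),
				ToPort:        i64(22),
			})
		}
	}
}
```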
@@ -231,7 +236,7 @@ func (b *BastionModelBuilder) Build(c *fi.ModelBuilderContext) error { c.AddTask(elb) } - for _, ig := range bastionGroups { + for _, ig := range bastionInstanceGroups { // We build the ASG when we iterate over the instance groups // Attach the ELB to the ASG
diff --git a/pkg/model/firewall.go b/pkg/model/firewall.go
index 7baa1e6cf5..608c86587d 100644
--- a/pkg/model/firewall.go
+++ b/pkg/model/firewall.go
@@ -411,7 +411,7 @@ type SecurityGroupInfo struct { func (b *KopsModelContext) createSecurityGroups(role kops.InstanceGroupRole, lifecycle *fi.Lifecycle, c *fi.ModelBuilderContext) ([]SecurityGroupInfo, error) { var baseGroup *awstasks.SecurityGroup if role == kops.InstanceGroupRoleMaster { - name := "masters." + b.ClusterName() + name := b.SecurityGroupName(role) baseGroup = &awstasks.SecurityGroup{ Name: s(name), Lifecycle: lifecycle,
@@ -431,9 +431,9 @@ func (b *KopsModelContext) createSecurityGroups(role kops.InstanceGroupRole, lif // TODO: Protocol 4 for calico }, } - baseGroup.Tags = b.CloudTags(*baseGroup.Name, false) + baseGroup.Tags = b.CloudTags(name, false) } else if role == kops.InstanceGroupRoleNode { - name := "nodes." + b.ClusterName() + name := b.SecurityGroupName(role) baseGroup = &awstasks.SecurityGroup{ Name: s(name), Lifecycle: lifecycle, 
@@ -441,23 +441,17 @@ func (b *KopsModelContext) createSecurityGroups(role kops.InstanceGroupRole, lif Description: s("Security group for nodes"), RemoveExtraRules: []string{"port=22"}, } - baseGroup.Tags = b.CloudTags(*baseGroup.Name, false) + baseGroup.Tags = b.CloudTags(name, false) } else if role == kops.InstanceGroupRoleBastion { - return nil, fmt.Errorf("bastion are not supported yet with instancegroup securitygroup") - /* - // TODO use this instead of the hardcoded names?? - // b.SecurityGroupName(kops.InstanceGroupRoleBastion)) - // TODO implement - name := "bastion." + b.ClusterName() - baseGroup = &awstasks.SecurityGroup{ - Name: s(name), - Lifecycle: lifecycle, - VPC: b.LinkToVPC(), - Description: s("Security group for bastion"), - RemoveExtraRules: []string{"port=22"}, - } - baseGroup.Tags = b.CloudTags(*baseGroup.Name, false) - */ + name := b.SecurityGroupName(role) + baseGroup = &awstasks.SecurityGroup{ + Name: s(name), + Lifecycle: lifecycle, + VPC: b.LinkToVPC(), + Description: s("Security group for bastion"), + RemoveExtraRules: []string{"port=22"}, + } + baseGroup.Tags = b.CloudTags(name, false) } else { return nil, fmt.Errorf("not a supported security group type") }
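Review bot: With the bastion branch filled in, `name := b.SecurityGroupName(role)` and `baseGroup.Tags = b.CloudTags(name, false)` are repeated verbatim in all three role branches (the other two are in the preceding hunks of this file), so the name can be computed once before the `if`/`else if` chain and the tags set once after it, leaving only `Description` and the `RemoveExtraRules` list role-specific — the master list is longer, judging by the `// TODO: Protocol 4 for calico` context, so those two fields are what a `switch role` would select. Keeping `RemoveExtraRules: []string{"port=22"}` on the bastion group matches the masters and nodes, so any SSH rule not declared by kops is pruned from the bastion group as well; a one-line comment on that field saying so would make the intent explicit. The trailing `else` could also name what it rejected, `return nil, fmt.Errorf("not a supported security group type: %v", role)`, since `role` is the only input that reaches that branch. `createSecurityGroups` continues past the end of this hunk.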