Adding Rules to a Security Group

You can add rules for inbound flows to any security group. Rules for outbound flows can be added only to security groups used in a VPC.

Security group rules let you allow flows in a specified protocol and on specified ports, coming from either a single IP or a range of IPs (public, private or External IP), or another security group. When you add a rule to a security group, it is automatically applied to all the instances the security group is associated with.

Adding Rules to a Security Group Using Cockpit v1

  1. Click Network/Security > Security Groups.

  2. Click the security group to which you want to add rules.
    The list of rules of the security group appears.

  3. Click Create Rule.
    The CREATE SECURITY GROUP RULE dialog box appears.

  4. To define a rule, choose the following information:

    • First field: The direction of flows (Inbound or Outbound). Outbound is available only if the security group is for a VPC.

    • Second field: The service (for example, SSH or HTTP). For more information about available services, see About Security Group Rules.

    • Third field: The IP protocol (TCP, UDP, ICMP, Any, or Custom), if applicable.

    • Fourth field: A custom IP protocol, if applicable. For more information about IP protocol numbers, see the IANA.org website.

    • Fifth field: The port numbers or ICMP types, if applicable. This can be:

      • A value

      • A range of values, separated by a dash

      • Multiple values, separated by semicolons

      • -1 for all ICMP types

        Avoid opening flows on all ports (1-65535), as it prevents you from effectively controlling them. Only open flows on the ports you need.

    • Sixth field: The target of the rule. This can be:

      • An IP in CIDR notation

      • A range of IPs in CIDR notation

      • Another security group, specified by ID or name

        If the button My IP does not work, check if a browser extension is blocking scripts on the page.

  5. When you are ready to add the rule, click .

    Repeat Steps 4-5 to add multiple rules at once.

  6. Click Create to validate.
    The rule or rules are added to the security group.

Adding Inbound or Outbound Rules to a Security Group Using Cockpit v2-beta

  1. In the Security Groups dashboard, click the ID of the security group to which you want to add rules.
    The security group details panel appears.

  2. Click Create Inbound Rules, or, if applicable, click the Outbound rules tab and then Create Outbound Rules.
    The CREATE INBOUND RULES or CREATE OUTBOUND RULES dialog box appears.

  3. To define a rule, choose the following information:

    • Service: The service (for example, SSH or HTTP). For more information about available services, see About Security Group Rules.

    • Protocol: The IP protocol (tcp, udp, icmp, or Any), if applicable.

    • Port/ICMP: The port numbers or ICMP types, if applicable. This can be:

      • One or more values, separated by semicolons

      • A range of values, separated by a dash

      • For TCP and UDP: a single port number between 0 and 65535, or a range of port numbers.

      • For ICMP: a single type number between 0 and 255, or a type number and code number, or -1 to indicate all ICMP types.

        Avoid opening flows on all ports (1-65535), as it prevents you from effectively controlling them. Only open flows on the ports you need.

    • IP range/Security group: The target of the rule. This can be:

      • An IP in CIDR notation

      • A range of IPs in CIDR notation

      • Another security group, specified by ID or name

  4. To create multiple rules at once, click Add Rule and repeat Step 3.

  5. Click Create Inbound Rules to validate.
    The rule or rules are added to the security group.

Adding Rules to a Security Group Using AWS CLI

Adding Inbound Flow Rules to a Security Group

To add one or more rules for inbound flows, use the authorize-security-group-ingress command following this syntax:

Request sample
$ aws ec2 authorize-security-group-ingress \
    --profile YOUR_PROFILE \
    --group-name my-security-group \
    [--group-id NOT_SPECIFIED] \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
                        { \
                        \"IpProtocol\": \"tcp\", \
                        \"FromPort\": 22, \
                        \"ToPort\": 22, \
                        \"IpRanges\": [ \
                                        { \
                                        \"CidrIp\": \"10.0.0.0/16\" \
                                        } \
                                      ], \
                        \"UserIdGroupPairs\": [ \
                                                { \
                                                \"UserId\": \"123456789000\", \
                                                \"GroupName\": \"dev-sg\", \
                                                \"GroupId\": \"sg-87654321\" \
                                                } \
                                              ] \
                        } \
                      ]" \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • (optional) group-name: The name of the security group, if you are in the public Cloud. In a VPC, specify group-id instead.

  • (optional) group-id: The ID of the security group.

    Among the following attributes, you need to specify either:

    • the protocol, port, and cidr attributes

    • the protocol, port, source-group, and group-owner attributes

    • the ip-permissions attribute

  • (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

  • (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).

  • (optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).

  • (optional) source-group: The name or ID of the source security group from which you want to allow flows.

  • (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.

  • (optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:

    • (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

    • (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).

    • (optional) ToPort: The end of port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).

    • (optional) IpRanges: One or more IP ranges.

      • (optional) CidrIp: The range of IPs.

    • (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows from security groups of other accounts. This attribute contains the following elements that you need to specify:

      • (optional) UserId: The account ID of the owner of the referenced security group.

      • (optional) GroupName: The name of the referenced security group.

      • (optional) GroupId: The ID of the referenced security group.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The specified inbound rules are added to the security group.

(VPC only) Adding Outbound Flow Rules to a Security Group

To add one or more rules for outbound flows, use the authorize-security-group-egress command following this syntax:

Request sample
$ aws ec2 authorize-security-group-egress \
    --profile YOUR_PROFILE \
    --group-id sg-12345678 \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
                        { \
                        \"IpProtocol\": \"tcp\", \
                        \"FromPort\": 22, \
                        \"ToPort\": 22, \
                        \"IpRanges\": [ \
                                        { \
                                        \"CidrIp\": \"10.0.0.0/16\" \
                                        } \
                                      ], \
                        \"UserIdGroupPairs\": [ \
                                                { \
                                                \"UserId\": \"123456789000\", \
                                                \"GroupName\": \"dev-sg\", \
                                                \"GroupId\": \"sg-87654321\" \
                                                } \
                                              ], \
                        \"PrefixListIds\": [ \
                                             { \
                                             \"PrefixListId\": \"pl-12345678\" \
                                             } \
                                           ] \
                        } \
                      ]" \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • group-id: The ID of the security group.

    Among the following attributes, you need to specify either:

    • the protocol, port, and cidr attributes

    • the protocol, port, source-group, and group-owner attributes

    • the ip-permissions attribute

  • (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

  • (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).

  • (optional) cidr: The range of destination IPs to which you want to allow flows, in CIDR notation (/32 prefix for a single IP).

  • (optional) source-group: The name or ID of the destination security group to which you want to allow flows.

  • (optional) group-owner: The account ID of the owner of the destination security group, if it belongs to another account.

  • (optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:

    • (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

    • (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).

    • (optional) ToPort: The end of port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).

    • (optional) IpRanges: One or more IP ranges.

      • (optional) CidrIp: The range of IPs.

    • (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows to security groups of other accounts. This attribute contains the following elements that you need to specify:

      • (optional) UserId: The account ID of the owner of the referenced security group.

      • (optional) GroupName: The name of the referenced security group.

      • (optional) GroupId: The ID of the referenced security group.

    • (optional) PrefixListIds: One or more prefix list IDs. For more information, see Getting Information About Prefix Lists.

      • (optional) PrefixListId: The ID of a prefix list.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The specified outbound rules are added to the security group.
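The following script is an added example and is not code from this page or from OUTSCALE. It wraps both CLI procedures above (authorize-security-group-ingress and authorize-security-group-egress) in one function that first checks the rule against the advice given on this page (no all-port ranges, no SSH or RDP open to 0.0.0.0/0), then builds the IpPermissions JSON the samples above pass through --ip-permissions, and only then calls the AWS CLI. The FCU_ENDPOINT, MAX_PORT_SPAN and DRY_RUN variables, the 1024-port threshold and the list of admin ports are assumptions of this script, not AWS CLI options or OUTSCALE policy; sg-12345678 is a placeholder ID.

```shell
#!/bin/sh
# Added example, not code from the original page or from OUTSCALE: lint a
# security group rule against the advice given above (no all-port ranges,
# no SSH/RDP open to the world), build the IpPermissions JSON that
# authorize-security-group-ingress/-egress take, then run the AWS CLI.
# FCU_ENDPOINT, MAX_PORT_SPAN and DRY_RUN are switches assumed by this
# script, not AWS CLI options; sg-12345678 below is a placeholder ID.

ENDPOINT="${FCU_ENDPOINT:-https://fcu.eu-west-2.outscale.com}"
MAX_PORT_SPAN="${MAX_PORT_SPAN:-1024}"   # widest range accepted (assumed policy)

# is_number N: succeed if N is a non-negative decimal integer.
is_number() {
  case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac
}

# port_bounds SPEC: print "FROM TO" for "22" or "8000-8080"; fail on junk,
# inverted ranges, or anything above 65535.
port_bounds() {
  case "$1" in
    *-*) pb_from=${1%%-*}; pb_to=${1#*-} ;;
    *)   pb_from=$1; pb_to=$1 ;;
  esac
  is_number "$pb_from" && is_number "$pb_to" || return 1
  [ "$pb_from" -le "$pb_to" ] && [ "$pb_to" -le 65535 ] || return 1
  echo "$pb_from $pb_to"
}

# valid_cidr A.B.C.D/N: succeed only for a well-formed IPv4 CIDR.
valid_cidr() {
  vc_addr=${1%/*}; vc_prefix=${1#*/}
  [ "$vc_addr" != "$1" ] || return 1                 # no "/" at all
  is_number "$vc_prefix" && [ "$vc_prefix" -le 32 ] || return 1
  vc_rest="$vc_addr."; vc_n=0
  while [ -n "$vc_rest" ]; do                         # peel one octet per turn
    vc_o=${vc_rest%%.*}; vc_rest=${vc_rest#*.}
    is_number "$vc_o" && [ "$vc_o" -le 255 ] || return 1
    vc_n=$((vc_n + 1))
  done
  [ "$vc_n" -eq 4 ]
}

# lint_rule PROTO SPEC CIDR: succeed if the rule is acceptable, otherwise
# print the reason on stderr and fail. ICMP and -1 are refused on purpose.
lint_rule() {
  lr_proto=$1; lr_spec=$2; lr_cidr=$3
  case "$lr_proto" in
    tcp|udp) ;;
    *) echo "lint: protocol '$lr_proto' refused; use tcp or udp with explicit ports" >&2; return 1 ;;
  esac
  valid_cidr "$lr_cidr" || { echo "lint: bad CIDR '$lr_cidr'" >&2; return 1; }
  lr_bounds=$(port_bounds "$lr_spec") || { echo "lint: bad port spec '$lr_spec'" >&2; return 1; }
  lr_from=${lr_bounds% *}; lr_to=${lr_bounds#* }
  lr_span=$((lr_to - lr_from + 1))
  if [ "$lr_span" -gt "$MAX_PORT_SPAN" ]; then
    echo "lint: '$lr_spec' opens $lr_span ports (limit $MAX_PORT_SPAN)" >&2; return 1
  fi
  if [ "$lr_cidr" = "0.0.0.0/0" ]; then
    for lr_admin in 22 3389; do                       # SSH and RDP stay private
      if [ "$lr_from" -le "$lr_admin" ] && [ "$lr_admin" -le "$lr_to" ]; then
        echo "lint: port $lr_admin must not be open to 0.0.0.0/0" >&2; return 1
      fi
    done
  fi
  return 0
}

# ip_permission_json PROTO SPEC CIDR: the one-element IpPermissions list
# that the CLI samples above pass in --ip-permissions, as plain JSON.
ip_permission_json() {
  ipj_bounds=$(port_bounds "$2") || return 1
  printf '[{"IpProtocol":"%s","FromPort":%s,"ToPort":%s,"IpRanges":[{"CidrIp":"%s"}]}]' \
    "$1" "${ipj_bounds% *}" "${ipj_bounds#* }" "$3"
}

# authorize_rule ingress|egress GROUP_ID PROTO SPEC CIDR: lint, build, call.
# With DRY_RUN set the command line is printed instead of executed. The
# CLI reads AWS_PROFILE from the environment, so no --profile is passed.
authorize_rule() {
  case "$1" in
    ingress|egress) ar_dir=$1 ;;
    *) echo "usage: authorize_rule ingress|egress GROUP_ID PROTO PORT[-PORT] CIDR" >&2; return 1 ;;
  esac
  ar_group=$2
  lint_rule "$3" "$4" "$5" || return 1
  ar_perms=$(ip_permission_json "$3" "$4" "$5") || return 1
  set -- aws ec2 "authorize-security-group-$ar_dir" --group-id "$ar_group" \
    --ip-permissions "$ar_perms" --endpoint "$ENDPOINT"
  if [ -n "${DRY_RUN:-}" ]; then
    printf '%s ' "$@"; echo
    return 0
  fi
  "$@"
}

# Stand-alone use: ./sg-rule.sh ingress sg-12345678 tcp 22 10.0.0.0/16
if [ "$#" -eq 5 ]; then
  authorize_rule "$@"
fi
```

Run it with DRY_RUN=1 first to see the exact command line it would issue; a rule that trips the lint never reaches the CLI, so a typo such as 1-65535 or a world-open port 22 is caught before it is applied to every instance in the group. The lint deliberately refuses protocol -1, because with -1 the FromPort and ToPort values are ignored and the rule opens every port of every protocol.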

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.