Adding Rules to a Security Group

You can add rules for inbound flows to security groups. You can also add rules for outbound flows to security groups for use in a Net.

Security group rules let you allow flows in a specified protocol and on specified ports, coming from either a single IP or a range of IPs (public, private or public IP), or another security group. When you add a rule to a security group, it is automatically applied to all the virtual machines (VMs) the security group is associated with.

Adding Rules to a Security Group Using Cockpit v2

In the Security Groups dashboard, click the ID of the security group to which you want to add rules.
The security group details panel appears.
Click Create to add an inbound rule, or, if applicable, click on the Outbound rules tab and then on Create.
The CREATE INBOUND RULES or CREATE OUTBOUND RULES dialog box appears.
To define a rule, choose the following information:
- Service: The service (for example, SSH or HTTP). For more information about available services, see About Security Group Rules.
- Protocol: The IP protocol (tcp, udp, icmp, or Any), if applicable.
- Port/ICMP: The port numbers or ICMP types, if applicable. This can be:
  - One or more values, separated by semicolons
  - A range of values, separated by a dash
  - For TCP and UDP: a single port number between 0 and 65535, or a range of port numbers.
  - For ICMP: a single type number between 0 and 255, or a type number and code number, or -1 to indicate all ICMP types.
    
    Avoid opening flows on all ports (1-65535), as it prevents you from effectively controlling them. Only open flows on the ports you need.
- IP range/Security group: The target of the rule. This can be:
  - An IP in CIDR notation
  - A range of IPs in CIDR notation
  - Another security group, specified by ID or name
    
    If the button My IP does not work, check if a browser extension is blocking scripts on the page.
To create multiple rules at once, click Add Rule and repeat Step 3.
Click Create.
The rule or rules are added to the security group.

Adding Rules to a Security Group Using OSC CLI

The CreateSecurityGroupRule command adds one or more rules to a security group.
Use the SecurityGroupId parameter to specify the security group for which you want to create a rule.
Use the Flow parameter to specify if you want an inbound rule or an outbound rule.

An inbound rule allows the security group to receive traffic:

Either from a specific IP range (IpRange parameter) on a specific port range (FromPortRange and ToPortRange parameters) and specific protocol (IpProtocol parameter).
Or from another specific security group (SecurityGroupAccountIdToLink and SecurityGroupNameToLink parameters).

(Net only) An outbound rule works similarly but allows the security group to send traffic rather than receive traffic.

Alternatively, you can use the Rules parameter to add several rules at the same time.

The modifications are effective as quickly as possible, but a small delay may occur.
By default, traffic between two security groups is allowed through both public and private IPs. To restrict traffic to private IPs only, contact our Support team at support@outscale.com.

For more information, see About Security Group Rules.

Request sample: Creating an inbound rule from an IP range

$ osc-cli api CreateSecurityGroupRule --profile "default" \
    --Flow "Inbound" \
    --SecurityGroupId "sg-12345678" \
    --FromPortRange 80 \
    --ToPortRange 80 \
    --IpProtocol "tcp" \
    --IpRange "10.0.0.0/16"

Request sample: Creating an inbound rule from another security group

$ osc-cli api CreateSecurityGroupRule --profile "default" \
    --Flow "Inbound" \
    --SecurityGroupId "sg-12345678" \
    --Rules '[
        {
          "FromPortRange": 22,
          "ToPortRange": 22,
          "IpProtocol": "tcp",
          "SecurityGroupsMembers": [{"AccountId": "123456789012", "SecurityGroupName": "another-security-group"}],
        },
      ]'

This command contains the following attributes that you need to specify:

DryRun: (optional) If true, checks whether you have the required permissions to perform the action.
Flow: The direction of the flow: Inbound or Outbound. You can specify Outbound for Nets only.
FromPortRange: (optional) The beginning of the port range for the TCP and UDP protocols, or an ICMP type number. If you specify this parameter, you cannot specify the Rules parameter and its subparameters.
IpProtocol: (optional) The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a Net, this can also be an IP protocol number. For more information, see the IANA.org website. If you specify this parameter, you cannot specify the Rules parameter and its subparameters.
IpRange: (optional) The IP range for the security group rule, in CIDR notation (for example, 10.0.0.0/16). If you specify this parameter, you cannot specify the Rules parameter and its subparameters.
Rules: (optional) Information about the security group rule to create. If you specify this parent parameter and its subparameters, you cannot specify the following parent parameters: FromPortRange, IpProtocol, IpRange, and ToPortRange.
SecurityGroupAccountIdToLink: (optional) The account ID that owns the source or destination security group specified in the SecurityGroupNameToLink parameter.
SecurityGroupId: The ID of the security group for which you want to create a rule.
SecurityGroupNameToLink: (optional) The ID of a source or destination security group that you want to link to the security group of the rule.
ToPortRange: (optional) The end of the port range for the TCP and UDP protocols, or an ICMP code number. If you specify this parameter, you cannot specify the Rules parameter and its subparameters.

The CreateSecurityGroupRule command returns the following elements:

ResponseContext: Information about the context of the response.
SecurityGroup: Information about the security group.

Result sample: Creating an inbound rule from an IP range

{
  "SecurityGroup": {
    "Tags": [],
    "SecurityGroupName": "security-group-example",
    "OutboundRules": [
      {
        "FromPortRange": -1,
        "IpProtocol": "-1",
        "ToPortRange": -1,
        "IpRanges": [
          "0.0.0.0/0"
        ]
      }
    ],
    "SecurityGroupId": "sg-12345678",
    "AccountId": "123456789012",
    "Description": "Example of security group",
    "InboundRules": [
      {
        "FromPortRange": 80,
        "IpProtocol": "tcp",
        "ToPortRange": 80,
        "IpRanges": [
          "10.0.0.0/16"
        ]
      }
    ],
    "NetId": "vpc-12345678"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Result sample: Creating an inbound rule from another security group

{
  "SecurityGroup": {
    "Tags": [],
    "SecurityGroupName": "security-group-example",
    "OutboundRules": [
      {
        "FromPortRange": -1,
        "IpProtocol": "-1",
        "ToPortRange": -1,
        "IpRanges": [
          "0.0.0.0/0"
        ]
      }
    ],
    "SecurityGroupId": "sg-12345678",
    "AccountId": "123456789012",
    "Description": "Example of security group",
    "InboundRules": [
      {
        "FromPortRange": 22,
        "IpProtocol": "tcp",
        "ToPortRange": 22,
        "SecurityGroupsMembers": [
          {
            "SecurityGroupName": "another-security-group",
            "SecurityGroupId": "sg-87654321",
            "AccountId": "987654321098"
          }
        ]
      }
    ],
    "NetId": "vpc-12345678"
  },
  "ResponseContext": {
    "RequestId": "0475ca1e-d0c5-441d-712a-da55a4175157"
  }
}

Adding Rules to a Security Group Using AWS CLI

Adding Inbound Flows Rules to a Security Group

To add one or more rules for inbound flows, use the authorize-security-group-ingress command following this syntax:

Request sample

$ aws ec2 authorize-security-group-ingress \
    --profile YOUR_PROFILE \
    --group-name my-security-group \
    [--group-id NOT_SPECIFIED] \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
                        { \
                        \"IpProtocol\": \"tcp\", \
                        \"FromPort\": 22, \
                        \"ToPort\": 22, \
                        \"IpRanges\": [ \
                                        { \
                                        \"CidrIp\": \"10.0.0.0/16\" \
                                        } \
                                      ], \
                        \"UserIdGroupPairs\": [ \
                                                { \
                                                \"UserId\": \"123456789000\", \
                                                \"GroupName\": \"dev-sg\", \
                                                \"GroupId\": \"sg-87654321\" \
                                                } \
                                              ] \
                        } \
                      ]" \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
(optional) group-name: The name of the security group, if you are in the public Cloud.

(optional) group-id: The ID of the security group.

Among the following attributes, you need to specify either:

the protocol, port, and cidr attributes
the protocol, port, source-group, and group-owner attributes
the ip-permissions attribute

(optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
(optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).
(optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).
(optional) source-group: The name or ID of the source security group from which you want to allow flows.
(optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.
(optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:
- (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
- (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
- (optional) ToPort: The end of port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
- (optional) IpRanges: One or more IP ranges.
  - (optional) CidrIp: The range of IPs.
- (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows from security groups of other accounts. This attribute contains the following elements that you need to specify:
  - (optional) UserId: The account ID of the owner of the referenced security group.
  - (optional) GroupName: The name of the referenced security group.
  - (optional) GroupId: The ID of the referenced security group.
endpoint: The endpoint corresponding to the Region you want to send the request to.

The specified inbound rules are added to the security group.

(VPC only) Adding Outbound Flows Rules to a Security Group

To add one or more rules for outbound flows, use the authorize-security-group-egress command following this syntax:

Request sample

$ aws ec2 authorize-security-group-egress \
    --profile YOUR_PROFILE \
    --group-id my-security-group \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
                        { \
                        \"IpProtocol\": \"tcp\", \
                        \"FromPort\": 22, \
                        \"ToPort\": 22, \
                        \"IpRanges\": [ \
                                        { \
                                        \"CidrIp\": \"10.0.0.0/16\" \
                                        } \
                                      ], \
                        \"UserIdGroupPairs\": [ \
                                                { \
                                                \"UserId\": \"123456789000\", \
                                                \"GroupName\": \"dev-sg\", \
                                                \"GroupId\": \"sg-87654321\" \
                                                } \
                                              ], \
                        \"PrefixListIds\": [ \
                                             { \
                                             \"PrefixListId\": \"pl-12345678\" \
                                             } \
                                           ] \
                        } \
                      ]" \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

(optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

group-id: The ID of the security group.

Among the following attributes, you need to specify either:

the protocol, port, and cidr attributes
the protocol, port, source-group, and group-owner attributes
the ip-permissions attribute

(optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
(optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).
(optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).
(optional) source-group: The name or ID of the source security group from which you want to allow flows.
(optional) group-owner: The account ID of the owner of source security group, if it belongs to another account.
(optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:
- (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
- (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
- (optional) ToPort: The end of port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
- (optional) IpRanges: One or more IP ranges.
  - (optional) CidrIp: The range of IPs.
- (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows to security groups of other accounts. This attribute contains the following elements that you need to specify:
  - (optional) UserId: The account ID of the owner of the referenced security group.
  - (optional) GroupName: The name of the referenced security group.
  - (optional) GroupId: The ID of the referenced security group.
- (optional) PrefixListIds: One or more prefix list IDs. For more information, see Getting Information About Prefix Lists.
  - (optional) PrefixListId: The ID of a prefix list.
endpoint: The endpoint corresponding to the Region you want to send the request to.

The specified outbound rules are added to the security group.

Related Pages

Corresponding API Methods

AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.