Adding Rules to a Security Group
You can add rules for inbound flows to security groups. You can also add rules for outbound flows to security groups for use in a VPC.
Security group rules let you allow flows in a specified protocol and on specified ports, coming from either a single IP or a range of IPs (public, private or External IP), or another security group. When you add a rule to a security group, it is automatically applied to all the instances the security group is associated with.
Adding Rules to a Security Group Using Cockpit v1
1. Click Network/Security > Security Groups.
2. Click the security group to which you want to add rules.
   The list of rules of the security group appears.
3. Click Create Rule.
   The CREATE SECURITY GROUP RULE dialog box appears.
4. To define a rule, choose the following information:
   - First field: The direction of flows (Inbound or Outbound). Outbound is available only if the security group is for a VPC.
   - Second field: The service (for example, SSH or HTTP). For more information about available services, see About Security Group Rules.
   - Third field: The IP protocol (TCP, UDP, ICMP, Any, or Custom), if applicable.
   - Fourth field: A custom IP protocol, if applicable. For more information about IP protocol numbers, see the IANA.org website.
   - Fifth field: The port numbers or ICMP types, if applicable. This can be:
     - A value
     - A range of values, separated by a dash
     - Multiple values, separated by semicolons
     - -1 for all ICMP types
     Avoid opening flows on all ports (1-65535), as it prevents you from effectively controlling them. Only open flows on the ports you need.
   - Sixth field: The target of the rule. This can be:
     - An IP in CIDR notation
     - A range of IPs in CIDR notation
     - Another security group, specified by ID or name
     If the button My IP does not work, check if a browser extension is blocking scripts on the page.
5. When you are ready to add the rule, click .
   Repeat Steps 4-5 to add multiple rules at once.
6. Click Create to validate.
The rule or rules are added to the security group.
Adding Rules to a Security Group Using Cockpit v2-beta
1. In the Security Groups dashboard, click the ID of the security group to which you want to add rules.
   The security group details panel appears.
2. Click Create Inbound Rules, or, if applicable, click the Outbound rules tab and then Create Outbound Rules.
   The CREATE INBOUND RULES or CREATE OUTBOUND RULES dialog box appears.
3. To define a rule, choose the following information:
   - Service: The service (for example, SSH or HTTP). For more information about available services, see About Security Group Rules.
   - Protocol: The IP protocol (tcp, udp, icmp, or Any), if applicable.
   - Port/ICMP: The port numbers or ICMP types, if applicable. This can be:
     - One or more values, separated by semicolons
     - A range of values, separated by a dash
     - For TCP and UDP: a single port number between 0 and 65535, or a range of port numbers.
     - For ICMP: a single type number between 0 and 255, or a type number and code number, or -1 to indicate all ICMP types.
     Avoid opening flows on all ports (1-65535), as it prevents you from effectively controlling them. Only open flows on the ports you need.
   - IP range/Security group: The target of the rule. This can be:
     - An IP in CIDR notation
     - A range of IPs in CIDR notation
     - Another security group, specified by ID or name
4. To create multiple rules at once, click Add Rule and repeat Step 3.
5. Click Create Inbound Rules to validate.
The rule or rules are added to the security group.
Adding Rules to a Security Group Using OSC CLI
See the CreateSecurityGroupRule command sample in the documentation of the OUTSCALE API.
Adding Rules to a Security Group Using AWS CLI
Adding Inbound Flows Rules to a Security Group
To add one or more rules for inbound flows, use the authorize-security-group-ingress command following this syntax:
$ aws ec2 authorize-security-group-ingress \
    --profile YOUR_PROFILE \
    --group-name my-security-group \
    [--group-id NOT_SPECIFIED] \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
      { \
        \"IpProtocol\": \"tcp\", \
        \"FromPort\": 22, \
        \"ToPort\": 22, \
        \"IpRanges\": [ \
          { \
            \"CidrIp\": \"10.0.0.0/16\" \
          } \
        ], \
        \"UserIdGroupPairs\": [ \
          { \
            \"UserId\": \"123456789000\", \
            \"GroupName\": \"dev-sg\", \
            \"GroupId\": \"sg-87654321\" \
          } \
        ] \
      } \
    ]" \
    --endpoint https://fcu.eu-west-2.outscale.com
This command contains the following attributes that you need to specify:
- (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
- (optional) group-name: The name of the security group, if you are in the public Cloud.
- (optional) group-id: The ID of the security group.
  Among the following attributes, you need to specify either:
  - the protocol, port, and cidr attributes
  - the protocol, port, source-group, and group-owner attributes
  - the ip-permissions attribute
- (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
- (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).
- (optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).
- (optional) source-group: The name or ID of the source security group from which you want to allow flows.
- (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.
- (optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:
  - (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
  - (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
  - (optional) ToPort: The end of the port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
  - (optional) IpRanges: One or more IP ranges.
    - (optional) CidrIp: The range of IPs.
  - (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows from security groups of other accounts. This attribute contains the following elements that you need to specify:
    - (optional) UserId: The account ID of the owner of the referenced security group.
    - (optional) GroupName: The name of the referenced security group.
    - (optional) GroupId: The ID of the referenced security group.
- endpoint: The endpoint corresponding to the Region you want to send the request to.
The specified inbound rules are added to the security group.
(VPC only) Adding Outbound Flows Rules to a Security Group
To add one or more rules for outbound flows, use the authorize-security-group-egress command following this syntax:
$ aws ec2 authorize-security-group-egress \
    --profile YOUR_PROFILE \
    --group-id my-security-group \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
      { \
        \"IpProtocol\": \"tcp\", \
        \"FromPort\": 22, \
        \"ToPort\": 22, \
        \"IpRanges\": [ \
          { \
            \"CidrIp\": \"10.0.0.0/16\" \
          } \
        ], \
        \"UserIdGroupPairs\": [ \
          { \
            \"UserId\": \"123456789000\", \
            \"GroupName\": \"dev-sg\", \
            \"GroupId\": \"sg-87654321\" \
          } \
        ], \
        \"PrefixListIds\": [ \
          { \
            \"PrefixListId\": \"pl-12345678\" \
          } \
        ] \
      } \
    ]" \
    --endpoint https://fcu.eu-west-2.outscale.com
This command contains the following attributes that you need to specify:
- (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.
- group-id: The ID of the security group.
  Among the following attributes, you need to specify either:
  - the protocol, port, and cidr attributes
  - the protocol, port, source-group, and group-owner attributes
  - the ip-permissions attribute
- (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
- (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).
- (optional) cidr: The range of IPs you want to allow, in CIDR notation (/32 prefix for a single IP).
- (optional) source-group: The name or ID of the source security group from which you want to allow flows.
- (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.
- (optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:
  - (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.
  - (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).
  - (optional) ToPort: The end of the port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).
  - (optional) IpRanges: One or more IP ranges.
    - (optional) CidrIp: The range of IPs.
  - (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows to security groups of other accounts. This attribute contains the following elements that you need to specify:
    - (optional) UserId: The account ID of the owner of the referenced security group.
    - (optional) GroupName: The name of the referenced security group.
    - (optional) GroupId: The ID of the referenced security group.
  - (optional) PrefixListIds: One or more prefix list IDs. For more information, see Getting Information About Prefix Lists.
    - (optional) PrefixListId: The ID of a prefix list.
- endpoint: The endpoint corresponding to the Region you want to send the request to.
The specified outbound rules are added to the security group.
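The ip-permissions payload used by both commands above, and the port field syntax accepted by Cockpit v1 and v2-beta, are easy to get subtly wrong when written by hand: a CIDR with host bits set, a port outside 0-65535, or the all-ports range that this page advises against. The following Python script is an added example, not OUTSCALE's or AWS CLI's own code. It parses a Cockpit-style port field (single value, dash range, semicolon-separated values, -1 for all ICMP types, type-code for ICMP), builds IpPermissions entries with the element names described on this page (IpProtocol, FromPort, ToPort, IpRanges/CidrIp, UserIdGroupPairs, PrefixListIds), turns a bare IP into a /32 as the cidr attribute requires, rejects malformed CIDRs, and audits the result for overly broad rules: all ports, all protocols and, as an extra check this example adds, an any-source 0.0.0.0/0 range. The function names, the rule-spec format and the sample values are this example's own; the dev-sg group, the sg-87654321 ID and the pl-12345678 prefix list are the placeholders used on the page.

```python
"""Build and sanity-check the --ip-permissions payload used by
authorize-security-group-ingress / authorize-security-group-egress.

Added example: this is not OUTSCALE's or AWS CLI's code. The JSON element
names follow the page; the helper names and the port-spec syntax accepted by
parse_ports are this example's own.
"""
import ipaddress
import json

# Port ranges the page warns against opening outright.
ALL_PORTS = {(0, 65535), (1, 65535)}


def parse_ports(spec, protocol):
    """Turn a Cockpit-style port field into (FromPort, ToPort) pairs.

    Accepts a single value ("22"), a dash range ("8000-8080"), several values
    separated by semicolons ("22;80"), "-1" for all ICMP types, and a
    "type-code" pair for ICMP ("8-0"), as described on the page.
    """
    pairs = []
    for part in spec.split(";"):
        part = part.strip()
        if part == "-1":
            pairs.append((-1, -1))
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if protocol in ("tcp", "udp") and not 0 <= lo <= hi <= 65535:
            raise ValueError(f"invalid {protocol} port range: {part!r}")
        if protocol == "icmp" and not (0 <= lo <= 255 and 0 <= hi <= 255):
            raise ValueError(f"invalid ICMP type/code: {part!r}")
        pairs.append((lo, hi))
    return pairs


def build_permissions(protocol, port_spec, cidrs=(), groups=(), prefix_lists=()):
    """Return one IpPermissions entry per port pair found in port_spec.

    cidrs: IPs or ranges in CIDR notation. A bare IP becomes a /32 as the
           page describes; a CIDR with host bits set is rejected (strict=True).
    groups: dicts carrying UserId / GroupName / GroupId of referenced groups.
    prefix_lists: PrefixListId values (the page lists these for egress only).
    """
    ip_ranges = [{"CidrIp": str(ipaddress.ip_network(c, strict=True))} for c in cidrs]
    permissions = []
    for lo, hi in parse_ports(port_spec, protocol):
        entry = {"IpProtocol": protocol, "FromPort": lo, "ToPort": hi}
        if ip_ranges:
            entry["IpRanges"] = ip_ranges
        if groups:
            entry["UserIdGroupPairs"] = [dict(g) for g in groups]
        if prefix_lists:
            entry["PrefixListIds"] = [{"PrefixListId": p} for p in prefix_lists]
        permissions.append(entry)
    return permissions


def audit(permissions):
    """Flag entries that defeat the point of a security group: every protocol,
    every TCP/UDP port, or an any-source CIDR (an extra check added here)."""
    findings = []
    for p in permissions:
        proto, lo, hi = p["IpProtocol"], p["FromPort"], p["ToPort"]
        if proto == "-1":
            findings.append("rule allows every protocol")
        elif proto in ("tcp", "udp") and (lo, hi) in ALL_PORTS:
            findings.append(f"{proto} rule opens all ports ({lo}-{hi})")
        for r in p.get("IpRanges", []):
            if ipaddress.ip_network(r["CidrIp"]).prefixlen == 0:
                findings.append(f"{proto} {lo}-{hi} reachable from any address ({r['CidrIp']})")
    return findings


def to_cli_argument(permissions):
    """Serialise for --ip-permissions (quote the result when pasting into a shell)."""
    return json.dumps(permissions)


if __name__ == "__main__":
    # Constructed sample: SSH from a private range, web ports from the page's
    # dev-sg example group, then a deliberately broad rule to exercise the audit.
    rules = build_permissions("tcp", "22", cidrs=["10.0.0.0/16"])
    rules += build_permissions("tcp", "80;443", groups=[
        {"UserId": "123456789000", "GroupName": "dev-sg", "GroupId": "sg-87654321"}])
    print(to_cli_argument(rules))
    broad = build_permissions("tcp", "1-65535", cidrs=["0.0.0.0/0"])
    for finding in audit(broad):
        print("WARNING:", finding)
```

Paste the printed JSON, inside quotes, as the value of --ip-permissions. The audit runs on the client side before the request is sent; it does not replace reviewing the rules that actually end up in the security group.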
Related Pages
Corresponding API Methods
AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.