Adding Rules to a Security Group

You can add rules for inbound flows to security groups. You can also add rules for outbound flows to security groups for use in a VPC.

Security group rules let you allow flows in a specified protocol and on specified ports, coming from either a single IP address or a range of IP addresses (public, private or External IP), or another security group. When you add a rule to a security group, it is automatically applied to all the instances the security group is associated with.

Adding Rules to a Security Group Using Cockpit

  1. Click Network/Security > Security Groups.

  2. Click the security group for which you want to add rules.
    The list of rules of the security group appears.

  3. Click Create Rule.
    The CREATE SECURITY GROUP RULE dialog box appears.

  4. To define a rule, choose the following information:

    • First field: The direction of flows (Inbound or Outbound). Outbound is available only if the security group is for a VPC.

    • Second field: The service (for example, SSH or HTTP). For more information about available services, see About Security Group Rules.

    • Third field: The IP protocol (TCP, UDP, ICMP, Any, or Custom), if applicable.

    • Fourth field: A custom IP protocol, if applicable. For more information about IP protocol numbers, see the IANA.org website.

    • Fifth field: The port numbers or ICMP types, if applicable. This can be:

      • A value

      • A range of values, separated by a dash

      • Multiple values, separated by semicolons

      • -1 for all ICMP types

        Avoid opening flows on all ports (1-65535), as doing so prevents you from effectively controlling them. Only open flows on the ports you need.

    • Sixth field: The target of the rule. This can be:

      • An IP address

      • A range of IP addresses in CIDR notation

      • Another security group, specified by ID or name

        If the button My IP does not work, check if a browser extension is blocking scripts on the page.

  5. When you are ready to add the rule, click .

    Repeat Steps 4-5 to add multiple rules at once.

  6. Click Create to validate.
    The rule or rules are added to the security group.

Adding Rules to a Security Group Using AWS CLI

Adding Inbound Flows Rules to a Security Group

To add one or more rules for inbound flows, use the authorize-security-group-ingress command following this syntax:

Request sample
$ aws ec2 authorize-security-group-ingress \
    --profile YOUR_PROFILE \
    --group-name my-security-group \
    [--group-id NOT_SPECIFIED] \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
                        { \
                        \"IpProtocol\": \"tcp\", \
                        \"FromPort\": 22, \
                        \"ToPort\": 22, \
                        \"IpRanges\": [ \
                                        { \
                                        \"CidrIp\": \"10.0.0.0/16\" \
                                        } \
                                      ], \
                        \"UserIdGroupPairs\": [ \
                                                { \
                                                \"UserId\": \"123456789000\", \
                                                \"GroupName\": \"dev-sg\", \
                                                \"GroupId\": \"sg-87654321\" \
                                                } \
                                              ] \
                        } \
                      ]" \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • (optional) group-name: The name of the security group, if you are in the public Cloud.

  • (optional) group-id: The ID of the security group.

    Among the following attributes, you need to specify either:

    • the protocol, port, and cidr attributes

    • the protocol, port, source-group, and group-owner attributes

    • the ip-permissions attribute

  • (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

  • (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).

  • (optional) cidr: The range of IP addresses you want to allow, in CIDR notation (/32 prefix for a single IP address).

  • (optional) source-group: The name or ID of the source security group from which you want to allow flows.

  • (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.

  • (optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:

    • (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

    • (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).

    • (optional) ToPort: The end of port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).

    • (optional) IpRanges: One or more IP ranges.

      • (optional) CidrIp: The range of IP addresses.

    • (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows from security groups of other accounts. This attribute contains the following elements that you need to specify:

      • (optional) UserId: The account ID of the owner of the referenced security group.

      • (optional) GroupName: The name of the referenced security group.

      • (optional) GroupId: The ID of the referenced security group.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The specified inbound rules are added to the security group.
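As an added example (not part of this page or of Outscale's tooling), the helper below turns the port syntax accepted by the Cockpit dialog in Step 4 (a value, a dash range, semicolon-separated values, -1 for all ICMP types) into the --ip-permissions JSON shown above, validates the CIDR targets, and flags the all-ports rules the page tells you to avoid. The function names and the checks are my own assumptions, not an Outscale API.

```python
import ipaddress

# Constructed helper (not Outscale's own tooling): turns the port syntax the
# Cockpit dialog accepts ("22", "8000-8100", "22;80;443", "-1" for all ICMP
# types) into the --ip-permissions JSON used by authorize-security-group-ingress
# and authorize-security-group-egress, and flags rules that open all ports.


def parse_ports(spec):
    """Return (FromPort, ToPort) pairs from a Cockpit-style port specification."""
    pairs = []
    for item in spec.split(";"):
        item = item.strip()
        if item == "-1":              # all ICMP types / codes
            pairs.append((-1, -1))
            continue
        lo, _, hi = item.partition("-")
        lo, hi = int(lo), (int(hi) if hi else int(lo))
        if not 0 <= lo <= hi <= 65535:
            raise ValueError("invalid port or range: %r" % item)
        pairs.append((lo, hi))
    return pairs


def build_ip_permissions(protocol, spec, cidrs=(), group_pairs=()):
    """One permission entry per port value or range; cidrs are validated with
    the ipaddress module (a single address must use a /32 prefix or no prefix)."""
    for cidr in cidrs:
        ipaddress.ip_network(cidr)    # raises ValueError on a malformed CIDR
    perms = []
    for lo, hi in parse_ports(spec):
        entry = {"IpProtocol": protocol, "FromPort": lo, "ToPort": hi}
        if cidrs:
            entry["IpRanges"] = [{"CidrIp": c} for c in cidrs]
        if group_pairs:               # e.g. {"UserId": ..., "GroupId": ...}
            entry["UserIdGroupPairs"] = [dict(p) for p in group_pairs]
        perms.append(entry)
    return perms


def overly_broad(perms):
    """Entries the page tells you to avoid: all ports (1-65535 or wider), or
    every protocol (-1), which implies every port."""
    return [p for p in perms
            if p["IpProtocol"] == "-1"
            or (p["FromPort"] <= 1 and p["ToPort"] >= 65535)]
```

Pass `json.dumps(perms)` as the value of --ip-permissions (quoted for the shell); run `overly_broad` on the list first and review anything it returns before sending the request.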

(VPC only) Adding Outbound Flows Rules to a Security Group

To add one or more rules for outbound flows, use the authorize-security-group-egress command following this syntax:

Request sample
$ aws ec2 authorize-security-group-egress \
    --profile YOUR_PROFILE \
    --group-id my-security-group \
    [--protocol NOT_SPECIFIED] \
    [--port NOT_SPECIFIED] \
    [--cidr NOT_SPECIFIED] \
    [--source-group NOT_SPECIFIED] \
    [--group-owner NOT_SPECIFIED] \
    --ip-permissions "[ \
                        { \
                        \"IpProtocol\": \"tcp\", \
                        \"FromPort\": 22, \
                        \"ToPort\": 22, \
                        \"IpRanges\": [ \
                                        { \
                                        \"CidrIp\": \"10.0.0.0/16\" \
                                        } \
                                      ], \
                        \"UserIdGroupPairs\": [ \
                                                { \
                                                \"UserId\": \"123456789000\", \
                                                \"GroupName\": \"dev-sg\", \
                                                \"GroupId\": \"sg-87654321\" \
                                                } \
                                              ], \
                        \"PrefixListIds\": [ \
                                             { \
                                             \"PrefixListId\": \"pl-12345678\" \
                                             } \
                                           ] \
                        } \
                      ]" \
    --endpoint https://fcu.eu-west-2.outscale.com

This command contains the following attributes that you need to specify:

  • (optional) profile: The named profile you want to use, created when configuring AWS CLI. For more information, see Installing and Configuring AWS CLI.

  • group-id: The ID of the security group.

    Among the following attributes, you need to specify either:

    • the protocol, port, and cidr attributes

    • the protocol, port, source-group, and group-owner attributes

    • the ip-permissions attribute

  • (optional) protocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

  • (optional) port: The port as a single integer or range of ports in the min-max format for TCP and UDP protocols, or an ICMP type number and code in the type-code format (-1 to indicate all ICMP types).

  • (optional) cidr: The range of IP addresses you want to allow, in CIDR notation (/32 prefix for a single IP address).

  • (optional) source-group: The name or ID of the source security group from which you want to allow flows.

  • (optional) group-owner: The account ID of the owner of the source security group, if it belongs to another account.

  • (optional) ip-permissions: A set of permissions that can be used to add several rules in the same request. This attribute contains the following elements that you need to specify:

    • (optional) IpProtocol: The IP protocol name (tcp, udp, icmp, or -1 for all protocols). By default, -1. In a VPC, this can also be an IP protocol number. For more information, see the IANA.org website.

    • (optional) FromPort: The beginning of the port range for the TCP and UDP protocols, or an ICMP type number (-1 to indicate all ICMP types).

    • (optional) ToPort: The end of the port range for the TCP and UDP protocols, or an ICMP code number (-1 to indicate all ICMP codes).

    • (optional) IpRanges: One or more IP ranges.

      • (optional) CidrIp: The range of IP addresses.

    • (optional) UserIdGroupPairs: Information about one or more accounts and security groups to allow flows to security groups of other accounts. This attribute contains the following elements that you need to specify:

      • (optional) UserId: The account ID of the owner of the referenced security group.

      • (optional) GroupName: The name of the referenced security group.

      • (optional) GroupId: The ID of the referenced security group.

    • (optional) PrefixListIds: One or more prefix list IDs. For more information, see Getting Information About Prefix Lists.

      • (optional) PrefixListId: The ID of a prefix list.

  • endpoint: The endpoint corresponding to the Region you want to send the request to.

The specified outbound rules are added to the security group.


AWS™ and Amazon Web Services™ are trademarks of Amazon Technologies, Inc or its affiliates in the United States and/or other countries.