The AWS::EC2::SecurityGroupIngress type adds an ingress rule to an Amazon EC2 or VPC security group.
This type supports updates. For more information about updating stacks, see Updating AWS CloudFormation Stacks.
For more information about adding ingress rules to Amazon EC2 or VPC security groups, go to AuthorizeSecurityGroupIngress in the Amazon Elastic Compute Cloud API Reference.
{
"GroupName" : String,
"GroupId" : String,
"IpProtocol" : String,
"CidrIp" : String,
"SourceSecurityGroupName" : String,
"SourceSecurityGroupId" : String,
"SourceSecurityGroupOwnerId" : String,
"FromPort" : Number,
"ToPort" : Number
}
GroupName
Name of the EC2 security group to modify. This value can be a reference to an AWS::EC2::SecurityGroup resource or the name of an existing EC2 security group.
Type: String
Required: Can be used instead of GroupId for EC2 security groups.
Update requires: no interruption
GroupId
ID of the EC2 or VPC security group to modify. The group must belong to your account.
Type: String
Required: Yes, for VPC security groups; can be used instead of GroupName for EC2 security groups
Update requires: no interruption
IpProtocol
IP protocol name or number. For valid values, see the IpProtocol parameter in AuthorizeSecurityGroupIngress.
Type: String
Required: Yes
Update requires: no interruption
CidrIp
Specifies a CIDR range.
For an overview of CIDR ranges, go to the Wikipedia Tutorial.
Condition: If you specify SourceSecurityGroupName, do not specify CidrIp.
Type: String
Required: Conditional—if you specify SourceSecurityGroupName, do not specify CidrIp.
Update requires: no interruption
SourceSecurityGroupName
Specifies the name of the Amazon EC2 security group that is allowed access, or uses the Ref intrinsic function to refer to the logical name of a security group defined in the same template.
Type: String
Required: Conditional—if you specify CidrIp, do not specify SourceSecurityGroupName.
Update requires: no interruption
SourceSecurityGroupId
Specifies the ID of the source security group, or uses the Ref intrinsic function to refer to the logical ID of a security group defined in the same template.
Condition: If you specify CidrIp, do not specify SourceSecurityGroupId.
Type: String
Required: Conditional—if you specify CidrIp, do not specify SourceSecurityGroupId.
Update requires: no interruption
SourceSecurityGroupOwnerId
Specifies the AWS account ID of the owner of the Amazon EC2 security group specified in the SourceSecurityGroupName property.
Type: String
Required: Conditional—if you specify SourceSecurityGroupName and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.
Update requires: no interruption
FromPort
Start of port range for the TCP and UDP protocols, or an ICMP type number. An ICMP type number of -1 indicates a wildcard (i.e., any ICMP type number).
Type: String
Required: Yes, for ICMP and any protocol that uses ports.
Update requires: no interruption
ToPort
End of port range for the TCP and UDP protocols, or an ICMP code. An ICMP code of -1 indicates a wildcard (i.e., any ICMP code).
Type: String
Required: Yes, for ICMP and any protocol that uses ports.
Update requires: no interruption
EC2 Security Group and Ingress Rule
To create an Amazon EC2 (non-VPC) security group and an ingress rule, use the SourceSecurityGroupName property in the ingress rule.
The following template snippet creates an EC2 security group with an ingress rule that allows incoming traffic on port 80 from any other host in the security group. The snippet uses the intrinsic function Ref to specify the value for SourceSecurityGroupName.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SGBase": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"GroupDescription": "Base Security Group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": "22",
"ToPort": "22"
}
]
}
},
"SGBaseIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupName": { "Ref": "SGBase" },
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupName": { "Ref": "SGBase" }
}
}
}
}
VPC Security Group and Ingress Rule
To create an Amazon VPC security group and an ingress rule:
Specify the VpcId property in the security group.
Use the SourceSecurityGroupId property in the ingress rule.
The following template snippet creates a VPC security group with an ingress rule that allows incoming traffic on port 80 from any other host in the security group. The snippet uses the intrinsic function Ref to specify the value for SourceSecurityGroupId.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Resources": {
"SGBase": {
"Type": "AWS::EC2::SecurityGroup",
"Properties": {
"VpcId" : "vpc-12345678",
"GroupDescription": "Base Security Group",
"SecurityGroupIngress": [
{
"IpProtocol": "tcp",
"CidrIp": "0.0.0.0/0",
"FromPort": "22",
"ToPort": "22"
}
]
}
},
"SGBaseIngress": {
"Type": "AWS::EC2::SecurityGroupIngress",
"Properties": {
"GroupId": { "Ref": "SGBase" },
"IpProtocol": "tcp",
"FromPort": "80",
"ToPort": "80",
"SourceSecurityGroupId": { "Ref": "SGBase" }
}
}
}
}
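The conditional rules in the property reference above (exactly one of CidrIp, SourceSecurityGroupName or SourceSecurityGroupId; GroupId or GroupName on a standalone ingress resource; FromPort and ToPort for TCP, UDP and ICMP) are easy to violate in a large template, and CloudFormation only reports the problem at stack creation time. Both snippets on this page also open port 22 to 0.0.0.0/0, which is the kind of rule a reviewer wants surfaced before deployment. The following Python linter is an added example and not AWS tooling or code from this page: it parses a CloudFormation JSON template, applies those property rules to every AWS::EC2::SecurityGroupIngress resource and to the inline SecurityGroupIngress list of each AWS::EC2::SecurityGroup, and flags any rule whose CidrIp is 0.0.0.0/0. The embedded sample template is constructed for the example (the page's VPC snippet plus one deliberately malformed resource named BadIngress), and the function names check_ingress and lint_template are assumptions.

```python
import json

# Constructed sample template for this example (not the page's own): the VPC snippet
# from the page plus one deliberately malformed ingress resource, "BadIngress", which
# sets both CidrIp and SourceSecurityGroupId and omits FromPort/ToPort.
SAMPLE_TEMPLATE = json.dumps({
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SGBase": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "VpcId": "vpc-12345678",
                "GroupDescription": "Base Security Group",
                "SecurityGroupIngress": [
                    {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0",
                     "FromPort": "22", "ToPort": "22"}
                ]
            }
        },
        "SGBaseIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "SGBase"},
                "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
                "SourceSecurityGroupId": {"Ref": "SGBase"}
            }
        },
        "BadIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupId": {"Ref": "SGBase"},
                "IpProtocol": "tcp",
                "CidrIp": "10.0.0.0/8",
                "SourceSecurityGroupId": {"Ref": "SGBase"}
            }
        }
    }
})

# Exactly one of these must identify the traffic source.
SOURCE_KEYS = ("CidrIp", "SourceSecurityGroupName", "SourceSecurityGroupId")
# Protocols for which the property reference requires FromPort/ToPort
# (port range for tcp/udp, ICMP type/code for icmp); numeric aliases included.
PORTED_PROTOCOLS = {"tcp", "udp", "icmp", "6", "17", "1"}


def check_ingress(logical_id, props, inline=False):
    """Return a list of findings (strings) for one ingress rule.

    inline=True means the rule lives in a security group's own SecurityGroupIngress
    list, where the target group is implied and GroupName/GroupId are not required.
    """
    findings = []
    present = [k for k in SOURCE_KEYS if k in props]
    if len(present) != 1:
        findings.append(f"{logical_id}: exactly one of {'/'.join(SOURCE_KEYS)} "
                        f"is required, found {present}")
    if not inline and "GroupId" not in props and "GroupName" not in props:
        findings.append(f"{logical_id}: GroupId (VPC) or GroupName (EC2) is required")
    if "SourceSecurityGroupOwnerId" in props and "SourceSecurityGroupName" not in props:
        findings.append(f"{logical_id}: SourceSecurityGroupOwnerId only applies "
                        f"together with SourceSecurityGroupName")
    proto = str(props.get("IpProtocol", "")).lower()
    if not proto:
        findings.append(f"{logical_id}: IpProtocol is required")
    elif proto in PORTED_PROTOCOLS:
        missing = [k for k in ("FromPort", "ToPort") if k not in props]
        if missing:
            findings.append(f"{logical_id}: {', '.join(missing)} required for protocol {proto}")
    # Risk finding, not a syntax error: a world-open CIDR deserves explicit review.
    if props.get("CidrIp") == "0.0.0.0/0":
        findings.append(f"{logical_id}: CidrIp 0.0.0.0/0 exposes {proto} "
                        f"{props.get('FromPort')}-{props.get('ToPort')} to every IPv4 "
                        f"address; narrow the CIDR or use a source security group")
    return findings


def lint_template(template_text):
    """Parse a CloudFormation JSON template and lint every ingress rule it declares."""
    template = json.loads(template_text)
    findings = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype = resource.get("Type")
        props = resource.get("Properties", {})
        if rtype == "AWS::EC2::SecurityGroupIngress":
            findings.extend(check_ingress(logical_id, props))
        elif rtype == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
                findings.extend(check_ingress(
                    f"{logical_id}.SecurityGroupIngress[{i}]", rule, inline=True))
    return findings


if __name__ == "__main__":
    for line in lint_template(SAMPLE_TEMPLATE):
        print(line)
```

Run against the sample, the linter reports three findings: the inline port 22 rule on SGBase is open to 0.0.0.0/0, and BadIngress both mixes CidrIp with SourceSecurityGroupId and lacks FromPort/ToPort; the well-formed SGBaseIngress resource produces nothing. The port checks key off the protocol because, per the property reference, FromPort/ToPort are only required for ICMP and port-based protocols, so a rule with IpProtocol "-1" (all traffic) is not wrongly flagged for missing ports.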