AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::EC2::SecurityGroupIngress

The AWS::EC2::SecurityGroupIngress type adds an ingress rule to an Amazon EC2 or VPC security group.

This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

For more information about adding ingress rules to Amazon EC2 or VPC security groups, go to AuthorizeSecurityGroupIngress in the Amazon Elastic Compute Cloud API Reference.

Note

You should use AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress only when necessary, typically to allow security groups to reference each other in ingress and egress rules. Otherwise, you should use internal ingress and egress rules. For more information, see Amazon EC2 Security Groups.

Syntax

{
   "GroupName" : String,
   "GroupId" : String,
   "IpProtocol" : String,
   "CidrIp" : String,
   "SourceSecurityGroupName" : String,
   "SourceSecurityGroupId" : String,
   "SourceSecurityGroupOwnerId" : String,
   "FromPort" : Number,
   "ToPort" : Number
}

Properties

Important

After you create an AWS::EC2::SecurityGroupIngress resource, you cannot update its properties. Instead, you must define a new AWS::EC2::SecurityGroupIngress resource with the properties that you want, remove the old AWS::EC2::SecurityGroupIngress resource, and then update your AWS CloudFormation stack.

GroupName

Name of the EC2 security group to modify. This value can be a reference to an AWS::EC2::SecurityGroup resource or the name of an existing EC2 security group.

Type: String

Required: Can be used instead of GroupId for EC2 security groups.

GroupId

ID of the EC2 or VPC security group to modify. The group must belong to your account.

Type: String

Required: Yes, for VPC security groups; can be used instead of GroupName for EC2 security groups

IpProtocol

IP protocol name or number. For valid values, see the IpProtocol parameter in AuthorizeSecurityGroupIngress.

Type: String

Required: Yes

CidrIp

Specifies a CIDR range.

For an overview of CIDR ranges, go to the Wikipedia Tutorial.

Condition: If you specify SourceSecurityGroupName, do not specify CidrIp.

Type: String

Required: Conditional—if you specify SourceSecurityGroupName, do not specify CidrIp.

SourceSecurityGroupName

Specifies the name of the Amazon EC2 Security Group to allow access or uses the Ref intrinsic function to refer to the logical name of a security group defined in the same template. For instances in a VPC, specify the SourceSecurityGroupId property.

Type: String

Required: Conditional—if you specify CidrIp, do not specify SourceSecurityGroupName.

SourceSecurityGroupId

Specifies the ID of the source Security Group or uses the Ref intrinsic function to refer to the logical ID of a security group defined in the same template.

Condition: If you specify CidrIp, do not specify SourceSecurityGroupId.

Type: String

Required: Conditional—if you specify CidrIp, do not specify SourceSecurityGroupId.

SourceSecurityGroupOwnerId

Specifies the AWS Account ID of the owner of the Amazon EC2 Security Group specified in the SourceSecurityGroupName property.

Type: String

Required: Conditional—if you specify SourceSecurityGroupName and that security group is owned by a different account than the account creating the stack, you must specify the SourceSecurityGroupOwnerId; otherwise, this property is optional.

FromPort

Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).

Type: String

Required: Yes, for ICMP and any protocol that uses ports.

ToPort

End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).

Type: String

Required: Yes, for ICMP and any protocol that uses ports.

Examples

EC2 Security Group and Ingress Rule

To create an Amazon EC2 (non-VPC) security group and an ingress rule, use the SourceSecurityGroupName property in the ingress rule.

The following template snippet creates an EC2 security group with an ingress rule that allows incoming traffic on port 80 from any other host in the security group. The snippet uses the intrinsic function Ref to specify the value for SourceSecurityGroupName.

{
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SGBase": {
            "Type": "AWS::EC2::SecurityGroup",
            "Properties": {
                "GroupDescription": "Base Security Group",
                "SecurityGroupIngress": [
                    {
                        "IpProtocol": "tcp",
                        "CidrIp": "0.0.0.0/0",
                        "FromPort": "22",
                        "ToPort": "22"
                    }
                ]
            }
        },
        "SGBaseIngress": {
            "Type": "AWS::EC2::SecurityGroupIngress",
            "Properties": {
                "GroupName": { "Ref": "SGBase" },
                "IpProtocol": "tcp",
                "FromPort": "80",
                "ToPort": "80",
                "SourceSecurityGroupName": { "Ref": "SGBase" }
            }
        }
    }
}

VPC Security Group and Ingress Rule

To create an Amazon VPC security group and an ingress rule:

  • Specify the VpcId property in the security group.

  • Use the SourceSecurityGroupId property in the ingress rule.

The following template snippet creates a VPC security group with an ingress rule that allows incoming traffic on port 80 from any other host in the security group. The snippet uses the intrinsic function Ref to specify the value for SourceSecurityGroupId.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SGBase": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId" : "vpc-12345678",
        "GroupDescription": "Base Security Group",
        "SecurityGroupIngress": [
          {
            "IpProtocol": "tcp",
            "CidrIp": "0.0.0.0/0",
            "FromPort": "22",
            "ToPort": "22"
          }
        ]
      }
    },
    "SGBaseIngress": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "GroupId": { "Ref": "SGBase" },
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "SourceSecurityGroupId": { "Ref": "SGBase" }
      }
    }
  }
}

Allow Ping Requests

To allow ping requests, add the ICMP protocol type and specify 8 (echo request) for the ICMP type and either 0 or -1 (all) for the ICMP code.

"SGPing" : {
  "Type" : "AWS::EC2::SecurityGroup",
  "DependsOn": "VPC",
  "Properties" : {
    "GroupDescription" : "SG to test ping",
    "VpcId" : {"Ref" : "VPC"},
    "SecurityGroupIngress" : [ 
      { "IpProtocol" : "tcp", "FromPort" : "22", "ToPort" : "22", "CidrIp" : "10.0.0.0/24" },
      { "IpProtocol" : "icmp", "FromPort" : "8", "ToPort" : "-1", "CidrIp" : "10.0.0.0/24" }
    ]
  }
}
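The property constraints listed above (GroupId versus GroupName, CidrIp versus SourceSecurityGroupName/Id, FromPort and ToPort for tcp, udp and icmp) are easy to get wrong in a hand-written template, and the 0.0.0.0/0 port 22 rule that appears in the examples is the kind of exposure a reviewer should catch before a stack update. The following Python script is an added example, not code from this guide or from AWS: it walks a template's Resources, applies the documented rules to every standalone AWS::EC2::SecurityGroupIngress resource and every inline SecurityGroupIngress entry, and reports errors (constraint violations) and warnings (world-reachable ingress). The sample template and the SGBrokenIngress resource are constructed for the example, modeled on the VPC and ping snippets above.

```python
"""Check AWS::EC2::SecurityGroupIngress rules in a CloudFormation template (added example)."""
import ipaddress
import json

# Protocol names/numbers that carry a port range (tcp, udp) or an ICMP type/code (icmp).
PORTED_PROTOCOLS = {"tcp", "6", "udp", "17"}
ICMP_PROTOCOLS = {"icmp", "1"}
SOURCE_PROPS = ("SourceSecurityGroupName", "SourceSecurityGroupId")


def _referenced_resource(value, resources):
    """If value is {"Ref": logicalId} pointing at a template resource, return that resource."""
    if isinstance(value, dict) and "Ref" in value:
        return resources.get(value["Ref"])
    return None


def check_ingress_rule(logical_id, props, resources, standalone=True):
    """Return [(logical_id, severity, message)] for one ingress rule.

    standalone=True: an AWS::EC2::SecurityGroupIngress resource (needs GroupId or GroupName).
    standalone=False: an inline entry of a security group's SecurityGroupIngress list.
    'error' = violates the documented constraints; 'warn' = valid but risky exposure.
    """
    findings = []
    error = lambda msg: findings.append((logical_id, "error", msg))
    warn = lambda msg: findings.append((logical_id, "warn", msg))

    if standalone:
        if "GroupId" not in props and "GroupName" not in props:
            error("one of GroupId or GroupName is required")
        # A security group created with VpcId is a VPC group: it must be addressed by GroupId.
        target = _referenced_resource(props.get("GroupName"), resources)
        if target is not None and "VpcId" in target.get("Properties", {}):
            error("GroupName points at a VPC security group; VPC groups require GroupId")

    proto = str(props.get("IpProtocol", "")).lower()
    if not proto:
        error("IpProtocol is required")

    has_cidr = "CidrIp" in props
    has_source = any(p in props for p in SOURCE_PROPS)
    if has_cidr and has_source:
        error("CidrIp is mutually exclusive with SourceSecurityGroupName/SourceSecurityGroupId")
    elif not has_cidr and not has_source:
        error("a source is required: CidrIp or SourceSecurityGroupName/SourceSecurityGroupId")

    network = None
    if has_cidr:
        try:
            network = ipaddress.ip_network(props["CidrIp"], strict=False)
        except ValueError:
            error(f"CidrIp {props['CidrIp']!r} is not a valid CIDR range")

    if proto in PORTED_PROTOCOLS or proto in ICMP_PROTOCOLS:
        try:
            lo, hi = int(props["FromPort"]), int(props["ToPort"])
        except (KeyError, TypeError, ValueError):
            error("FromPort and ToPort are required (and must be numeric) for tcp, udp and icmp")
        else:
            if proto in PORTED_PROTOCOLS and not (0 <= lo <= hi <= 65535):
                error(f"port range {lo}-{hi} is not a valid TCP/UDP range")
            if proto in ICMP_PROTOCOLS and (lo < -1 or hi < -1):
                error("ICMP type/code must be -1 (any) or a non-negative number")
            # Exposure check: a port-bearing rule reachable from any address (prefix length 0).
            if network is not None and network.prefixlen == 0 and proto in PORTED_PROTOCOLS:
                warn(f"{proto} {lo}-{hi} is open to {props['CidrIp']}; restrict the source")
    return findings


def check_template(template):
    """Run check_ingress_rule over every standalone and inline ingress rule in a template."""
    resources = template.get("Resources", {})
    findings = []
    for logical_id, res in resources.items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            findings += check_ingress_rule(logical_id, props, resources, standalone=True)
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupIngress", [])):
                findings += check_ingress_rule(f"{logical_id}[{i}]", rule, resources, standalone=False)
    return findings


# Constructed sample template: the page's VPC example plus a ping rule and one broken rule.
SAMPLE_TEMPLATE = json.loads("""{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SGBase": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
      "VpcId": "vpc-12345678", "GroupDescription": "Base Security Group",
      "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0", "FromPort": "22", "ToPort": "22"},
        {"IpProtocol": "icmp", "CidrIp": "10.0.0.0/24", "FromPort": "8", "ToPort": "-1"}]}},
    "SGBaseIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupId": {"Ref": "SGBase"}, "IpProtocol": "tcp", "FromPort": "80", "ToPort": "80",
      "SourceSecurityGroupId": {"Ref": "SGBase"}}},
    "SGBrokenIngress": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
      "GroupName": {"Ref": "SGBase"}, "IpProtocol": "tcp",
      "CidrIp": "10.0.0.0/8", "SourceSecurityGroupId": {"Ref": "SGBase"}}}
  }
}""")

if __name__ == "__main__":
    for logical_id, severity, message in check_template(SAMPLE_TEMPLATE):
        print(f"{severity:5} {logical_id}: {message}")
```

Run against the sample, the script reports one warning for the inline port 22 rule on SGBase, nothing for SGBaseIngress (a valid VPC rule using GroupId and SourceSecurityGroupId) or for the ICMP ping rule, and three errors for SGBrokenIngress: GroupName used on a VPC group, CidrIp combined with SourceSecurityGroupId, and a tcp rule without FromPort/ToPort. Port range checks are skipped for protocols other than tcp, udp and icmp, matching the "Required: Yes, for ICMP and any protocol that uses ports" rule above.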