Menu
Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)

AuthorizeSecurityGroupIngress

Adds one or more ingress rules to a security group.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

[EC2-Classic] This action gives one or more IPv4 CIDR address ranges permission to access a security group in your account, or gives one or more security groups (called the source groups) permission to access a security group for your account. A source group can be for your own AWS account, or another. You can have up to 100 rules per group.

[EC2-VPC] This action gives one or more IPv4 or IPv6 CIDR address ranges permission to access a security group in your VPC, or gives one or more other security groups (called the source groups) permission to access a security group for your VPC. The security groups must all be for the same VPC or a peer VPC in a VPC peering connection. For more information about VPC security group limits, see Amazon VPC Limits.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.

CidrIp

The CIDR IPv4 address range. You can't specify this parameter when specifying a source security group.

Type: String

Required: No

DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No

FromPort

The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. For the ICMP/ICMPv6 type number, use -1 to specify all types.

Type: Integer

Required: No

GroupId

The ID of the security group. Required for a nondefault VPC.

Type: String

Required: No

GroupName

[EC2-Classic, default VPC] The name of the security group.

Type: String

Required: No

IpPermissions.N

A set of IP permissions. Can be used to specify multiple rules in a single command.

Type: Array of IpPermission objects

Required: No

IpProtocol

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). (VPC only) Use -1 to specify all protocols. If you specify -1, or a protocol number other than tcp, udp, icmp, or 58 (ICMPv6), traffic on all ports is allowed, regardless of any ports you specify. For tcp, udp, and icmp, you must specify a port range. For protocol 58 (ICMPv6), you can optionally specify a port range; if you don't, traffic for all types and codes is allowed.

Type: String

Required: No

SourceSecurityGroupName

[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For EC2-VPC, the source security group must be in the same VPC.

Type: String

Required: No

SourceSecurityGroupOwnerId

[EC2-Classic] The AWS account number for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead.

Type: String

Required: No

ToPort

The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code number. For the ICMP/ICMPv6 code number, use -1 to specify all codes.

Type: Integer

Required: No

Response Elements

The following elements are returned by the service.

requestId

The ID of the request.

Type: String

return

Is true if the request succeeds, and an error otherwise.

Type: Boolean

Errors

For information about the errors that are common to all actions, see Common Errors.

Examples

Example 1

[EC2-Classic] This example request grants TCP port 80 access from the 192.0.2.0/24 and 198.51.100.0/24 IPv4 address ranges to the security group in EC2-Classic named websrv.

Sample Request

Copy
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupName=websrv &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=80 &IpPermissions.1.ToPort=80 &IpPermissions.1.IpRanges.1.CidrIp=192.0.2.0/24 &IpPermissions.1.IpRanges.2.CidrIp=198.51.100.0/24 &AUTHPARAMS

Example 2

[EC2-Classic, default VPC] This example request grants full ICMP, UDP, and TCP access from a source group called webserver1 (in AWS account 123456789012) to a security group in your account with the ID sg-1a2b3c4d. For EC2-VPC, the group owner ID parameter is not required, and the source security group must be in the same VPC. For an example of granting access to specific protocols and ports, see example 3.

Sample Request

Copy
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupId=sg-1a2b3c4d &SourceSecurityGroupOwnerId=123456789012 &SourceSecurityGroupName=webserver1 &AUTHPARAMS

Example 3

[EC2-Classic, default VPC] This example request grants TCP port 80 access from the source group named OtherAccountGroup (in AWS account 123456789012) to the security group named websrv. For EC2-VPC, the user ID parameter is not required, and the source security group must be in the same VPC.

Sample Request

Copy
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupName=websrv &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=80 &IpPermissions.1.ToPort=80 &IpPermissions.1.Groups.1.GroupName=OtherAccountGroup &IpPermissions.1.Groups.1.UserId=123456789012 &AUTHPARAMS

Example 4

[EC2-VPC] This example request grants TCP port 80 access from the source group sg-2a2b3c4d to the security group sg-1a2b3c4d. In EC2-VPC, you must use the security group IDs in a request, not the security group names. The source security group must be in the same VPC or in a peer VPC (requires a VPC peering connection).

Sample Request

Copy
https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupId=sg-1a2b3c4d &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=80 &IpPermissions.1.ToPort=80 &IpPermissions.1.Groups.1.GroupId=sg-2a2b3c4d &AUTHPARAMS

Example 5

[EC2-Classic, default VPC] This example request grants your local system the ability to use SSH (port 22) to connect to any instance in the security group named default. For a nondefault VPC, use the GroupId parameter instead.

Sample Request

Copy
https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &GroupName=default &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=22 &IpPermissions.1.ToPort=22 &IpPermissions.1.IpRanges.1.CidrIp=your-local-system's-public-ip-address/32 &AUTHPARAMS

Example 6

[EC2-Classic, default VPC] This example request grants your local system the ability to use Remote Desktop (port 3389) to connect to any instance in the security group named default. For a nondefault VPC, use the GroupId parameter instead.

Sample Request

Copy
https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &GroupName=default &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=3389 &IpPermissions.1.ToPort=3389 &IpPermissions.1.IpRanges.1.CidrIp=your-local-system's-public-ip-address/32

Example 7

[EC2-VPC] This example grants SSH access (port 22) from the IPv6 range 2001:db8:1234:1a00::/64.

Sample Request

Copy
https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &GroupId=sg-1a2b3c4d &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=22 &IpPermissions.1.ToPort=22 &IpPermissions.1.Ipv6Ranges.1.CidrIpv6=2001:db8:1234:1a00::/64 &AUTHPARAMS

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: