Amazon Elastic Compute Cloud
API Reference (API Version 2013-02-01)

AuthorizeSecurityGroupIngress

Description

Adds one or more ingress rules to a security group.

Important

EC2-Classic: You can have up to 100 rules per group.

EC2-VPC: You can have up to 50 rules per group (covering both ingress and egress rules).

A security group is for use with instances either in the EC2-Classic platform or in a specific VPC. For more information, see Amazon EC2 Security Groups in the Amazon Elastic Compute Cloud User Guide and Security Groups for Your VPC in the Amazon Virtual Private Cloud User Guide.

[EC2-Classic] This action gives one or more CIDR IP address ranges permission to access a security group in your account, or gives one or more security groups (called the source groups) permission to access a security group in your account. A source group can belong to your own AWS account or to another account.

[EC2-VPC] This action gives one or more CIDR IP address ranges permission to access a security group in your VPC, or gives one or more other security groups (called the source groups) permission to access a security group for your VPC. The security groups must all be for the same VPC.

Each rule consists of the protocol (for example, TCP), plus either a CIDR range or a source group. For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

Request Parameters

UserId

Deprecated

Required: No

GroupId

The ID of the security group to modify. The security group must belong to your account.

Type: String

Default: None

Required: Conditional

Condition: Required for EC2-VPC; for EC2-Classic, can be used instead of GroupName.

GroupName

The name of the security group to modify.

Type: String

Default: None

Required: Conditional

Condition: For EC2-Classic, can be used instead of GroupId.

IpPermissions.n.IpProtocol

The IP protocol name or number (see Protocol Numbers). For EC2-Classic, security groups can have rules only for TCP, UDP, and ICMP. For EC2-VPC, security groups can have rules assigned to any protocol number.

When you call DescribeSecurityGroups, the protocol value returned is the number. Exception: For TCP, UDP, and ICMP, the value returned is the name (for example, tcp, udp, or icmp).

Type: String

Valid values for EC2-Classic: tcp | udp | icmp or the corresponding protocol number (6 | 17 | 1).

Valid values for EC2-VPC: tcp | udp | icmp or any protocol number (see Protocol Numbers). Use -1 to specify all.

Required: Yes

IpPermissions.n.FromPort

The start of the port range for the TCP and UDP protocols, or the ICMP type number. For the ICMP type number, you can use -1 to specify all ICMP types.

Type: Integer

Default: None

Required: Conditional

Condition: Required for ICMP and any protocol that uses ports

IpPermissions.n.ToPort

The end of the port range for the TCP and UDP protocols, or the ICMP code number. For the ICMP code number, you can use -1 to specify all ICMP codes for the given ICMP type.

Type: Integer

Default: None

Required: Conditional

Condition: Required for ICMP and any protocol that uses ports

IpPermissions.n.Groups.m.UserId

The AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Required: Conditional

Condition: For security groups in EC2-Classic only. Required if modifying access for one or more source security groups.

IpPermissions.n.Groups.m.GroupName

The name of the source security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Required: Conditional

Condition: Required if modifying access for one or more source security groups.

IpPermissions.n.Groups.m.GroupId

The ID of the source security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Required: Conditional

Condition: For EC2-VPC only. Required if modifying access for one or more source security groups.

IpPermissions.n.IpRanges.m.CidrIp

The CIDR range. Cannot be used when specifying a source security group.

Type: String

Default: None

Constraints: Valid CIDR IP address range.

Required: Conditional

Condition: Required if modifying access for one or more IP address ranges.
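The parameter scheme above is easy to get subtly wrong (ports omitted for TCP, a CIDR and a source group in the same rule, a protocol number sent to an EC2-Classic group). The following Python is an added example, not code from the AWS documentation: it serialises rules into the IpPermissions.n.* parameters exactly as described above and rejects requests that violate the conditions the page states (port requirements, CIDR-or-group exclusivity, Classic protocol restriction, Classic UserId+GroupName versus VPC GroupId, and the 100/50 per-group rule limits). The rule dict keys (protocol, from_port, to_port, cidrs, groups, user_id, group_name, group_id), the function names, and the explicit Version parameter are this example's own conventions; the authentication parameters (AUTHPARAMS) are left out.

```python
import ipaddress
from urllib.parse import urlencode

ACTION = "AuthorizeSecurityGroupIngress"
API_VERSION = "2013-02-01"   # common Query API parameter; folded into AUTHPARAMS in the page's examples
CLASSIC_PROTOCOLS = {"tcp": "6", "udp": "17", "icmp": "1"}
MAX_RULES = {"classic": 100, "vpc": 50}   # per-group limits stated on this page


def _normalize_protocol(proto, platform):
    proto = str(proto).lower()
    if proto in CLASSIC_PROTOCOLS or proto in CLASSIC_PROTOCOLS.values():
        return proto
    if platform == "classic":
        raise ValueError(f"EC2-Classic allows only tcp/udp/icmp, got {proto!r}")
    if proto == "-1" or proto.isdigit():
        return proto                    # EC2-VPC: any protocol number; -1 means all
    raise ValueError(f"unrecognised protocol {proto!r}")


def _check_ports(proto, lo, hi):
    if proto in ("icmp", "1"):          # FromPort is the ICMP type, ToPort the code; -1 means all
        if not all(-1 <= v <= 255 for v in (lo, hi)):
            raise ValueError(f"ICMP type/code out of range: {lo}/{hi}")
    elif not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range {lo}-{hi}")


def encode_rule(n, rule, platform):
    """Map one rule dict onto the IpPermissions.n.* parameters."""
    proto = _normalize_protocol(rule["protocol"], platform)
    p = f"IpPermissions.{n}"
    params = {f"{p}.IpProtocol": proto}

    if proto in ("tcp", "udp", "icmp", "6", "17", "1"):
        if "from_port" not in rule or "to_port" not in rule:
            raise ValueError("FromPort and ToPort are required for TCP, UDP and ICMP")
        lo, hi = int(rule["from_port"]), int(rule["to_port"])
        _check_ports(proto, lo, hi)
        params[f"{p}.FromPort"], params[f"{p}.ToPort"] = str(lo), str(hi)

    cidrs, groups = rule.get("cidrs", []), rule.get("groups", [])
    if bool(cidrs) == bool(groups):
        raise ValueError("a rule names either CIDR ranges or source groups, not both and not neither")

    for m, cidr in enumerate(cidrs, 1):
        ipaddress.IPv4Network(cidr)     # rejects malformed ranges and host bits set (e.g. 10.0.0.5/24)
        params[f"{p}.IpRanges.{m}.CidrIp"] = cidr

    for m, g in enumerate(groups, 1):
        if platform == "classic":       # Classic source groups: UserId + GroupName
            if "user_id" not in g or "group_name" not in g:
                raise ValueError("EC2-Classic source groups need UserId and GroupName")
            params[f"{p}.Groups.{m}.GroupName"] = g["group_name"]
            params[f"{p}.Groups.{m}.UserId"] = g["user_id"]
        else:                           # VPC source groups: GroupId (the page's VPC example also sends UserId)
            if "group_id" not in g:
                raise ValueError("EC2-VPC source groups need GroupId")
            params[f"{p}.Groups.{m}.GroupId"] = g["group_id"]
            if "user_id" in g:
                params[f"{p}.Groups.{m}.UserId"] = g["user_id"]
    return params


def build_request(group, rules, platform, existing_rules=0):
    """Return the full parameter dict for one call (AUTHPARAMS not included)."""
    if platform not in MAX_RULES:
        raise ValueError("platform must be 'classic' or 'vpc'")
    if existing_rules + len(rules) > MAX_RULES[platform]:
        raise ValueError(f"{platform} groups are limited to {MAX_RULES[platform]} rules")
    params = {"Action": ACTION, "Version": API_VERSION}
    if platform == "vpc" and "GroupId" not in group:
        raise ValueError("EC2-VPC requires GroupId, not GroupName")
    if "GroupId" in group:
        params["GroupId"] = group["GroupId"]
    elif "GroupName" in group:
        params["GroupName"] = group["GroupName"]
    else:
        raise ValueError("GroupId or GroupName is required")
    for n, rule in enumerate(rules, 1):
        params.update(encode_rule(n, rule, platform))
    return params


def rejection_reason(group, rules, platform, existing_rules=0):
    """Pre-flight check: the ValueError message the request would raise, or None if valid."""
    try:
        build_request(group, rules, platform, existing_rules)
    except ValueError as e:
        return str(e)
    return None


def to_query_string(params):
    return urlencode(params, safe="/")


def page_example_websrv():
    """The page's first example: 192.0.2.0/24 and 198.51.100.0/24 to websrv on TCP/80."""
    return build_request(
        {"GroupName": "websrv"},
        [{"protocol": "tcp", "from_port": 80, "to_port": 80,
          "cidrs": ["192.0.2.0/24", "198.51.100.0/24"]}],
        platform="classic",
    )


if __name__ == "__main__":
    print(to_query_string(page_example_websrv()))
```

Running it prints the query string of the first example request above (minus AUTHPARAMS). The CIDR check is deliberately strict: a range with host bits set is almost always a typo that would grant access to a different network than intended.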

Response Elements

The following elements are returned in an AuthorizeSecurityGroupIngressResponse element.

requestId

The ID of the request.

Type: xsd:string

return

Returns true if the request succeeds. Otherwise, returns an error.

Type: xsd:boolean

Examples

Example Request

This example is for an EC2-Classic security group. The request grants the 192.0.2.0/24 and 198.51.100.0/24 address ranges access to your websrv security group on TCP port 80.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.IpRanges.1.CidrIp=192.0.2.0/24
&IpPermissions.1.IpRanges.2.CidrIp=198.51.100.0/24
&AUTHPARAMS

Example Request

This example is for an EC2-Classic security group. The request grants TCP port 80 access from the source group called OtherAccountGroup (in AWS account 111122223333) to your websrv security group.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.Groups.1.GroupName=OtherAccountGroup
&IpPermissions.1.Groups.1.UserId=111122223333
&AUTHPARAMS

Example Request

This example is for a security group for EC2-VPC. The request grants TCP port 80 access from the source group called OtherGroupInMyVPC (sg-2a2b3c4d) to your VpcWebServers security group (sg-1a2b3c4d). The request requires the group IDs and not the group names. Your AWS account ID is 111122223333.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupId=sg-1a2b3c4d
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.Groups.1.GroupId=sg-2a2b3c4d
&IpPermissions.1.Groups.1.UserId=111122223333
&AUTHPARAMS

Example Request

This example is for an EC2-Classic security group. The request grants your local system the ability to use SSH (port 22) to connect to any instance in the default security group.

https://ec2.amazonaws.com/
?Action=AuthorizeSecurityGroupIngress
&GroupName=default
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=22
&IpPermissions.1.ToPort=22
&IpPermissions.1.IpRanges.1.CidrIp=your-local-system's-public-ip-address/32
&AUTHPARAMS

Example Request

This example is for an EC2-Classic security group. The request gives your local system the ability to use Remote Desktop (port 3389) to connect to any instance in the default security group.

https://ec2.amazonaws.com/
?Action=AuthorizeSecurityGroupIngress
&GroupName=default
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=3389
&IpPermissions.1.ToPort=3389
&IpPermissions.1.IpRanges.1.CidrIp=your-local-system's-public-ip-address/32
&AUTHPARAMS
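The two examples above deliberately use a /32 for your own public address rather than 0.0.0.0/0; SSH and RDP exposed to the whole Internet are the rules most often found in compromised accounts. The following Python is an added example, not code from the AWS documentation: it builds that /32 from a public address (refusing RFC 1918, loopback, link-local and CGNAT addresses, which EC2 would never see as the source), and audits a list of proposed ingress rules for anything wider than the examples intend. The rule dict shape, the function names, and the sample address 203.0.113.7 (a documentation address standing in for your-local-system's-public-ip-address) are this example's own constructions.

```python
import ipaddress

# Ranges that cannot be your system's public address (RFC 1918, loopback, link-local, CGNAT).
NOT_PUBLIC = [ipaddress.IPv4Network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
               "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10")]
ADMIN_PORTS = {22: "SSH", 3389: "RDP"}


def single_host_cidr(public_ip):
    """Build the /32 CidrIp the SSH and RDP examples above call for."""
    addr = ipaddress.IPv4Address(public_ip)
    if any(addr in net for net in NOT_PUBLIC):
        raise ValueError(f"{public_ip} is not a public address; EC2 would never see it as the source")
    return f"{addr}/32"


def _covers(rule, port):
    """True if the rule's protocol and port range admit TCP traffic to `port`."""
    proto = str(rule["protocol"]).lower()
    if proto == "-1":                       # all protocols, all ports
        return True
    if proto not in ("tcp", "6"):
        return False
    return int(rule["from_port"]) <= port <= int(rule["to_port"])


def audit_ingress(rules):
    """Return (rule_number, message) findings for rules wider than the examples above:
    anything reachable from 0.0.0.0/0, or an admin port reachable from more than one host."""
    findings = []
    for i, rule in enumerate(rules, 1):
        for cidr in rule.get("cidrs", []):
            net = ipaddress.IPv4Network(cidr)
            if net.prefixlen == 0:
                findings.append((i, f"{cidr} opens the rule to the whole Internet"))
                continue
            for port, name in ADMIN_PORTS.items():
                if _covers(rule, port) and net.prefixlen < 32:
                    findings.append((i, f"{name} ({port}) reachable from {cidr}, "
                                        f"{net.num_addresses} addresses rather than one host"))
    return findings


# Constructed sample rules: the SSH example done right, then two widened variants.
SAMPLE_RULES = [
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": [single_host_cidr("203.0.113.7")]},
    {"protocol": "tcp", "from_port": 3389, "to_port": 3389, "cidrs": ["203.0.113.0/24"]},
    {"protocol": "tcp", "from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
]

if __name__ == "__main__":
    for n, msg in audit_ingress(SAMPLE_RULES):
        print(f"rule {n}: {msg}")
```

Run this against the rules you are about to send (the audit only needs the rule dicts, not a live API) and treat any finding on the default group as a reason to stop: the page's examples attach the rule to every instance in that group, so an over-wide CIDR there exposes all of them at once.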

Example Response

<AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2013-02-01/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <return>true</return>
</AuthorizeSecurityGroupIngressResponse>