By default, EC2 instances have no constraints on their outbound traffic but accept no inbound traffic. To receive inbound traffic, an instance must be associated with a security group that explicitly authorizes ingress. You can configure the ingress authorization to limit inbound traffic to individual IP addresses, ranges of IP addresses, specific protocols, and specific TCP/UDP ports.
You authorize ingress for a new security group, as follows.
To authorize security group ingress for a new security group
Create and initialize an IpPermissionSpecification object.

```csharp
var ipPermission = new IpPermissionSpecification()
{
    IpProtocol = "tcp",
    FromPort = 3389,
    ToPort = 3389
};
ipPermission.IpRanges.Add("0.0.0.0/0");
```

To initialize the object:
Specify the IP protocol by assigning it to the IpProtocol property.
For the TCP or UDP protocol, authorize ingress for specified ports by assigning appropriate values to the FromPort and ToPort properties, which represent the beginning and end of the port range, respectively. This example specifies a single port, 3389, which is the port that you use to communicate with a Windows EC2 instance by using the remote desktop protocol.
Authorize ingress for particular IP addresses or address ranges by adding them to the IpRanges collection. Use CIDR notation to represent addresses or address ranges. For convenience, this example uses 0.0.0.0/0, which authorizes all addresses. For production use, you typically specify a more restricted range or even a single address.
Incoming packets must meet all of these specifications.
Create and initialize an AuthorizeSecurityGroupIngressRequest object.
```csharp
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupName = secGroupName;
ingressRequest.IpPermissions.Add(ipPermission);
```

To initialize the object:
Set the GroupName property to the name of the security group.
Add the IpPermissionSpecification object from Step 1 to the request's IpPermissions collection.
Authorize ingress.
```csharp
AuthorizeSecurityGroupIngressResponse ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
```

Pass the request object to the EC2 client's AuthorizeSecurityGroupIngress method, which returns an AuthorizeSecurityGroupIngressResponse object.
To authorize ingress for additional IP address ranges, ports, or protocols, initialize a new IpPermissionSpecification instance and add it to the IpPermissions collection before calling AuthorizeSecurityGroupIngress.
You can also use this procedure to add IP address ranges, ports, and protocols to an existing security group. Each AuthorizeSecurityGroupIngress call adds a rule to the security group, up to a maximum of 100 rules. For more information about security groups, see Security Group Concepts.
Important

If you attempt to authorize ingress for an IP address range that has already been authorized, AuthorizeSecurityGroupIngress throws an exception. The following example shows how to enumerate a security group's authorized IP address ranges to check for existing ranges, where secGroup is the group's SecurityGroup object. For a description of how to obtain this object, see Specify an EC2 Security Group.
```csharp
// Walk every rule in the group and every CIDR range within each rule.
foreach (IpPermission ipPerm in secGroup.IpPermissions)
{
    foreach (String ipAddress in ipPerm.IpRanges)
    {
        if (ipAddress == "Address Range") // compare against the range you intend to add
        {
            // The range is already authorized; skip the AuthorizeSecurityGroupIngress call.
        }
    }
}
```
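As an added example that is not part of the original page, the following helper combines the procedure above with the duplicate-range check from the Important note: it only calls AuthorizeSecurityGroupIngress when no existing rule already covers the same protocol, port range and CIDR ranges, and it authorizes RDP from a restricted source range instead of 0.0.0.0/0. It assumes the SDK v1 names AmazonEC2 for the client interface and IpProtocol, FromPort, ToPort and IpRanges on IpPermission; the 203.0.113.0/24 range is a constructed placeholder.

```csharp
using System;
using System.Linq;
using Amazon.EC2;
using Amazon.EC2.Model;

public static class IngressHelper
{
    // True when some existing rule has the same protocol and port range and already
    // lists every CIDR in the new specification. Calling AuthorizeSecurityGroupIngress
    // for such a rule would throw the duplicate exception described in the Important note.
    // Assumption: IpPermission exposes IpProtocol, FromPort, ToPort and IpRanges.
    public static bool IsAlreadyAuthorized(SecurityGroup secGroup, IpPermissionSpecification spec)
    {
        return spec.IpRanges.All(cidr =>
            secGroup.IpPermissions.Any(existing =>
                existing.IpProtocol == spec.IpProtocol &&
                existing.FromPort == spec.FromPort &&
                existing.ToPort == spec.ToPort &&
                existing.IpRanges.Contains(cidr)));
    }

    // Adds the rule only when it is not already present. Returns true if a call was made.
    // Assumption: AmazonEC2 is the client interface type behind the page's ec2Client.
    public static bool AuthorizeIfMissing(AmazonEC2 ec2Client, SecurityGroup secGroup,
                                          IpPermissionSpecification spec)
    {
        if (IsAlreadyAuthorized(secGroup, spec))
            return false; // nothing to do; avoids the duplicate-rule exception

        var request = new AuthorizeSecurityGroupIngressRequest();
        request.GroupName = secGroup.GroupName;
        request.IpPermissions.Add(spec);
        ec2Client.AuthorizeSecurityGroupIngress(request);
        return true;
    }

    // Example: allow RDP (TCP 3389) only from one administrative network, not from 0.0.0.0/0.
    // 203.0.113.0/24 is a constructed placeholder range; replace it with your own.
    public static bool AllowRdpFromAdminNetwork(AmazonEC2 ec2Client, SecurityGroup secGroup)
    {
        var rdpRule = new IpPermissionSpecification()
        {
            IpProtocol = "tcp",
            FromPort = 3389,
            ToPort = 3389
        };
        rdpRule.IpRanges.Add("203.0.113.0/24");
        return AuthorizeIfMissing(ec2Client, secGroup, rdpRule);
    }
}
```

Because the check compares against the SecurityGroup object you already hold, refresh that object (see Specify an EC2 Security Group) before each call if other processes may be modifying the group concurrently.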