AWS SDK for Java
Developer Guide

Create an Amazon EC2 Security Group

Create a security group, which acts as a virtual firewall that controls the network traffic for one or more EC2 instances. By default, Amazon EC2 associates your instances with a default security group that allows no inbound traffic from outside the group. You can create a security group that allows your EC2 instances to accept only the traffic they need. For example, if you need to connect to a Linux instance, you must configure the security group to allow SSH traffic, ideally only from the addresses you administer from. You can create a security group using the Amazon EC2 console or the AWS SDK for Java.

You create a security group for use in either EC2-Classic or EC2-VPC. For more information about EC2-Classic and EC2-VPC, see Supported Platforms in the Amazon EC2 User Guide for Linux Instances.

For more information about creating a security group using the Amazon EC2 console, see Amazon EC2 Security Groups in the Amazon EC2 User Guide for Linux Instances.

To create a security group

  1. Create and initialize a CreateSecurityGroupRequest instance. Use the withGroupName method to set the security group name, and the withDescription method to set the security group description, as follows:

    CreateSecurityGroupRequest csgr = new CreateSecurityGroupRequest();
    csgr.withGroupName("JavaSecurityGroup")
        .withDescription("My security group");

    The security group name must be unique within the AWS region in which you initialize your Amazon EC2 client. You must use US-ASCII characters for the security group name and description.

  2. Pass the request object as a parameter to the createSecurityGroup method. The method returns a CreateSecurityGroupResult object, as follows:

    CreateSecurityGroupResult createSecurityGroupResult = amazonEC2Client.createSecurityGroup(csgr);

    The result carries the ID of the new group (getGroupId), which is the stable identifier to use in later requests. If you attempt to create a security group with the same name as an existing security group, createSecurityGroup throws an AmazonEC2Exception whose error code is InvalidGroup.Duplicate.

By default, a new security group does not allow any inbound traffic to your Amazon EC2 instance. To allow inbound traffic, you must explicitly authorize security group ingress. You can authorize ingress for individual IP addresses, for a range of IP addresses, for a specific protocol, and for TCP/UDP ports.

To authorize security group ingress

  1. Create and initialize an IpPermission instance. Use the withIpv4Ranges method to set the range of IP addresses to authorize ingress for, and use the withIpProtocol method to set the IP protocol. Use the withFromPort and withToPort methods to specify the range of ports to authorize ingress for, as follows:

    import java.util.Arrays;

    IpPermission ipPermission = new IpPermission();
    // Each source is a single host (/32); avoid 0.0.0.0/0 for administrative ports such as SSH.
    IpRange ipRange1 = new IpRange().withCidrIp("111.111.111.111/32");
    IpRange ipRange2 = new IpRange().withCidrIp("150.150.150.150/32");
    ipPermission.withIpv4Ranges(Arrays.asList(new IpRange[] {ipRange1, ipRange2}))
                .withIpProtocol("tcp")
                .withFromPort(22)
                .withToPort(22);

    All the conditions that you specify in the IpPermission object must be met in order for ingress to be allowed.

    Specify the IP address using CIDR notation. If you specify the protocol as TCP or UDP, you must provide a port range: withFromPort sets the first port of the range and withToPort the last (use the same value for a single port, as with 22 above). Port ranges apply only to TCP and UDP; for ICMP the same two fields carry the ICMP type and code, and for other protocols they are ignored.

  2. Create and initialize an AuthorizeSecurityGroupIngressRequest instance. Use the withGroupName method to specify the security group name (or withGroupId to specify the group ID, which is required for a security group in a non-default VPC), and pass the IpPermission object you initialized earlier to the withIpPermissions method, as follows:

    AuthorizeSecurityGroupIngressRequest authorizeSecurityGroupIngressRequest = new AuthorizeSecurityGroupIngressRequest();
    authorizeSecurityGroupIngressRequest.withGroupName("JavaSecurityGroup")
                                        .withIpPermissions(ipPermission);
  3. Pass the request object into the authorizeSecurityGroupIngress method, as follows:

    amazonEC2Client.authorizeSecurityGroupIngress(authorizeSecurityGroupIngressRequest);

    If you call authorizeSecurityGroupIngress with a rule that already exists in the group (same protocol, ports and source), the method throws an AmazonEC2Exception whose error code is InvalidPermission.Duplicate. To authorize ingress for different IP addresses, ports or protocols, create and initialize a new IpPermission object before calling authorizeSecurityGroupIngress again.

Whenever you call the authorizeSecurityGroupIngress or authorizeSecurityGroupEgress methods, a rule is added to your security group. Note that a security group in a VPC is created with an outbound rule that allows all traffic; if you need to restrict what your instances can reach, revoke that rule and add explicit egress rules.
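The two procedures above, creating the group and then authorizing SSH ingress to it, combined into one runnable program. This is an added example, not code from the AWS SDK for Java Developer Guide; it assumes a VPC ID (`vpc-0123456789abcdef0`) and administrator CIDR blocks that you must replace with your own, and it assumes credentials and a region are available through the default provider chain. It goes slightly beyond the text: it works with the group ID rather than the name (so it also works in a non-default VPC), treats an existing group or rule as already done instead of failing, and refuses a 0.0.0.0/0 source for SSH before anything is sent to EC2.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

import com.amazonaws.services.ec2.AmazonEC2;
import com.amazonaws.services.ec2.AmazonEC2ClientBuilder;
import com.amazonaws.services.ec2.model.AmazonEC2Exception;
import com.amazonaws.services.ec2.model.AuthorizeSecurityGroupIngressRequest;
import com.amazonaws.services.ec2.model.CreateSecurityGroupRequest;
import com.amazonaws.services.ec2.model.CreateSecurityGroupResult;
import com.amazonaws.services.ec2.model.DescribeSecurityGroupsRequest;
import com.amazonaws.services.ec2.model.Filter;
import com.amazonaws.services.ec2.model.IpPermission;
import com.amazonaws.services.ec2.model.IpRange;
import com.amazonaws.services.ec2.model.SecurityGroup;

public class SshSecurityGroupExample {

    // Assumed values: replace with your own VPC ID and the CIDR blocks of the
    // hosts that are allowed to reach your instances over SSH.
    private static final String VPC_ID = "vpc-0123456789abcdef0";
    private static final String GROUP_NAME = "JavaSecurityGroup";
    private static final List<String> ADMIN_CIDRS =
            Arrays.asList("111.111.111.111/32", "150.150.150.150/32");

    public static void main(String[] args) {
        AmazonEC2 ec2 = AmazonEC2ClientBuilder.defaultClient();
        String groupId = createGroup(ec2, GROUP_NAME, "SSH access for administrators", VPC_ID);
        authorizeSsh(ec2, groupId, ADMIN_CIDRS);
        printRules(ec2, groupId);
    }

    /** Creates the group in the given VPC, or returns the ID of the existing group of that name. */
    static String createGroup(AmazonEC2 ec2, String name, String description, String vpcId) {
        try {
            CreateSecurityGroupResult result = ec2.createSecurityGroup(
                    new CreateSecurityGroupRequest()
                            .withGroupName(name)
                            .withDescription(description)
                            .withVpcId(vpcId));
            return result.getGroupId();
        } catch (AmazonEC2Exception e) {
            if (!"InvalidGroup.Duplicate".equals(e.getErrorCode())) {
                throw e;
            }
            // Name already taken in this VPC: look the group up instead of failing.
            return ec2.describeSecurityGroups(new DescribeSecurityGroupsRequest()
                            .withFilters(new Filter("group-name", Arrays.asList(name)),
                                         new Filter("vpc-id", Arrays.asList(vpcId))))
                    .getSecurityGroups().get(0).getGroupId();
        }
    }

    /** Allows TCP/22 from each CIDR; refuses a world-open source and tolerates a duplicate rule. */
    static void authorizeSsh(AmazonEC2 ec2, String groupId, List<String> cidrs) {
        List<IpRange> ranges = new ArrayList<>();
        for (String cidr : cidrs) {
            if (cidr.endsWith("/0")) {
                throw new IllegalArgumentException("Refusing to open SSH to the world: " + cidr);
            }
            ranges.add(new IpRange().withCidrIp(cidr).withDescription("admin host"));
        }
        // FromPort/ToPort are the first and last port of the range, so 22..22 is the single SSH port.
        IpPermission ssh = new IpPermission()
                .withIpProtocol("tcp")
                .withFromPort(22)
                .withToPort(22)
                .withIpv4Ranges(ranges);
        try {
            ec2.authorizeSecurityGroupIngress(new AuthorizeSecurityGroupIngressRequest()
                    .withGroupId(groupId)
                    .withIpPermissions(ssh));
        } catch (AmazonEC2Exception e) {
            if (!"InvalidPermission.Duplicate".equals(e.getErrorCode())) {
                throw e;
            }
            // The rule already exists; nothing to add.
        }
    }

    /** Reads the group back and prints its inbound rules, so the result can be audited. */
    static void printRules(AmazonEC2 ec2, String groupId) {
        SecurityGroup sg = ec2.describeSecurityGroups(
                        new DescribeSecurityGroupsRequest().withGroupIds(groupId))
                .getSecurityGroups().get(0);
        for (IpPermission p : sg.getIpPermissions()) {
            for (IpRange r : p.getIpv4Ranges()) {
                System.out.printf("%s %d-%d from %s (%s)%n",
                        p.getIpProtocol(), p.getFromPort(), p.getToPort(),
                        r.getCidrIp(), r.getDescription());
            }
        }
    }
}
```

The duplicate check on the ingress call only works because all sources are sent in one IpPermission: if you submit several permissions and only one already exists, EC2 rejects the whole request, so submit rules one per call when you want per-rule tolerance. The read-back at the end is worth keeping in automation, since the rules that actually exist on the group, not the request you sent, are what the firewall enforces.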