
Class SecurityGroup

Creates an Amazon EC2 security group within a VPC.

Inheritance
System.Object
Construct
Resource
SecurityGroup
Implements
ISecurityGroup
IResource
IConstruct
Constructs.IConstruct
IDependable
IPeer
IConnectable
Inherited Members
Resource.IsResource(IConstruct)
Resource.ApplyRemovalPolicy(RemovalPolicy)
Resource.GeneratePhysicalName()
Resource.GetResourceArnAttribute(String, IArnComponents)
Resource.GetResourceNameAttribute(String)
Resource.Env
Resource.PhysicalName
Resource.Stack
Construct.IsConstruct(Object)
Construct.OnPrepare()
Construct.OnSynthesize(ISynthesisSession)
Construct.OnValidate()
Construct.Prepare()
Construct.Synthesize(ISynthesisSession)
Construct.Validate()
Construct.Node
Namespace: Amazon.CDK.AWS.EC2
Assembly: Amazon.CDK.AWS.EC2.dll
Syntax (csharp)
public class SecurityGroup : Resource, ISecurityGroup, IResource, IConstruct, Constructs.IConstruct, IDependable, IPeer, IConnectable
Syntax (vb)
Public Class SecurityGroup
    Inherits Resource
    Implements ISecurityGroup, IResource, IConstruct, Constructs.IConstruct, IDependable, IPeer, IConnectable
Remarks

Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances).

If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.

All Constructs that require Security Groups will create one for you if you don't specify one at construction. After construction, you can selectively allow connections to and between constructs via, for example, the instance.connections object. Think of it as "allowing connections to your instance", rather than "adding ingress rules to a security group". See the Allowing Connections section in the library documentation for examples.

Direct manipulation of the Security Group through addIngressRule and addEgressRule is possible, but mutation through the .connections object is recommended. If you peer two constructs with security groups this way, appropriate rules will be created in both.
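The difference between the two approaches, as an added example (not part of the original documentation). The stack name, construct IDs, port numbers and the 10.0.0.0/16 CIDR are constructed for illustration; both groups set AllowAllOutbound = false so that the egress half of the peering is emitted as an explicit rule.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.EC2;

// Hypothetical stack: names, ports and CIDR are illustrative assumptions.
public class TieredStack : Stack
{
    public TieredStack(Constructs.Construct scope, string id) : base(scope, id)
    {
        var vpc = new Vpc(this, "Vpc");

        // No implicit allow-all egress, so every outbound path must be declared.
        var appSg = new SecurityGroup(this, "AppSg", new SecurityGroupProps
        {
            Vpc = vpc,
            Description = "Application tier",
            AllowAllOutbound = false
        });
        var dbSg = new SecurityGroup(this, "DbSg", new SecurityGroupProps
        {
            Vpc = vpc,
            Description = "Database tier",
            AllowAllOutbound = false
        });

        // Recommended: peer through Connections. This single call produces an
        // ingress rule on dbSg and the matching egress rule on appSg.
        dbSg.Connections.AllowFrom(appSg, Port.Tcp(5432), "App tier to database");

        // Direct manipulation: only appSg's ingress rules change. Nothing is
        // added on the peer side, which here is a CIDR range, not a group.
        appSg.AddIngressRule(
            Peer.Ipv4("10.0.0.0/16"),
            Port.Tcp(443),
            "HTTPS from inside the VPC range");
    }
}
```

Running `cdk synth` on a stack like this and reading the generated ingress and egress resources is a quick way to confirm that each group exposes only the ports you intended.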

If you have an existing security group you want to use in your CDK application, you would import it like this:

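// Example automatically generated without compilation. See https://github.com/aws/jsii/issues/826
// Mutable = false imports the group as read-only from the point of view of this app.
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
    Mutable = false
});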

Synopsis

Constructors

SecurityGroup(ByRefValue)

Used by jsii to construct an instance of this class from a JavaScript-owned object reference

SecurityGroup(DeputyBase.DeputyProps)

Used by jsii to construct an instance of this class from DeputyProps

SecurityGroup(Construct, String, ISecurityGroupProps)

Properties

AllowAllOutbound

Whether the SecurityGroup has been configured to allow all outbound traffic.

CanInlineRule

Whether the rule can be inlined into a SecurityGroup or not.

Connections
DefaultPort
SecurityGroupId

The ID of the security group.

SecurityGroupName

An attribute that represents the security group name.

SecurityGroupVpcId

The VPC ID this security group is part of.

UniqueId

A unique identifier for this connection peer.

Methods

AddEgressRule(IPeer, Port, String, Nullable<Boolean>)

Add an egress rule for the current security group.

AddIngressRule(IPeer, Port, String, Nullable<Boolean>)

Add an ingress rule for the current security group.

FromLookup(Construct, String, String)

Look up a security group by id.

FromSecurityGroupId(Construct, String, String, ISecurityGroupImportOptions)

Import an existing security group into this app.

IsSecurityGroup(Object)

Return whether the indicated object is a security group.

ToEgressRuleConfig()

Produce the egress rule JSON for the given connection.

ToIngressRuleConfig()

Produce the ingress rule JSON for the given connection.

Constructors

SecurityGroup(ByRefValue)

Used by jsii to construct an instance of this class from a JavaScript-owned object reference

protected SecurityGroup(ByRefValue reference)
Parameters
reference Amazon.JSII.Runtime.Deputy.ByRefValue

The JavaScript-owned object reference

SecurityGroup(DeputyBase.DeputyProps)

Used by jsii to construct an instance of this class from DeputyProps

protected SecurityGroup(DeputyBase.DeputyProps props)
Parameters
props Amazon.JSII.Runtime.Deputy.DeputyBase.DeputyProps

The deputy props

SecurityGroup(Construct, String, ISecurityGroupProps)

public SecurityGroup(Construct scope, string id, ISecurityGroupProps props)
Parameters
scope Constructs.Construct
id System.String
props ISecurityGroupProps

Properties

AllowAllOutbound

Whether the SecurityGroup has been configured to allow all outbound traffic.

public virtual bool AllowAllOutbound { get; }
Property Value

System.Boolean

CanInlineRule

Whether the rule can be inlined into a SecurityGroup or not.

public virtual bool CanInlineRule { get; }
Property Value

System.Boolean

Connections

public virtual Connections_ Connections { get; }
Property Value

Connections_

DefaultPort

public virtual Port DefaultPort { get; }
Property Value

Port

SecurityGroupId

The ID of the security group.

public virtual string SecurityGroupId { get; }
Property Value

System.String

Remarks

Attribute: true

SecurityGroupName

An attribute that represents the security group name.

public virtual string SecurityGroupName { get; }
Property Value

System.String

Remarks

Attribute: true

SecurityGroupVpcId

The VPC ID this security group is part of.

public virtual string SecurityGroupVpcId { get; }
Property Value

System.String

Remarks

Attribute: true

UniqueId

A unique identifier for this connection peer.

public virtual string UniqueId { get; }
Property Value

System.String

Methods

AddEgressRule(IPeer, Port, String, Nullable<Boolean>)

Add an egress rule for the current security group.

public virtual void AddEgressRule(IPeer peer, Port connection, string description = null, Nullable<bool> remoteRule = null)
Parameters
peer IPeer
connection Port
description System.String
remoteRule System.Nullable<System.Boolean>
Remarks

remoteRule controls where the Rule object is created if the peer is also a SecurityGroup and the two are in different stacks. If false (default), the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

AddIngressRule(IPeer, Port, String, Nullable<Boolean>)

Add an ingress rule for the current security group.

public virtual void AddIngressRule(IPeer peer, Port connection, string description = null, Nullable<bool> remoteRule = null)
Parameters
peer IPeer
connection Port
description System.String
remoteRule System.Nullable<System.Boolean>
Remarks

remoteRule controls where the Rule object is created if the peer is also a SecurityGroup and the two are in different stacks. If false (default), the rule object is created under the current SecurityGroup object. If true and the peer is also a SecurityGroup, the rule object is created under the remote SecurityGroup object.

FromLookup(Construct, String, String)

Look up a security group by id.

public static ISecurityGroup FromLookup(Construct scope, string id, string securityGroupId)
Parameters
scope Constructs.Construct
id System.String
securityGroupId System.String
Returns

ISecurityGroup

FromSecurityGroupId(Construct, String, String, ISecurityGroupImportOptions)

Import an existing security group into this app.

public static ISecurityGroup FromSecurityGroupId(Construct scope, string id, string securityGroupId, ISecurityGroupImportOptions options = null)
Parameters
scope Constructs.Construct
id System.String
securityGroupId System.String
options ISecurityGroupImportOptions
Returns

ISecurityGroup

Remarks

This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).

If your existing Security Group needs to have egress rules added, pass the allowAllOutbound: false option on import.
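An import that keeps egress under explicit control, as an added example (not part of the original documentation). The stack name, construct ID, CIDR and port are constructed for illustration; "sg-12345" is the placeholder ID used earlier on this page.

```csharp
using Amazon.CDK;
using Amazon.CDK.AWS.EC2;

// Hypothetical stack: names, CIDR and port are illustrative assumptions.
public class ImportedSgStack : Stack
{
    public ImportedSgStack(Constructs.Construct scope, string id) : base(scope, id)
    {
        // Without options, the import assumes the group already allows all
        // outbound traffic, so CDK would not add egress rules to it.
        // AllowAllOutbound = false drops that assumption: egress rules
        // requested in this app are then created for the imported group.
        var restricted = SecurityGroup.FromSecurityGroupId(
            this,
            "RestrictedSg",
            "sg-12345",
            new SecurityGroupImportOptions { AllowAllOutbound = false });

        // Declare the one outbound path this workload needs.
        restricted.AddEgressRule(
            Peer.Ipv4("10.0.0.0/16"),
            Port.Tcp(443),
            "HTTPS to internal services only");
    }
}
```

If the real group does not in fact carry an allow-all egress rule and the option is left at its default, the egress rule the workload needs is never created, so check the group's actual rules before choosing the import options.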

IsSecurityGroup(Object)

Return whether the indicated object is a security group.

public static bool IsSecurityGroup(object x)
Parameters
x System.Object
Returns

System.Boolean

ToEgressRuleConfig()

Produce the egress rule JSON for the given connection.

public virtual object ToEgressRuleConfig()
Returns

System.Object

ToIngressRuleConfig()

Produce the ingress rule JSON for the given connection.

public virtual object ToIngressRuleConfig()
Returns

System.Object

Implements

ISecurityGroup
IResource
IConstruct
Constructs.IConstruct
IDependable
IPeer
IConnectable