AWS SDK for .NET
Developer Guide

Creating a Security Group in Amazon EC2

In Amazon EC2, a security group acts as a virtual firewall that controls the network traffic for one or more EC2 instances. By default, Amazon EC2 associates your instances with a security group that allows no inbound traffic. You can create a security group that allows your EC2 instances to accept certain traffic. For example, if you need to connect to an EC2 Windows instance, you must configure the security group to allow RDP traffic. You can create a security group by using the Amazon EC2 console or the AWS SDK for .NET.

You create a security group for use in either EC2-Classic or EC2-VPC. For more information about EC2-Classic and EC2-VPC, see Supported Platforms in the Amazon EC2 User Guide for Windows Instances.

Alternatively, you can create a security group using the Amazon EC2 console. For more information, see Amazon EC2 Security Groups in the Amazon EC2 User Guide for Windows Instances.

Enumerate Your Security Groups

You can enumerate your security groups and check whether a security group exists.

To enumerate your security groups

Get the complete list of your security groups using DescribeSecurityGroups with no parameters.

The following example enumerates all of the security groups in the region.

using System;
using System.Collections.Generic;
using Amazon.EC2;
using Amazon.EC2.Model;

static void EnumerateSecurityGroups(AmazonEC2Client ec2Client)
{
    var request = new DescribeSecurityGroupsRequest();
    var response = ec2Client.DescribeSecurityGroups(request);
    List<SecurityGroup> mySGs = response.SecurityGroups;
    foreach (SecurityGroup item in mySGs)
    {
        Console.WriteLine("Security group: " + item.GroupId);
        Console.WriteLine("\tGroupId: " + item.GroupId);
        Console.WriteLine("\tGroupName: " + item.GroupName);
        Console.WriteLine("\tVpcId: " + item.VpcId);
        Console.WriteLine();
    }
}

To enumerate your security groups for a particular VPC

Use DescribeSecurityGroups with a filter.

The following example retrieves only the security groups that belong to the specified VPC.

static void EnumerateVpcSecurityGroups(AmazonEC2Client ec2Client, string vpcID)
{
    // Restrict the result to security groups that belong to the given VPC
    Filter vpcFilter = new Filter
    {
        Name = "vpc-id",
        Values = new List<string>() { vpcID }
    };
    var request = new DescribeSecurityGroupsRequest();
    request.Filters.Add(vpcFilter);
    var response = ec2Client.DescribeSecurityGroups(request);
    List<SecurityGroup> mySGs = response.SecurityGroups;
    foreach (SecurityGroup item in mySGs)
    {
        Console.WriteLine("Security group: " + item.GroupId);
        Console.WriteLine("\tGroupId: " + item.GroupId);
        Console.WriteLine("\tGroupName: " + item.GroupName);
        Console.WriteLine("\tVpcId: " + item.VpcId);
        Console.WriteLine();
    }
}
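The following audit is an added example, not code from the SDK guide. It builds on the enumeration above: it walks the SecurityGroup objects returned by DescribeSecurityGroups and reports every rule that exposes TCP 22 (SSH) or 3389 (RDP) to 0.0.0.0/0. It reads the same IpRanges property the page's code uses (newer SDK versions also expose these blocks as Ipv4Ranges); the class name SecurityGroupAudit is assumed.

```csharp
using System.Collections.Generic;
using System.Linq;
using Amazon.EC2;
using Amazon.EC2.Model;

static class SecurityGroupAudit   // hypothetical class name, not part of the AWS SDK
{
    // Administrative ports whose exposure to the whole Internet is reported as a finding.
    static readonly int[] AdminPorts = { 22, 3389 };

    // True when the CIDR block admits every address, i.e. its prefix length is 0 (0.0.0.0/0).
    static bool IsAnyAddress(string cidr)
    {
        int slash = cidr.LastIndexOf('/');
        int prefixLength;
        return slash >= 0
            && int.TryParse(cidr.Substring(slash + 1), out prefixLength)
            && prefixLength == 0;
    }

    // True when the rule covers the given TCP port. EC2 uses IpProtocol "-1" for "all
    // protocols", which covers every port regardless of FromPort/ToPort.
    static bool CoversTcpPort(IpPermission rule, int port)
    {
        if (rule.IpProtocol == "-1") return true;
        return rule.IpProtocol == "tcp" && rule.FromPort <= port && port <= rule.ToPort;
    }

    // Returns one finding per rule that exposes an administrative port to 0.0.0.0/0.
    public static List<string> FindWorldOpenAdminRules(IEnumerable<SecurityGroup> groups)
    {
        var findings = new List<string>();
        foreach (SecurityGroup sg in groups)
            foreach (IpPermission rule in sg.IpPermissions ?? new List<IpPermission>())
                foreach (string cidr in (rule.IpRanges ?? new List<string>()).Where(IsAnyAddress))
                    foreach (int port in AdminPorts.Where(p => CoversTcpPort(rule, p)))
                        findings.Add(sg.GroupId + " (" + sg.GroupName + ") allows TCP " + port
                                     + " from " + cidr);
        return findings;
    }

    // Describes every security group in the region, as EnumerateSecurityGroups does, and audits it.
    public static List<string> AuditRegion(AmazonEC2Client ec2Client)
    {
        var response = ec2Client.DescribeSecurityGroups(new DescribeSecurityGroupsRequest());
        return FindWorldOpenAdminRules(response.SecurityGroups);
    }
}
```

FindWorldOpenAdminRules takes the list directly, so it can be run against SecurityGroup objects constructed in a unit test as well as against live DescribeSecurityGroups output.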

If you attempt to create a security group with the same name as an existing security group, CreateSecurityGroup will throw an exception. To avoid this, the following examples first search for a security group with the specified name and return the matching SecurityGroup object if one is found.

To create a security group for EC2-Classic

Create and initialize a CreateSecurityGroupRequest object. Assign a name and description to the GroupName and Description properties, respectively.

The CreateSecurityGroup method returns a CreateSecurityGroupResponse object. You can get the identifier of the new security group from the response and then use DescribeSecurityGroups with the security group identifier to get the SecurityGroup object for the security group.

static SecurityGroup CreateEc2SecurityGroup(
    AmazonEC2Client ec2Client, string secGroupName)
{
    // See if a security group with the specified name already exists
    Filter nameFilter = new Filter();
    nameFilter.Name = "group-name";
    nameFilter.Values = new List<string>() { secGroupName };

    var describeRequest = new DescribeSecurityGroupsRequest();
    describeRequest.Filters.Add(nameFilter);
    var describeResponse = ec2Client.DescribeSecurityGroups(describeRequest);

    // If a match was found, return the SecurityGroup object for the security group
    if (describeResponse.SecurityGroups.Count > 0)
    {
        return describeResponse.SecurityGroups[0];
    }

    // Create the security group
    var createRequest = new CreateSecurityGroupRequest();
    createRequest.GroupName = secGroupName;
    createRequest.Description = "My sample security group for EC2-Classic";
    var createResponse = ec2Client.CreateSecurityGroup(createRequest);

    // Look the new group up by its identifier to obtain the SecurityGroup object
    var Groups = new List<string>() { createResponse.GroupId };
    describeRequest = new DescribeSecurityGroupsRequest() { GroupIds = Groups };
    describeResponse = ec2Client.DescribeSecurityGroups(describeRequest);
    return describeResponse.SecurityGroups[0];
}

To create a security group for EC2-VPC

Create and initialize a CreateSecurityGroupRequest object. Assign values to the GroupName, Description, and VpcId properties.

The CreateSecurityGroup method returns a CreateSecurityGroupResponse object. You can get the identifier of the new security group from the response and then use DescribeSecurityGroups with the security group identifier to get the SecurityGroup object for the security group.

static SecurityGroup CreateVpcSecurityGroup(
    AmazonEC2Client ec2Client, string vpcId, string secGroupName)
{
    // See if a security group with the specified name already exists
    Filter nameFilter = new Filter();
    nameFilter.Name = "group-name";
    nameFilter.Values = new List<string>() { secGroupName };

    var describeRequest = new DescribeSecurityGroupsRequest();
    describeRequest.Filters.Add(nameFilter);
    var describeResponse = ec2Client.DescribeSecurityGroups(describeRequest);

    // If a match was found, return the SecurityGroup object for the security group
    if (describeResponse.SecurityGroups.Count > 0)
    {
        return describeResponse.SecurityGroups[0];
    }

    // Create the security group in the specified VPC
    var createRequest = new CreateSecurityGroupRequest();
    createRequest.GroupName = secGroupName;
    createRequest.Description = "My sample security group for EC2-VPC";
    createRequest.VpcId = vpcId;
    var createResponse = ec2Client.CreateSecurityGroup(createRequest);

    // Look the new group up by its identifier to obtain the SecurityGroup object
    var Groups = new List<string>() { createResponse.GroupId };
    describeRequest = new DescribeSecurityGroupsRequest() { GroupIds = Groups };
    describeResponse = ec2Client.DescribeSecurityGroups(describeRequest);
    return describeResponse.SecurityGroups[0];
}

Use the following procedure to add a rule to allow inbound traffic on TCP port 3389 (RDP). This enables you to connect to a Windows instance. If you're launching a Linux instance, use TCP port 22 (SSH) instead.

Note

You can use a service to get the public IP address of your local computer. For example, we provide the following service: http://checkip.amazonaws.com/. To locate another service that provides your IP address, use the search phrase "what is my IP address". If you are connecting through an ISP or from behind your firewall without a static IP address, you need to find out the range of IP addresses used by client computers.

The examples in this section follow from the examples in the previous sections. They assume secGroup is an existing security group.

To add a rule to a security group

  1. Create and initialize an IpPermission object.

    string ipRange = "72.21.198.64/24";   // replace with your own address or address range
    List<string> ranges = new List<string>() { ipRange };
    var ipPermission = new IpPermission();
    ipPermission.IpProtocol = "tcp";
    ipPermission.FromPort = 3389;
    ipPermission.ToPort = 3389;
    ipPermission.IpRanges = ranges;

    IpProtocol

    The IP protocol, here tcp.

    FromPort and ToPort

    The beginning and end of the port range. This example specifies a single port, 3389, which is used to communicate with Windows over RDP.

    IpRanges

    The IP addresses or address ranges, in CIDR notation. For convenience, this example uses 72.21.198.64/24. Note that a /24 suffix covers 256 addresses; to authorize exactly one IP address, use a /32 suffix. You can use http://checkip.amazonaws.com/ to determine your own IP address.

  2. Create and initialize an AuthorizeSecurityGroupIngressRequest object.

    var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
    ingressRequest.GroupId = secGroup.GroupId;
    ingressRequest.IpPermissions.Add(ipPermission);

    GroupId

    The identifier of the security group.

    IpPermissions

    The IpPermission object from step 1.

  3. (Optional) You can add additional rules to the IpPermissions collection before going to the next step.

  4. Pass the AuthorizeSecurityGroupIngressRequest object to the AuthorizeSecurityGroupIngress method, which returns an AuthorizeSecurityGroupIngressResponse object. If a matching rule already exists, an AmazonEC2Exception is thrown.

    try
    {
        var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
        Console.WriteLine("New RDP rule for: " + ipRange);
    }
    catch (AmazonEC2Exception ex)
    {
        // Check the ErrorCode to see if the rule already exists
        if ("InvalidPermission.Duplicate" == ex.ErrorCode)
        {
            Console.WriteLine("An RDP rule for: {0} already exists.", ipRange);
        }
        else
        {
            // The exception was thrown for another reason, so re-throw the exception
            throw;
        }
    }
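The following helper is an added example, not part of the SDK guide. It wraps the four steps above with a pre-flight check on the source CIDR block, so that a malformed range or one wider than the caller allows (for example 0.0.0.0/0, or a stray /1) is rejected before AuthorizeSecurityGroupIngress is ever called; the duplicate-rule handling is the same as in step 4. The class and method names are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Sockets;
using Amazon.EC2;
using Amazon.EC2.Model;

static class RestrictedIngress   // hypothetical class name, not part of the AWS SDK
{
    // Parses "a.b.c.d/n"; false for anything that is not a well-formed IPv4 CIDR block.
    static bool TryParseCidr(string cidr, out IPAddress address, out int prefixLength)
    {
        address = null; prefixLength = -1;
        string[] parts = cidr.Split('/');
        return parts.Length == 2
            && IPAddress.TryParse(parts[0], out address)
            && address.AddressFamily == AddressFamily.InterNetwork
            && int.TryParse(parts[1], out prefixLength)
            && prefixLength >= 0 && prefixLength <= 32;
    }

    // Adds an inbound TCP rule for one port, refusing source ranges wider than /minPrefixLength
    // (24 admits at most 256 addresses, 32 exactly one). Returns true when the rule was added,
    // false when an identical rule already existed; any other EC2 error propagates.
    public static bool AuthorizeTcpFromRange(AmazonEC2Client ec2Client, SecurityGroup secGroup,
                                             int port, string ipRange, int minPrefixLength)
    {
        IPAddress addr; int prefix;
        if (!TryParseCidr(ipRange, out addr, out prefix))
            throw new ArgumentException("Not an IPv4 CIDR block: " + ipRange);
        if (prefix < minPrefixLength)
            throw new ArgumentException(string.Format(
                "Refusing {0}: sources for port {1} must be /{2} or narrower", ipRange, port, minPrefixLength));

        var ipPermission = new IpPermission { IpProtocol = "tcp", FromPort = port, ToPort = port,
                                              IpRanges = new List<string> { ipRange } };
        var ingressRequest = new AuthorizeSecurityGroupIngressRequest { GroupId = secGroup.GroupId };
        ingressRequest.IpPermissions.Add(ipPermission);
        try
        {
            ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
            return true;
        }
        catch (AmazonEC2Exception ex) when (ex.ErrorCode == "InvalidPermission.Duplicate")
        {
            return false;   // the same rule is already present; nothing to do
        }
    }
}
```

Calling `RestrictedIngress.AuthorizeTcpFromRange(ec2Client, secGroup, 3389, "72.21.198.64/32", 32)` adds the RDP rule from the procedure for a single address, while the same call with "0.0.0.0/0" throws before any request is sent.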