AWS文件 AWS SDK 範例 GitHub 存放庫中提供了更多 SDK 範例
本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
使用 AWS SDK 為 Amazon EC2 安全群組設定輸入規則
下列程式碼範例示範如何為 Amazon EC2 安全群組設定輸入規則。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
- .NET
-
- AWS SDK for .NET
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 /// <summary> /// Authorize the local computer ingress to EC2 instances associated /// with the virtual private cloud (VPC) security group. /// </summary> /// <param name="groupName">The name of the security group.</param> /// <returns>A Boolean value indicating the success of the action.</returns> public async Task<bool> AuthorizeSecurityGroupIngress(string groupName) { // Get the IP address for the local computer. var ipAddress = await GetIpAddress(); Console.WriteLine($"Your IP address is: {ipAddress}"); var ipRanges = new List<IpRange> { new IpRange { CidrIp = $"{ipAddress}/32" } }; var permission = new IpPermission { Ipv4Ranges = ipRanges, IpProtocol = "tcp", FromPort = 22, ToPort = 22 }; var permissions = new List<IpPermission> { permission }; var response = await _amazonEC2.AuthorizeSecurityGroupIngressAsync( new AuthorizeSecurityGroupIngressRequest(groupName, permissions)); return response.HttpStatusCode == HttpStatusCode.OK; } /// <summary> /// Authorize the local computer for ingress to /// the Amazon EC2 SecurityGroup. /// </summary> /// <returns>The IPv4 address of the computer running the scenario.</returns> private static async Task<string> GetIpAddress() { var httpClient = new HttpClient(); var ipString = await httpClient.GetStringAsync("https://checkip.amazonaws.com"); // The IP address is returned with a new line // character on the end. Trim off the whitespace and // return the value to the caller. return ipString.Trim(); }-
如需 API 詳細資訊,請參閱 AWS SDK for .NETAPI 參考AuthorizeSecurityGroupIngress中的。
-
- C++
-
- 適用於 C++ 的 SDK
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 Aws::EC2::EC2Client ec2Client(clientConfiguration); Aws::EC2::Model::IpRange ip_range; ip_range.SetCidrIp("0.0.0.0/0"); Aws::EC2::Model::IpPermission permission1; permission1.SetIpProtocol("tcp"); permission1.SetToPort(80); permission1.SetFromPort(80); permission1.AddIpRanges(ip_range); authorize_request.AddIpPermissions(permission1); Aws::EC2::Model::IpPermission permission2; permission2.SetIpProtocol("tcp"); permission2.SetToPort(22); permission2.SetFromPort(22); permission2.AddIpRanges(ip_range); authorize_request.AddIpPermissions(permission2); const Aws::EC2::Model::AuthorizeSecurityGroupIngressOutcome authorizeOutcome = ec2Client.AuthorizeSecurityGroupIngress(authorizeRequest); if (!authorizeOutcome.IsSuccess()) { std::cerr << "Failed to set ingress policy for security group " << groupName << ":" << authorizeOutcome.GetError().GetMessage() << std::endl; return false; } std::cout << "Successfully added ingress policy to security group " << groupName << std::endl;-
如需 API 詳細資訊,請參閱 AWS SDK for C++API 參考AuthorizeSecurityGroupIngress中的。
-
- CLI
-
- AWS CLI
-
範例 1:新增規則,以允許傳入 SSH 流量
以下
authorize-security-group-ingress範例會新增規則,以允許 TCP 連接埠 22 (SSH) 上的傳入流量。aws ec2 authorize-security-group-ingress \ --group-id sg-1234567890abcdef0 \ --protocol tcp \ --port 22 \ --cidr 203.0.113.0/24輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-01afa97ef3e1bedfc", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "203.0.113.0/24" } ] }範例 2:新增規則,以允許來自其他安全群組的傳入 HTTP 流量
下列
authorize-security-group-ingress範例會新增規則,以允許 TCP 連接埠 80 上來自來源安全群組sg-1a2b3c4d的傳入存取。來源群組必須在相同 VPC 或對等 VPC 中 (需要 VPC 對等互連)。傳入流量會根據與來源安全群組相關聯之執行個體的私有 IP 地址允許 (而非公有 IP 地址或彈性 IP 地址)。aws ec2 authorize-security-group-ingress \ --group-id sg-1234567890abcdef0 \ --protocol tcp \ --port 80 \ --source-group sg-1a2b3c4d輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-01f4be99110f638a7", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "ReferencedGroupInfo": { "GroupId": "sg-1a2b3c4d", "UserId": "123456789012" } } ] }範例 3:在相同的呼叫中新增多個規則
下列
authorize-security-group-ingress範例會使用ip-permissions參數來新增兩個傳入規則;一個規則可在 TCP 連接埠 3389 (RDP) 上啟用傳入存取,另一個規則可啟用 Ping/ICMP。AWS EC2- authorize-security-group-ingress 組識別碼 SG-1234567890-IP 權限 IpProtocol = TCP,= 3 FromPort 389,=「[{= 172.31.0.0/16}]」= ICMP,= 1,= -1,=「[{= 172.31.0.0/16}]」ToPort IpRanges CidrIp IpProtocol FromPort ToPort IpRanges CidrIp
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-00e06e5d3690f29f3", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv4": "172.31.0.0/16" }, { "SecurityGroupRuleId": "sgr-0a133dd4493944b87", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": -1, "ToPort": -1, "CidrIpv4": "172.31.0.0/16" } ] }範例 4:為 ICMP 流量新增規則
下列
authorize-security-group-ingress範例會使用ip-permissions參數來新增傳入規則,以允許來自任何地方的 ICMP 訊息Destination Unreachable: Fragmentation Needed and Don't Fragment was Set(類型 3,代碼 4)。AWS EC2- authorize-security-group-ingress 組標識符號 SG-1234567890-IP-IP 權限 = ICMP,= 3,= 4,=「[{= 0.0.0/0}]」 IpProtocol FromPort ToPort IpRanges CidrIp
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-0de3811019069b787", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "icmp", "FromPort": 3, "ToPort": 4, "CidrIpv4": "0.0.0.0/0" } ] }範例 5:為 IPv6 流量新增規則
下列
authorize-security-group-ingress範例會使用ip-permissions參數新增傳入規則,以允許來自 IPv6 範圍2001:db8:1234:1a00::/64的 SSH 存取 (連接埠 22)。AWS EC2- authorize-security-group-ingress 組識別碼 SG-1234567890 固定-IP 權限 = TCP, = 22, = 22, 知識產品 6 範圍 = "[{6 = 2001: 分貝 8:1234:1 A00::/ IpProtocol64}]」FromPort ToPort CidrIpv
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-0455bc68b60805563", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "2001:db8:1234:1a00::/64" } ] }範例 6:為 ICMPv6 流量新增規則
下列
authorize-security-group-ingress範例會使用ip-permissions參數來新增傳入規則,以允許來自任何地方的 ICMPv6 流量。AWS EC2- authorize-security-group-ingress 組識別碼 SG-1234567890ABCDEF-IP 權限 = ICMP6 的範圍 = "[{6 =:: /0}]」 IpProtocol CidrIpv
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-04b612d9363ab6327", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0" } ] }範例 7:新增具有描述的規則
下列
authorize-security-group-ingress範例會使用ip-permissions參數來新增傳入規則,以允許來自指定 IPv4 地址範圍的 RDP 流量。此規則提供描述,可於稍後協助識別。AWS EC2- authorize-security-group-ingress 組識別碼 SG-1234567890 安裝-IP 權限 IpProtocol = TCP,= 3389,= 3389,= "[{= 203.0.113.0/24,描述 = 'RDP 訪問來自紐約辦公室'}]」FromPort ToPort IpRanges CidrIp
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-0397bbcc01e974db3", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv4": "203.0.113.0/24", "Description": "RDP access from NY office" } ] }範例 8:新增使用字首清單的傳入規則
下列
authorize-security-group-ingress範例會使用ip-permissions參數來新增傳入規則,以允許指定字首清單中 CIDR 範圍適用的所有流量。AWS EC2 authorize-security-group-ingress -組識別碼標識符號 IpProtocol PrefixListIds PrefixListId
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-09c74b32f677c6c7c", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "PrefixListId": "pl-0721453c7ac4ec009" } ] }如需詳細資訊,請參閱《Amazon VPC 使用者指南》中的安全群組。
-
如需 API 詳細資訊,請參閱AWS CLI命令參考AuthorizeSecurityGroupIngress
中的。
-
- Java
-
- 適用於 Java 2.x 的 SDK
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 public static String createSecurityGroup(Ec2Client ec2, String groupName, String groupDesc, String vpcId, String myIpAddress) { try { CreateSecurityGroupRequest createRequest = CreateSecurityGroupRequest.builder() .groupName(groupName) .description(groupDesc) .vpcId(vpcId) .build(); CreateSecurityGroupResponse resp = ec2.createSecurityGroup(createRequest); IpRange ipRange = IpRange.builder() .cidrIp(myIpAddress + "/0") .build(); IpPermission ipPerm = IpPermission.builder() .ipProtocol("tcp") .toPort(80) .fromPort(80) .ipRanges(ipRange) .build(); IpPermission ipPerm2 = IpPermission.builder() .ipProtocol("tcp") .toPort(22) .fromPort(22) .ipRanges(ipRange) .build(); AuthorizeSecurityGroupIngressRequest authRequest = AuthorizeSecurityGroupIngressRequest.builder() .groupName(groupName) .ipPermissions(ipPerm, ipPerm2) .build(); ec2.authorizeSecurityGroupIngress(authRequest); System.out.println("Successfully added ingress policy to security group " + groupName); return resp.groupId(); } catch (Ec2Exception e) { System.err.println(e.awsErrorDetails().errorMessage()); System.exit(1); } return ""; }-
如需 API 詳細資訊,請參閱 AWS SDK for Java 2.xAPI 參考AuthorizeSecurityGroupIngress中的。
-
- JavaScript
-
- 適用於 JavaScript (v3) 的開發套件
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 import { AuthorizeSecurityGroupIngressCommand } from "@aws-sdk/client-ec2"; import { client } from "../libs/client.js"; // Grant permissions for a single IP address to ssh into instances // within the provided security group. export const main = async () => { const command = new AuthorizeSecurityGroupIngressCommand({ // Replace with a security group ID from the AWS console or // the DescribeSecurityGroupsCommand. GroupId: "SECURITY_GROUP_ID", IpPermissions: [ { IpProtocol: "tcp", FromPort: 22, ToPort: 22, // Replace 0.0.0.0 with the IP address to authorize. // For more information on this notation, see // https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation IpRanges: [{ CidrIp: "0.0.0.0/32" }], }, ], }); try { const { SecurityGroupRules } = await client.send(command); console.log(JSON.stringify(SecurityGroupRules, null, 2)); } catch (err) { console.error(err); } };-
如需 API 詳細資訊,請參閱 AWS SDK for JavaScriptAPI 參考AuthorizeSecurityGroupIngress中的。
-
- Kotlin
-
- 適用於 Kotlin 的 SDK
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 suspend fun createEC2SecurityGroupSc(groupNameVal: String?, groupDescVal: String?, vpcIdVal: String?, myIpAddress: String?): String? { val request = CreateSecurityGroupRequest { groupName = groupNameVal description = groupDescVal vpcId = vpcIdVal } Ec2Client { region = "us-west-2" }.use { ec2 -> val resp = ec2.createSecurityGroup(request) val ipRange = IpRange { cidrIp = "$myIpAddress/0" } val ipPerm = IpPermission { ipProtocol = "tcp" toPort = 80 fromPort = 80 ipRanges = listOf(ipRange) } val ipPerm2 = IpPermission { ipProtocol = "tcp" toPort = 22 fromPort = 22 ipRanges = listOf(ipRange) } val authRequest = AuthorizeSecurityGroupIngressRequest { groupName = groupNameVal ipPermissions = listOf(ipPerm, ipPerm2) } ec2.authorizeSecurityGroupIngress(authRequest) println("Successfully added ingress policy to Security Group $groupNameVal") return resp.groupId } }-
有關 API 的詳細信息,請參閱 AWSSDK AuthorizeSecurityGroupIngress
中的 Kotlin API 參考。
-
- Python
-
- 適用於 Python (Boto3) 的 SDK
-
注意
還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫
。 class SecurityGroupWrapper: """Encapsulates Amazon Elastic Compute Cloud (Amazon EC2) security group actions.""" def __init__(self, ec2_resource, security_group=None): """ :param ec2_resource: A Boto3 Amazon EC2 resource. This high-level resource is used to create additional high-level objects that wrap low-level Amazon EC2 service actions. :param security_group: A Boto3 SecurityGroup object. This is a high-level object that wraps security group actions. """ self.ec2_resource = ec2_resource self.security_group = security_group @classmethod def from_resource(cls): ec2_resource = boto3.resource("ec2") return cls(ec2_resource) def authorize_ingress(self, ssh_ingress_ip): """ Adds a rule to the security group to allow access to SSH. :param ssh_ingress_ip: The IP address that is granted inbound access to connect to port 22 over TCP, used for SSH. :return: The response to the authorization request. The 'Return' field of the response indicates whether the request succeeded or failed. """ if self.security_group is None: logger.info("No security group to update.") return try: ip_permissions = [ { # SSH ingress open to only the specified IP address. "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": f"{ssh_ingress_ip}/32"}], } ] response = self.security_group.authorize_ingress( IpPermissions=ip_permissions ) except ClientError as err: logger.error( "Couldn't authorize inbound rules for %s. Here's why: %s: %s", self.security_group.id, err.response["Error"]["Code"], err.response["Error"]["Message"], ) raise else: return response-
如需 API 的詳細資訊,請參閱AWS開發套件AuthorizeSecurityGroupIngress中的 Python (博托 3) API 參考。
-
