本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AuthorizeSecurityGroupIngress 搭配 AWS SDK或 使用 CLI
下列程式碼範例示範如何使用 AuthorizeSecurityGroupIngress。
動作範例是大型程式的程式碼摘錄,必須在內容中執行。您可以在下列程式碼範例的內容中看到此動作:
- .NET
-
- AWS SDK for .NET
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 /// <summary> /// Authorize the local computer ingress to EC2 instances associated /// with the virtual private cloud (VPC) security group. /// </summary> /// <param name="groupName">The name of the security group.</param> /// <returns>A Boolean value indicating the success of the action.</returns> public async Task<bool> AuthorizeSecurityGroupIngress(string groupName) { try { // Get the IP address for the local computer. var ipAddress = await GetIpAddress(); Console.WriteLine($"Your IP address is: {ipAddress}"); var ipRanges = new List<IpRange> { new IpRange { CidrIp = $"{ipAddress}/32" } }; var permission = new IpPermission { Ipv4Ranges = ipRanges, IpProtocol = "tcp", FromPort = 22, ToPort = 22 }; var permissions = new List<IpPermission> { permission }; var response = await _amazonEC2.AuthorizeSecurityGroupIngressAsync( new AuthorizeSecurityGroupIngressRequest(groupName, permissions)); return response.HttpStatusCode == HttpStatusCode.OK; } catch (AmazonEC2Exception ec2Exception) { if (ec2Exception.ErrorCode == "InvalidPermission.Duplicate") { _logger.LogError( $"The ingress rule already exists. {ec2Exception.Message}"); } throw; } catch (Exception ex) { _logger.LogError( $"An error occurred while authorizing ingress.: {ex.Message}"); throw; } } /// <summary> /// Authorize the local computer for ingress to /// the Amazon EC2 SecurityGroup. /// </summary> /// <returns>The IPv4 address of the computer running the scenario.</returns> private static async Task<string> GetIpAddress() { var httpClient = new HttpClient(); var ipString = await httpClient.GetStringAsync("https://checkip.amazonaws.com"); // The IP address is returned with a new line // character on the end. Trim off the whitespace and // return the value to the caller. return ipString.Trim(); }-
如需API詳細資訊,請參閱 參考 AuthorizeSecurityGroupIngress中的 。 AWS SDK for .NET API
-
- Bash
-
- AWS CLI 使用 Bash 指令碼
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 ############################################################################### # function ec2_authorize_security_group_ingress # # This function authorizes an ingress rule for an Amazon Elastic Compute Cloud (Amazon EC2) security group. # # Parameters: # -g security_group_id - The ID of the security group. # -i ip_address - The IP address or CIDR block to authorize. # -p protocol - The protocol to authorize (e.g., tcp, udp, icmp). # -f from_port - The start of the port range to authorize. # -t to_port - The end of the port range to authorize. # # And: # 0 - If successful. # 1 - If it fails. ############################################################################### function ec2_authorize_security_group_ingress() { local security_group_id ip_address protocol from_port to_port response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function ec2_authorize_security_group_ingress" echo "Authorizes an ingress rule for an Amazon Elastic Compute Cloud (Amazon EC2) security group." echo " -g security_group_id - The ID of the security group." echo " -i ip_address - The IP address or CIDR block to authorize." echo " -p protocol - The protocol to authorize (e.g., tcp, udp, icmp)." echo " -f from_port - The start of the port range to authorize." echo " -t to_port - The end of the port range to authorize." echo "" } # Retrieve the calling parameters. while getopts "g:i:p:f:t:h" option; do case "${option}" in g) security_group_id="${OPTARG}" ;; i) ip_address="${OPTARG}" ;; p) protocol="${OPTARG}" ;; f) from_port="${OPTARG}" ;; t) to_port="${OPTARG}" ;; h) usage return 0 ;; \?) echo "Invalid parameter" usage return 1 ;; esac done export OPTIND=1 if [[ -z "$security_group_id" ]]; then errecho "ERROR: You must provide a security group ID with the -g parameter." usage return 1 fi if [[ -z "$ip_address" ]]; then errecho "ERROR: You must provide an IP address or CIDR block with the -i parameter." usage return 1 fi if [[ -z "$protocol" ]]; then errecho "ERROR: You must provide a protocol with the -p parameter." usage return 1 fi if [[ -z "$from_port" ]]; then errecho "ERROR: You must provide a start port with the -f parameter." usage return 1 fi if [[ -z "$to_port" ]]; then errecho "ERROR: You must provide an end port with the -t parameter." usage return 1 fi response=$(aws ec2 authorize-security-group-ingress \ --group-id "$security_group_id" \ --cidr "${ip_address}/32" \ --protocol "$protocol" \ --port "$from_port-$to_port" \ --output text) || { aws_cli_error_log ${?} errecho "ERROR: AWS reports authorize-security-group-ingress operation failed.$response" return 1 } return 0 }此範例中使用的公用程式函數。
############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################## # function aws_cli_error_log() # # This function is used to log the error messages from the AWS CLI. # # The function expects the following argument: # $1 - The error code returned by the AWS CLI. # # Returns: # 0: - Success. # ############################################################################## function aws_cli_error_log() { local err_code=$1 errecho "Error code : $err_code" if [ "$err_code" == 1 ]; then errecho " One or more S3 transfers failed." elif [ "$err_code" == 2 ]; then errecho " Command line failed to parse." elif [ "$err_code" == 130 ]; then errecho " Process received SIGINT." elif [ "$err_code" == 252 ]; then errecho " Command syntax invalid." elif [ "$err_code" == 253 ]; then errecho " The system environment or configuration was invalid." elif [ "$err_code" == 254 ]; then errecho " The service returned an error." elif [ "$err_code" == 255 ]; then errecho " 255 is a catch-all error." fi return 0 }-
如需API詳細資訊,請參閱 命令參考 AuthorizeSecurityGroupIngress中的 。 AWS CLI
-
- C++
-
- SDK 適用於 C++
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 //! Authorize ingress to an Amazon Elastic Compute Cloud (Amazon EC2) group. /*! \param groupID: The EC2 group ID. \param clientConfiguration: The ClientConfiguration object. \return bool: True if the operation was successful, false otherwise. */ bool AwsDoc::EC2::authorizeSecurityGroupIngress(const Aws::String &groupID, const Aws::Client::ClientConfiguration &clientConfiguration) { Aws::EC2::EC2Client ec2Client(clientConfiguration); Aws::EC2::Model::AuthorizeSecurityGroupIngressRequest authorizeSecurityGroupIngressRequest; authorizeSecurityGroupIngressRequest.SetGroupId(groupID); buildSampleIngressRule(authorizeSecurityGroupIngressRequest); Aws::EC2::Model::AuthorizeSecurityGroupIngressOutcome authorizeSecurityGroupIngressOutcome = ec2Client.AuthorizeSecurityGroupIngress(authorizeSecurityGroupIngressRequest); if (authorizeSecurityGroupIngressOutcome.IsSuccess()) { std::cout << "Successfully authorized security group ingress." << std::endl; } else { std::cerr << "Error authorizing security group ingress: " << authorizeSecurityGroupIngressOutcome.GetError().GetMessage() << std::endl; } return authorizeSecurityGroupIngressOutcome.IsSuccess(); }用於建置輸入規則的公用程式函數。
//! Build a sample ingress rule. /*! \param authorize_request: An 'AuthorizeSecurityGroupIngressRequest' instance. \return void: */ void buildSampleIngressRule( Aws::EC2::Model::AuthorizeSecurityGroupIngressRequest &authorize_request) { Aws::String ingressIPRange = "203.0.113.0/24"; // Configure this for your allowed IP range. Aws::EC2::Model::IpRange ip_range; ip_range.SetCidrIp(ingressIPRange); Aws::EC2::Model::IpPermission permission1; permission1.SetIpProtocol("tcp"); permission1.SetToPort(80); permission1.SetFromPort(80); permission1.AddIpRanges(ip_range); authorize_request.AddIpPermissions(permission1); Aws::EC2::Model::IpPermission permission2; permission2.SetIpProtocol("tcp"); permission2.SetToPort(22); permission2.SetFromPort(22); permission2.AddIpRanges(ip_range); authorize_request.AddIpPermissions(permission2); }-
如需API詳細資訊,請參閱 參考 AuthorizeSecurityGroupIngress中的 。 AWS SDK for C++ API
-
- CLI
-
- AWS CLI
-
範例 1:新增允許傳入SSH流量的規則
下列
authorize-security-group-ingress範例新增規則,允許TCP連接埠 22 () 上的傳入流量SSH。aws ec2 authorize-security-group-ingress \ --group-idsg-1234567890abcdef0\ --protocoltcp\ --port22\ --cidr203.0.113.0/24輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-01afa97ef3e1bedfc", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv4": "203.0.113.0/24" } ] }範例 2:新增允許來自其他安全群組的傳入HTTP流量的規則
下列
authorize-security-group-ingress範例新增規則,允許從來源安全群組 對TCP連接埠 80 進行傳入存取sg-1a2b3c4d。來源群組必須位於相同 VPC或對等 VPC(需要VPC對等連線)。傳入流量會根據與來源安全群組相關聯之執行個體的私有 IP 地址允許 (而非公有 IP 地址或彈性 IP 地址)。aws ec2 authorize-security-group-ingress \ --group-idsg-1234567890abcdef0\ --protocoltcp\ --port80\ --source-groupsg-1a2b3c4d輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-01f4be99110f638a7", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 80, "ToPort": 80, "ReferencedGroupInfo": { "GroupId": "sg-1a2b3c4d", "UserId": "123456789012" } } ] }範例 3:在相同的呼叫中新增多個規則
下列
authorize-security-group-ingress範例使用ip-permissions參數來新增兩個傳入規則,其中一個在TCP連接埠 3389 (RDP) 上啟用傳入存取,另一個則啟用 ping/ICMP。aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef0 --ip-permissions IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges="【{CidrIp=172.31.0.0/16}】" IpProtocol=icmp,FromPort=-1,ToPort=-1,IpRanges="【{CidrIp=172.31.0.0/16}】"
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-00e06e5d3690f29f3", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv4": "172.31.0.0/16" }, { "SecurityGroupRuleId": "sgr-0a133dd4493944b87", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": -1, "ToPort": -1, "CidrIpv4": "172.31.0.0/16" } ] }範例 4:新增ICMP流量的規則
下列
authorize-security-group-ingress範例使用ip-permissions參數來新增傳入規則,允許訊息 ICMPDestination Unreachable: Fragmentation Needed and Don't Fragment was Set(類型 3,代碼 4) 來自任何地方。aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef0 --ip-permissions IpProtocol=icmp,FromPort=3,ToPort=4,IpRanges="【{CidrIp=0.0.0.0/0}】"
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-0de3811019069b787", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "icmp", "FromPort": 3, "ToPort": 4, "CidrIpv4": "0.0.0.0/0" } ] }範例 5:新增IPv6流量的規則
下列
authorize-security-group-ingress範例使用ip-permissions參數來新增允許從 IPv6範圍SSH存取 (連接埠 22) 的傳入規則2001:db8:1234:1a00::/64。aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef0 --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges ="【{CidrIpv6=2001:db8:1234:1a00:::/64}】"
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-0455bc68b60805563", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIpv6": "2001:db8:1234:1a00::/64" } ] }範例 6:新增ICMPv6流量的規則
下列
authorize-security-group-ingress範例使用ip-permissions參數來新增允許來自任何地方ICMPv6流量的傳入規則。aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef0 --ip-permissions IpProtocol=icmpv6,Ipv6Ranges ="【{CidrIpv6=::/0}】"
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-04b612d9363ab6327", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "icmpv6", "FromPort": -1, "ToPort": -1, "CidrIpv6": "::/0" } ] }範例 7:新增具有描述的規則
下列
authorize-security-group-ingress範例使用ip-permissions參數來新增允許來自指定IPv4地址範圍RDP流量的傳入規則。此規則提供描述,可於稍後協助識別。aws ec2 authorize-security-group-ingress --group-id sg-1234567890abcdef0 --ip-permissions IpProtocol=tcp,FromPort=3389,ToPort=3389,IpRanges="【{CidrIp=203.0.113.0/24,Description='RDP 從紐約辦公室存取'}】"
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-0397bbcc01e974db3", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389, "CidrIpv4": "203.0.113.0/24", "Description": "RDP access from NY office" } ] }範例 8:新增使用字首清單的傳入規則
下列
authorize-security-group-ingress範例使用ip-permissions參數來新增傳入規則,允許指定字首清單中CIDR範圍的所有流量。aws ec2 authorize-security-group-ingress --group-id sg-04a351bfe432d4e71 --ip-permissions IpProtocol=all,PrefixListIds="【{PrefixListId=pl-002dc3ec097de1514}】"
輸出:
{ "Return": true, "SecurityGroupRules": [ { "SecurityGroupRuleId": "sgr-09c74b32f677c6c7c", "GroupId": "sg-1234567890abcdef0", "GroupOwnerId": "123456789012", "IsEgress": false, "IpProtocol": "-1", "FromPort": -1, "ToPort": -1, "PrefixListId": "pl-0721453c7ac4ec009" } ] }如需詳細資訊,請參閱 Amazon VPC使用者指南 中的安全群組。
-
如需API詳細資訊,請參閱 命令參考 AuthorizeSecurityGroupIngress
中的 。 AWS CLI
-
- Java
-
- SDK 適用於 Java 2.x
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 /** * Creates a new security group asynchronously with the specified group name, description, and VPC ID. It also * authorizes inbound traffic on ports 80 and 22 from the specified IP address. * * @param groupName the name of the security group to create * @param groupDesc the description of the security group * @param vpcId the ID of the VPC in which to create the security group * @param myIpAddress the IP address from which to allow inbound traffic (e.g., "192.168.1.1/0" to allow traffic from * any IP address in the 192.168.1.0/24 subnet) * @return a CompletableFuture that, when completed, returns the ID of the created security group * @throws RuntimeException if there was a failure creating the security group or authorizing the inbound traffic */ public CompletableFuture<String> createSecurityGroupAsync(String groupName, String groupDesc, String vpcId, String myIpAddress) { CreateSecurityGroupRequest createRequest = CreateSecurityGroupRequest.builder() .groupName(groupName) .description(groupDesc) .vpcId(vpcId) .build(); return getAsyncClient().createSecurityGroup(createRequest) .thenCompose(createResponse -> { String groupId = createResponse.groupId(); IpRange ipRange = IpRange.builder() .cidrIp(myIpAddress + "/32") .build(); IpPermission ipPerm = IpPermission.builder() .ipProtocol("tcp") .toPort(80) .fromPort(80) .ipRanges(ipRange) .build(); IpPermission ipPerm2 = IpPermission.builder() .ipProtocol("tcp") .toPort(22) .fromPort(22) .ipRanges(ipRange) .build(); AuthorizeSecurityGroupIngressRequest authRequest = AuthorizeSecurityGroupIngressRequest.builder() .groupName(groupName) .ipPermissions(ipPerm, ipPerm2) .build(); return getAsyncClient().authorizeSecurityGroupIngress(authRequest) .thenApply(authResponse -> groupId); }) .whenComplete((result, exception) -> { if (exception != null) { if (exception instanceof CompletionException && exception.getCause() instanceof Ec2Exception) { throw (Ec2Exception) exception.getCause(); } else { throw new RuntimeException("Failed to create security group: " + exception.getMessage(), exception); } } }); }-
如需API詳細資訊,請參閱 參考 AuthorizeSecurityGroupIngress中的 。 AWS SDK for Java 2.x API
-
- JavaScript
-
- SDK 適用於 JavaScript (v3)
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 import { AuthorizeSecurityGroupIngressCommand, EC2Client, } from "@aws-sdk/client-ec2"; /** * Adds the specified inbound (ingress) rules to a security group. * @param {{ groupId: string, ipAddress: string }} options */ export const main = async ({ groupId, ipAddress }) => { const client = new EC2Client({}); const command = new AuthorizeSecurityGroupIngressCommand({ // Use a group ID from the AWS console or // the DescribeSecurityGroupsCommand. GroupId: groupId, IpPermissions: [ { IpProtocol: "tcp", FromPort: 22, ToPort: 22, // The IP address to authorize. // For more information on this notation, see // https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing#CIDR_notation IpRanges: [{ CidrIp: `${ipAddress}/32` }], }, ], }); try { const { SecurityGroupRules } = await client.send(command); console.log(JSON.stringify(SecurityGroupRules, null, 2)); } catch (caught) { if (caught instanceof Error && caught.name === "InvalidGroupId.Malformed") { console.warn(`${caught.message}. Please provide a valid GroupId.`); } else { throw caught; } } };-
如需API詳細資訊,請參閱 參考 AuthorizeSecurityGroupIngress中的 。 AWS SDK for JavaScript API
-
- Kotlin
-
- SDK 適用於 Kotlin
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 suspend fun createEC2SecurityGroupSc( groupNameVal: String?, groupDescVal: String?, vpcIdVal: String?, myIpAddress: String?, ): String? { val request = CreateSecurityGroupRequest { groupName = groupNameVal description = groupDescVal vpcId = vpcIdVal } Ec2Client { region = "us-west-2" }.use { ec2 -> val resp = ec2.createSecurityGroup(request) val ipRange = IpRange { cidrIp = "$myIpAddress/0" } val ipPerm = IpPermission { ipProtocol = "tcp" toPort = 80 fromPort = 80 ipRanges = listOf(ipRange) } val ipPerm2 = IpPermission { ipProtocol = "tcp" toPort = 22 fromPort = 22 ipRanges = listOf(ipRange) } val authRequest = AuthorizeSecurityGroupIngressRequest { groupName = groupNameVal ipPermissions = listOf(ipPerm, ipPerm2) } ec2.authorizeSecurityGroupIngress(authRequest) println("Successfully added ingress policy to Security Group $groupNameVal") return resp.groupId } }-
如需API詳細資訊,請參閱AuthorizeSecurityGroupIngress
中的 AWS SDK for Kotlin API參考 。
-
- PowerShell
-
- 適用於 的工具 PowerShell
-
範例 1:此範例定義 EC2- 安全群組的傳入規則VPC。這些規則會授予 SSH(連接埠 22) 和 RDC(連接埠 3389) 特定 IP 地址的存取權。請注意,您必須EC2使用安全群組 ID 而非安全群組名稱來識別 VPC的安全群組。此範例使用的語法需要 3 版或更高 PowerShell 版本。
$ip1 = @{ IpProtocol="tcp"; FromPort="22"; ToPort="22"; IpRanges="203.0.113.25/32" } $ip2 = @{ IpProtocol="tcp"; FromPort="3389"; ToPort="3389"; IpRanges="203.0.113.25/32" } Grant-EC2SecurityGroupIngress -GroupId sg-12345678 -IpPermission @( $ip1, $ip2 )範例 2:使用 PowerShell 版本 2 時,您必須使用 New-Object 來建立 IpPermission 物件。
$ip1 = New-Object Amazon.EC2.Model.IpPermission $ip1.IpProtocol = "tcp" $ip1.FromPort = 22 $ip1.ToPort = 22 $ip1.IpRanges.Add("203.0.113.25/32") $ip2 = new-object Amazon.EC2.Model.IpPermission $ip2.IpProtocol = "tcp" $ip2.FromPort = 3389 $ip2.ToPort = 3389 $ip2.IpRanges.Add("203.0.113.25/32") Grant-EC2SecurityGroupIngress -GroupId sg-12345678 -IpPermission @( $ip1, $ip2 )範例 3:此範例定義 EC2-Classic 安全群組的傳入規則。這些規則授予 SSH(連接埠 22) 和 RDC(連接埠 3389) 的特定 IP 地址存取權。此範例使用的語法需要 3 版或更高 PowerShell 版本。
$ip1 = @{ IpProtocol="tcp"; FromPort="22"; ToPort="22"; IpRanges="203.0.113.25/32" } $ip2 = @{ IpProtocol="tcp"; FromPort="3389"; ToPort="3389"; IpRanges="203.0.113.25/32" } Grant-EC2SecurityGroupIngress -GroupName "my-security-group" -IpPermission @( $ip1, $ip2 )範例 4:使用 PowerShell 版本 2 時,您必須使用 New-Object 來建立 IpPermission 物件。
$ip1 = New-Object Amazon.EC2.Model.IpPermission $ip1.IpProtocol = "tcp" $ip1.FromPort = 22 $ip1.ToPort = 22 $ip1.IpRanges.Add("203.0.113.25/32") $ip2 = new-object Amazon.EC2.Model.IpPermission $ip2.IpProtocol = "tcp" $ip2.FromPort = 3389 $ip2.ToPort = 3389 $ip2.IpRanges.Add("203.0.113.25/32") Grant-EC2SecurityGroupIngress -GroupName "my-security-group" -IpPermission @( $ip1, $ip2 )範例 5:此範例會將TCP連接埠 8081 從指定的來源安全群組 (sg-1a2b3c4d) 的存取權授予指定的安全群組 (sg-12345678)。
$ug = New-Object Amazon.EC2.Model.UserIdGroupPair $ug.GroupId = "sg-1a2b3c4d" $ug.UserId = "123456789012" Grant-EC2SecurityGroupIngress -GroupId sg-12345678 -IpPermission @( @{ IpProtocol="tcp"; FromPort="8081"; ToPort="8081"; UserIdGroupPairs=$ug } )範例 6:此範例會將 CIDR 5.5.5.5/32 新增至安全群組 sg-1234abcd 的輸入規則,以說明TCP連接埠 22 流量。
$IpRange = New-Object -TypeName Amazon.EC2.Model.IpRange $IpRange.CidrIp = "5.5.5.5/32" $IpRange.Description = "SSH from Office" $IpPermission = New-Object Amazon.EC2.Model.IpPermission $IpPermission.IpProtocol = "tcp" $IpPermission.ToPort = 22 $IpPermission.FromPort = 22 $IpPermission.Ipv4Ranges = $IpRange Grant-EC2SecurityGroupIngress -GroupId sg-1234abcd -IpPermission $IpPermission-
如需API詳細資訊,請參閱 AWS Tools for PowerShell Cmdlet 參考 AuthorizeSecurityGroupIngress中的 。
-
- Python
-
- SDK for Python (Boto3)
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 class SecurityGroupWrapper: """Encapsulates Amazon Elastic Compute Cloud (Amazon EC2) security group actions.""" def __init__(self, ec2_client: boto3.client, security_group: Optional[str] = None): """ Initializes the SecurityGroupWrapper with an EC2 client and an optional security group ID. :param ec2_client: A Boto3 Amazon EC2 client. This client provides low-level access to AWS EC2 services. :param security_group: The ID of a security group to manage. This is a high-level identifier that represents the security group. """ self.ec2_client = ec2_client self.security_group = security_group @classmethod def from_client(cls) -> "SecurityGroupWrapper": """ Creates a SecurityGroupWrapper instance with a default EC2 client. :return: An instance of SecurityGroupWrapper initialized with the default EC2 client. """ ec2_client = boto3.client("ec2") return cls(ec2_client) def authorize_ingress(self, ssh_ingress_ip: str) -> Optional[Dict[str, Any]]: """ Adds a rule to the security group to allow access to SSH. :param ssh_ingress_ip: The IP address that is granted inbound access to connect to port 22 over TCP, used for SSH. :return: The response to the authorization request. The 'Return' field of the response indicates whether the request succeeded or failed, or None if no security group is set. :raise Handles AWS SDK service-level ClientError, with special handling for ResourceAlreadyExists """ if self.security_group is None: logger.info("No security group to update.") return None try: ip_permissions = [ { # SSH ingress open to only the specified IP address. "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": f"{ssh_ingress_ip}/32"}], } ] response = self.ec2_client.authorize_security_group_ingress( GroupId=self.security_group, IpPermissions=ip_permissions ) except ClientError as err: if err.response["Error"]["Code"] == "InvalidPermission.Duplicate": logger.error( f"The SSH ingress rule for IP {ssh_ingress_ip} already exists" f"in security group '{self.security_group}'." ) raise else: return response-
如需API詳細資訊,請參閱 AuthorizeSecurityGroupIngress 中的 AWS SDK for Python (Boto3) API參考 。
-
- Rust
-
- SDK for Rust
-
注意
還有更多 。 GitHub尋找完整範例,並了解如何在 AWS 程式碼範例儲存庫
中設定和執行。 /// Add an ingress rule to a security group explicitly allowing IPv4 address /// as {ip}/32 over TCP port 22. pub async fn authorize_security_group_ssh_ingress( &self, group_id: &str, ingress_ips: Vec<Ipv4Addr>, ) -> Result<(), EC2Error> { tracing::info!("Authorizing ingress for security group {group_id}"); self.client .authorize_security_group_ingress() .group_id(group_id) .set_ip_permissions(Some( ingress_ips .into_iter() .map(|ip| { IpPermission::builder() .ip_protocol("tcp") .from_port(22) .to_port(22) .ip_ranges(IpRange::builder().cidr_ip(format!("{ip}/32")).build()) .build() }) .collect(), )) .send() .await?; Ok(()) }-
如需API詳細資訊,請參閱 AuthorizeSecurityGroupIngress
中的 AWS SDK for Rust API參考 。
-
如需開發人員指南和程式碼範例的完整清單 AWS SDK,請參閱 使用 建立 Amazon EC2 資源 AWS SDK。本主題也包含入門的相關資訊,以及先前SDK版本的詳細資訊。
AuthorizeSecurityGroupEgress
CancelCapacityReservation