AuthorizeSecurityGroupIngress - Amazon Elastic Compute Cloud
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AuthorizeSecurityGroupIngress

Adds the specified inbound (ingress) rules to a security group.

An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 CIDR address range, or from the instances that are associated with the specified destination security groups. When specifying an inbound rule for your security group in a VPC, the IpPermissions must include a source for the traffic.

You specify a protocol for each rule (for example, TCP). For TCP and UDP, you must also specify the destination port or port range. For ICMP/ICMPv6, you must also specify the ICMP/ICMPv6 type and code. You can use -1 to mean all types or all codes.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

For more information about VPC security group quotas, see Amazon VPC quotas.

Note

We are retiring EC2-Classic. We recommend that you migrate from EC2-Classic to a VPC. For more information, see Migrate from EC2-Classic to a VPC in the Amazon Elastic Compute Cloud User Guide.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.

CidrIp

The IPv4 address range, in CIDR format. You can't specify this parameter when specifying a source security group. To specify an IPv6 address range, use a set of IP permissions.

Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.

Type: String

Required: No

DryRun

Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No

FromPort

If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP, this is the type number. A value of -1 indicates all ICMP types. If you specify all ICMP types, you must specify all ICMP codes.

Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.

Type: Integer

Required: No

GroupId

The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.

Type: String

Required: No

GroupName

[EC2-Classic, default VPC] The name of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.

Type: String

Required: No

IpPermissions.N

The sets of IP permissions.

Type: Array of IpPermission objects

Required: No

IpProtocol

The IP protocol name (tcp, udp, icmp) or number (see Protocol Numbers). To specify icmpv6, use a set of IP permissions.

[VPC only] Use -1 to specify all protocols. If you specify -1 or a protocol other than tcp, udp, or icmp, traffic on all ports is allowed, regardless of any ports you specify.

Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.

Type: String

Required: No

SourceSecurityGroupName

[EC2-Classic, default VPC] The name of the source security group. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the start of the port range, the IP protocol, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead. For EC2-VPC, the source security group must be in the same VPC.

Type: String

Required: No

SourceSecurityGroupOwnerId

[nondefault VPC] The Amazon account ID for the source security group, if the source security group is in a different account. You can't specify this parameter in combination with the following parameters: the CIDR IP address range, the IP protocol, the start of the port range, and the end of the port range. Creates rules that grant full ICMP, UDP, and TCP access. To create a rule with a specific IP protocol and port range, use a set of IP permissions instead.

Type: String

Required: No

TagSpecification.N

[VPC Only] The tags applied to the security group rule.

Type: Array of TagSpecification objects

Required: No

ToPort

If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP, this is the code. A value of -1 indicates all ICMP codes. If you specify all ICMP types, you must specify all ICMP codes.

Alternatively, use a set of IP permissions to specify multiple rules and a description for the rule.

Type: Integer

Required: No

Response Elements

The following elements are returned by the service.

requestId

The ID of the request.

Type: String

return

Returns true if the request succeeds; otherwise, returns an error.

Type: Boolean

securityGroupRuleSet

Information about the inbound (ingress) security group rules that were added.

Type: Array of SecurityGroupRule objects

Errors

For information about the errors that are common to all actions, see Common client error codes.

Examples

Example 1

[EC2-Classic] This example request grants TCP port 80 access from the 192.0.2.0/24 and 198.51.100.0/24 IPv4 address ranges to the security group in EC2-Classic named websrv.

Sample Request

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupName=websrv &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=80 &IpPermissions.1.ToPort=80 &IpPermissions.1.IpRanges.1.CidrIp=192.0.2.0/24 &IpPermissions.1.IpRanges.2.CidrIp=198.51.100.0/24 &AUTHPARAMS

Example 2

[EC2-Classic, default VPC] This example request grants full ICMP, UDP, and TCP access from a source group called webserver1 (in Amazon account 123456789012) to a security group in your account with the ID sg-1a2b3c4d. For EC2-VPC, the group owner ID parameter is not required, and the source security group must be in the same VPC. For an example of granting access to specific protocols and ports, see example 3.

Sample Request

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupId=sg-1a2b3c4d &SourceSecurityGroupOwnerId=123456789012 &SourceSecurityGroupName=webserver1 &AUTHPARAMS

Example 3

[EC2-Classic, default VPC] This example request grants TCP port 80 access from the source group named OtherAccountGroup (in Amazon account 123456789012) to the security group named websrv. For EC2-VPC, the user ID parameter is not required, and the source security group must be in the same VPC.

Sample Request

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupName=websrv &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=80 &IpPermissions.1.ToPort=80 &IpPermissions.1.Groups.1.GroupName=OtherAccountGroup &IpPermissions.1.Groups.1.UserId=123456789012 &AUTHPARAMS

Example 4

[EC2-VPC] This example request grants TCP port 80 access from the source group sg-2a2b3c4d to the security group sg-1a2b3c4d. In EC2-VPC, you must use the security group IDs in a request, not the security group names. The source security group must be in the same VPC or in a peer VPC (requires a VPC peering connection).

Sample Request

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupId=sg-1a2b3c4d &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=80 &IpPermissions.1.ToPort=80 &IpPermissions.1.Groups.1.GroupId=sg-2a2b3c4d &AUTHPARAMS

Example 5

[EC2-Classic, default VPC] This example request grants your local system the ability to use SSH (port 22) to connect to any instance in the security group named default. For a nondefault VPC, use the GroupId parameter instead.

Sample Request

https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &GroupName=default &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=22 &IpPermissions.1.ToPort=22 &IpPermissions.1.IpRanges.1.CidrIp=your-local-system's-public-ip-address/32 &AUTHPARAMS

Example 6

[EC2-Classic, default VPC] This example request grants your local system the ability to use Remote Desktop (port 3389) to connect to any instance in the security group named default. For a nondefault VPC, use the GroupId parameter instead.

Sample Request

https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &GroupName=default &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=3389 &IpPermissions.1.ToPort=3389 &IpPermissions.1.IpRanges.1.CidrIp=your-local-system's-public-ip-address/32

Example 7

[EC2-VPC] This example grants SSH access (port 22) from the IPv6 range 2001:db8:1234:1a00::/64.

Sample Request

https://ec2.amazonaws.com/ ?Action=AuthorizeSecurityGroupIngress &GroupId=sg-1a2b3c4d &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=22 &IpPermissions.1.ToPort=22 &IpPermissions.1.Ipv6Ranges.1.CidrIpv6=2001:db8:1234:1a00::/64 &AUTHPARAMS

Example 8

This example grants access over port 3389 (RDP) from the 192.0.2.0/24 IPv4 address range, and includes a description for the rule to help you identify the rule later.

Sample Request

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress &GroupId=sg-112233 &IpPermissions.1.IpProtocol=tcp &IpPermissions.1.FromPort=3389 &IpPermissions.1.ToPort=3389 &IpPermissions.1.IpRanges.1.CidrIp=192.0.2.0/24 &IpPermissions.1.IpRanges.1.Description=Access from New York office

See Also

For more information about using this API in one of the language-specific Amazon SDKs, see the following: