Work with security groups

To create a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Choose Create security group.

4. In the Basic details section, do the following.

   1. Enter a descriptive name and brief description for the security group. They can't be edited after the security group is created. The name and description can be up to 255 characters long. The valid characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=&;{}!$*.

   2. For VPC, choose the VPC.

5. You can add security group rules now, or you can add them later. For more information, see Add rules to a security group.

6. You can add tags now, or you can add them later. To add a tag, choose Add new tag and enter the tag key and value.

7. Choose Create security group.

To create a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Choose Create Security Group.

4. Specify a name and description for the security group.

5. For VPC, choose the ID of the VPC.

6. You can start adding rules, or you can choose Create to create the security group now (you can always add rules later). For more information about adding rules, see Add rules to a security group.

To copy a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group to copy and choose Actions, Copy to new security group.

4. Specify a name and optional description, and change the VPC and security group rules if needed.

5. Choose Create.

To copy a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group you want to copy, choose Actions, Copy to new.

4. The Create Security Group dialog opens, and is populated with the rules from the existing security group. Specify a name and description for your new security group. For VPC, choose the ID of the VPC. When you are done, choose Create.

To view your security groups

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Your security groups are listed. To view the details for a specific security group, including its inbound and outbound rules, choose its ID in the Security group ID column.

To view your security groups

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. (Optional) Select VPC ID from the filter list, then choose the ID of the VPC.

4. Select a security group. General information is displayed on the Description tab, inbound rules on the Inbound tab, outbound rules on the Outbound tab, and tags on the Tags tab.

To add an inbound rule to a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group, and choose Actions, Edit inbound rules.

4. For each rule, choose Add rule and do the following.

   1. For Type, choose the type of protocol to allow.

      • For custom TCP or UDP, you must enter the port range to allow.

      • For custom ICMP, you must choose the ICMP type from Protocol, and, if applicable, the code from Port range. For example, to allow ping commands, choose Echo Request from Protocol.

      • For any other type, the protocol and port range are configured for you.

   2. For Source, do one of the following to allow traffic.

      • Choose Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list.

      • Choose Anywhere to allow all traffic for the specified protocol to reach your instance. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. If your security group is in a VPC that's enabled for IPv6, this option automatically adds a rule for the ::/0 IPv6 CIDR block.

        Warning

        If you choose Anywhere, you enable all IPv4 and IPv6 addresses to access your instance the specified protocol. If you are adding rules for ports 22 (SSH) or 3389 (RDP), you should authorize only a specific IP address or range of addresses to access your instance.

      • Choose My IP to allow inbound traffic from only your local computer's public IPv4 address.

   3. For Description, optionally specify a brief description for the rule.

5. Choose Preview changes, Save rules.

To add an outbound rule to a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group, and choose Actions, Edit outbound rules.

4. For each rule, choose Add rule and do the following.

   1. For Type, choose the type of protocol to allow.

      • For custom TCP or UDP, you must enter the port range to allow.

      • For custom ICMP, you must choose the ICMP type from Protocol, and, if applicable, the code from Port range.

      • For any other type, the protocol and port range are configured automatically.

   2. For Destination, do one of the following.

      • Choose Custom and then enter an IP address in CIDR notation, a CIDR block, another security group, or a prefix list for which to allow outbound traffic.

      • Choose Anywhere to allow outbound traffic to all IP addresses. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the destination.

        If your security group is in a VPC that's enabled for IPv6, this option automatically adds a rule for the ::/0 IPv6 CIDR block.

      • Choose My IP to allow outbound traffic only to your local computer's public IPv4 address.

   3. (Optional) For Description, specify a brief description for the rule.

5. Choose Preview changes, Confirm.

To add rules to a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups and select the security group.

3. On the Inbound tab, choose Edit.

4. In the dialog, choose Add Rule and do the following:

   • For Type, select the protocol.

   • If you select a custom TCP or UDP protocol, specify the port range in Port Range.

   • If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range. For example, to allow ping commands, choose Echo Request from Protocol.

   • For Source, choose one of the following:

     • Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.

     • Choose Anywhere to allow all traffic for the specified protocol to reach your instance. This option automatically adds the 0.0.0.0/0 IPv4 CIDR block as the source. If your security group is in a VPC that's enabled for IPv6, this option automatically adds a rule for the ::/0 IPv6 CIDR block.

       Warning

       If you choose Anywhere, you enable all IPv4 and IPv6 addresses to access your instance using the specified protocol. If you are adding rules for ports 22 (SSH) or 3389 (RDP), you should authorize only a specific IP address or range of addresses to access your instance.

     • My IP: automatically adds the public IPv4 address of your local computer.

   • For Description, you can optionally specify a description for the rule.

   For more information about the types of rules that you can add, see Security group rules for different use cases.

5. Choose Save.

6. You can also specify outbound rules. On the Outbound tab, choose Edit, Add Rule, and do the following:

   • For Type, select the protocol.

   • If you select a custom TCP or UDP protocol, specify the port range in Port Range.

   • If you select a custom ICMP protocol, choose the ICMP type name from Protocol, and, if applicable, the code name from Port Range.

   • For Destination, choose one of the following:

     • Custom: in the provided field, you must specify an IP address in CIDR notation, a CIDR block, or another security group.

     • Anywhere: automatically adds the 0.0.0.0/0 IPv4 CIDR block. This option enables outbound traffic to all IP addresses.

       If your security group is in a VPC that's enabled for IPv6, the Anywhere option creates two rules—one for IPv4 traffic (0.0.0.0/0) and one for IPv6 traffic (::/0).

     • My IP: automatically adds the IP address of your local computer.

   • For Description, you can optionally specify a description for the rule.

7. Choose Save.

To update a security group rule

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group.

4. Choose Actions, Edit inbound rules to update a rule for inbound traffic or Actions, Edit outbound rules to update a rule for outbound traffic.

5. Update the rule as required.

6. Choose Preview changes, Confirm.

To tag a security group rule

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group.

4. On the Inbound rules or Outbound rules tab, select the check box for the rule and then choose Manage tags.

5. The Manage tags page displays any tags that are assigned to the rule. To add a tag, choose Add tag and enter the tag key and value. To delete a tag, choose Remove next to the tag that you want to delete.

6. Choose Save changes.

To update a security group rule

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group to update, and choose the Inbound tab to update a rule for inbound traffic or the Outbound tab to update a rule for outbound traffic.

4. Choose Edit.

5. Modify the rule entry as required and choose Save.

To delete a security group rule

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group to update, choose Actions, and then choose Edit inbound rules to remove an inbound rule or Edit outbound rules to remove an outbound rule.

4. Choose the Delete button to the right of the rule to delete.

5. Choose Preview changes, Confirm.

To delete a security group rule

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select a security group.

4. On the Inbound tab (for inbound rules) or Outbound tab (for outbound rules), choose Edit. Choose Delete (a cross icon) next to each rule to delete.

5. Choose Save.

To delete a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select the security group to delete and choose Actions, Delete security group, Delete.

To delete a security group

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Security Groups.

3. Select a security group and choose Actions, Delete Security Group.

4. Choose Yes, Delete.

To change the security groups for an instance using the console

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Instances.

3. Select your instance, and then choose Actions, Security, Change security groups.

4. For Associated security groups, select a security group from the list and choose Add security group.

   To remove an already associated security group, choose Remove for that security group.

5. Choose Save.

To change the security groups for an instance using the console

1. Open the Amazon EC2 console at https://console.amazonaws.cn/ec2/.

2. In the navigation pane, choose Instances.

3. Select your instance, and then choose Actions, Networking, Change Security Groups.

4. To add one or more security groups, select its check box.

   To remove an already associated security group, clear its check box.

5. Choose Assign Security Groups.