Class: AWS::EC2::SecurityGroup
Parent: Resource
Defined in: lib/aws/ec2/security_group/ip_permission.rb, lib/aws/ec2/security_group/ip_permission_collection.rb, lib/aws/ec2/security_group.rb
Represents a security group in EC2.
@attr_reader [String] description The short informal description
given when the group was created.
@attr_reader [String] name The name of the security group.
@attr_reader [String] owner_id The security group owner's id.
@attr_reader [String,nil] vpc_id If this is a VPC security group,
vpc_id is the ID of the VPC this group was created in. Returns false otherwise.
security_group_id [R] @return [String] (aliases: group_id, id)
Adds ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of allowed IP ranges the ping can come from.
    security_group.allow_ping # anyone can ping servers in this group

    # only allow ping from a particular address (a /32 prefix names exactly
    # that host; a /0 prefix would match every address)
    security_group.allow_ping('123.123.123.123/32')
@param [String] sources One or more IP ranges to allow ping from.
Defaults to 0.0.0.0/0
@return [nil]
Authorize egress (outbound) traffic for a VPC security group.
    # allow traffic for all protocols/ports from the given sources
    security_group.authorize_egress('10.0.0.0/16', '10.0.0.1/16')

    # allow tcp traffic outbound via port 80
    security_group.authorize_egress('10.0.0.0/16', :protocol => :tcp, :ports => 80..80)
@note Calling this method on a non-VPC security group raises an error.
@overload authorize_egress(*sources, options = {})
@param [Mixed] sources One or more CIDR IP addresses, security groups or load balancers. See {#authorize_ingress} for more information on accepted formats for sources.
@param [Hash] options
@option options [Symbol] :protocol (:any) The protocol name or number to authorize egress traffic for. For a complete list of protocols see: [protocol-numbers.xml](http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml)
@option options [Range<Integer>,Integer] :ports (nil) An optional port or range of ports. Whether this option is required depends on the protocol.
@return [nil]
Adds ingress rules to this security group. Ingress rules permit inbound traffic over a given protocol, for a given port range, from one or more sources (IP ranges, security groups or load balancers).
This example grants the whole internet (0.0.0.0/0) access to port 80 over TCP (HTTP web traffic).
    security_group.authorize_ingress(:tcp, 80)
You can specify port ranges as well:
    # ftp
    security_group.authorize_ingress(:tcp, 20..21)
## Sources
Security groups accept ingress traffic from:
### IP Addresses
The following example allows incoming SSH from a list of IP address ranges:
    # /32 prefixes: exactly these two hosts
    security_group.authorize_ingress(:tcp, 22, '111.111.111.111/32', '222.222.222.222/32')
### Security Groups
To authorize ingress traffic from all EC2 instances in another security group, just pass the security group:
    web = security_groups.create('webservers')
    db = security_groups.create('database')
    db.authorize_ingress(:tcp, 3306, web)
You can also pass a hash of security group details instead of a {SecurityGroup} object.
    # by security group name
    sg.authorize_ingress(:tcp, 80, { :group_name => 'other-group' })

    # by security group id
    sg.authorize_ingress(:tcp, 80, { :group_id => 'sg-1234567' })
If the security group belongs to a different account, just make sure it has the correct owner ID populated:
    not_my_sg = SecurityGroup.new('sg-1234567', :owner_id => 'abcxyz123')
    my_sg.authorize_ingress(:tcp, 80, not_my_sg)
You can do the same with a hash as well (with either `:group_id` or `:group_name`):
    sg.authorize_ingress(:tcp, 21..22, { :group_id => 'sg-id', :user_id => 'abcxyz123' })
### Load Balancers
If you use ELB to manage load balancers, then you need to add ingress permissions to the security groups they route traffic into. You can do this by passing the {ELB::LoadBalancer} into authorize_ingress:
    load_balancer = AWS::ELB.new.load_balancers['web-load-balancer']
    sg.authorize_ingress(:tcp, 80, load_balancer)
### Multiple Sources
You can provide multiple sources each time you call authorize_ingress, and you can mix and match the source types:
    sg.authorize_ingress(:tcp, 80, other_sg, '1.2.3.4/32', load_balancer)
@param [String, Symbol] protocol Should be :tcp, :udp or :icmp
or the string equivalent.
@param [Integer, Range] ports The port (or port range) to allow
traffic through. You can pass a single integer (like 80) or a range (like 20..21).
@param [Mixed] sources One or more CIDR IP addresses, security groups, or load balancers. Security groups can be specified as hashes. A security group hash must provide either `:group_id` or `:group_name` for the security group. If the security group does not belong to your AWS account then you must also provide `:user_id` (which can be an AWS account ID or alias).
@return [nil]
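An added example (not code from the SDK or its documentation): a small Ruby lint for the (protocol, ports, *sources) argument shapes described above, meant to run before the call reaches EC2. It flags a host address written with a /0 prefix (a prefix length of 0 covers every address, whatever is written before the slash), non-canonical CIDRs, out-of-range ports, undocumented protocols and security group hashes missing `:group_id`/`:group_name`; the IngressRuleLint module and its method names are assumptions of this example.

```ruby
require 'ipaddr'

# Added example, not part of the SDK: lints the (protocol, ports, *sources)
# arguments authorize_ingress accepts. Returns an array of warnings; empty
# means the rule says what it appears to say.
module IngressRuleLint
  PROTOCOLS = %w[tcp udp icmp].freeze   # the protocols authorize_ingress documents

  def self.check(protocol, ports, *sources)
    warnings = []
    proto = protocol.to_s
    warnings << "unknown protocol #{proto.inspect}" unless PROTOCOLS.include?(proto)
    range = ports.is_a?(Range) ? ports : (ports..ports)
    unless (0..65535).cover?(range.min) && (0..65535).cover?(range.max)
      warnings << "port range #{range} is outside 0..65535"
    end

    # authorize_ingress(:tcp, 80) with no sources opens the port to the whole
    # internet, so lint an empty source list as 0.0.0.0/0.
    sources = ['0.0.0.0/0'] if sources.empty?
    sources.each do |src|
      case src
      when String
        warnings.concat(check_cidr(src))
      when Hash
        unless src.key?(:group_id) || src.key?(:group_name)
          warnings << "security group hash needs :group_id or :group_name: #{src.inspect}"
        end
      else
        warnings << "unsupported source #{src.inspect}"
      end
    end
    warnings
  end

  # The prefix length decides what a CIDR covers, not the host part written
  # before the slash: 1.2.3.4/0 covers every address and 10.0.0.1/16 covers
  # 10.0.0.0/16, so a host address with the wrong prefix silently widens the rule.
  def self.check_cidr(cidr)
    addr, prefix = cidr.split('/', 2)
    return ["#{cidr} has no prefix length; use #{addr}/32 for one host"] if prefix.nil?
    net = IPAddr.new(cidr)                # raises on a bad address or prefix
    return ["#{cidr} is open to the whole internet (0.0.0.0/0)"] if prefix.to_i.zero?
    return [] if net.to_s == addr         # host bits were all zero: covers what it says
    ["#{cidr} actually matches #{net}/#{prefix.to_i}; did you mean #{addr}/32?"]
  rescue IPAddr::InvalidAddressError
    ["#{cidr} is not a valid CIDR"]
  end
end
```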
Deletes this security group.
If you attempt to delete a security group that contains instances, or attempt to delete a security group that is referenced by another security group, an error is raised. For example, if security group B has a rule that allows access from security group A, security group A cannot be deleted until the rule is removed.
@return [nil]
Removes ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of IP ranges to revoke.
@param [String] sources One or more IP ranges to disallow ping from.
Defaults to 0.0.0.0/0
@return [nil]
@return [SecurityGroup::EgressIpPermissionCollection] Returns a
collection of {IpPermission} objects that represents all of the egress permissions this security group has authorizations for.
@return [SecurityGroup::IngressIpPermissionCollection] Returns a
collection of {IpPermission} objects that represents all of the (ingress) permissions this security group has authorizations for.
@return [InstanceCollection] Returns an instance collection that will
only enumerate instances in this security group.
Revokes an egress (outbound) IP permission. This is the inverse operation of {authorize_egress}. See {authorize_egress} for param and option documentation.
@see authorize_egress
@return [nil]
Revokes an ingress (inbound) IP permission. This is the inverse operation of {authorize_ingress}. See {authorize_ingress} for param and option documentation.
@see authorize_ingress
@return [nil]