Class AWS::EC2::SecurityGroup
In: lib/aws/ec2/security_group.rb
lib/aws/ec2/security_group/egress_ip_permission_collection.rb
lib/aws/ec2/security_group/ip_permission.rb
lib/aws/ec2/security_group/ingress_ip_permission_collection.rb
Parent: Resource

Represents a security group in EC2.

@attr_reader [String] description The short informal description

  given when the group was created.

@attr_reader [String] name The name of the security group.

@attr_reader [String] owner_id The security group owner's id.

@attr_reader [String,nil] vpc_id If this is a VPC security group,

  vpc_id is the ID of the VPC this group was created in.
  Returns nil otherwise.

Methods

Included Modules

TaggedItem

Classes and Modules

Class AWS::EC2::SecurityGroup::EgressIpPermissionCollection
Class AWS::EC2::SecurityGroup::IngressIpPermissionCollection
Class AWS::EC2::SecurityGroup::IpPermission

Constants

IpPermissionCollection = IngressIpPermissionCollection   alias for ingress permissions

External Aliases

security_group_id -> group_id
security_group_id -> id

Attributes

security_group_id  [R]  @return [String]

Public Class methods

Public Instance methods

Adds ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of allowed IP ranges the ping can come from.

  security_group.allow_ping # anyone can ping servers in this group

  # only allow ping from a particular address (a /32 is a single host;
  # '123.123.123.123/0' would be the same as 0.0.0.0/0, i.e. everyone)
  security_group.allow_ping('123.123.123.123/32')

@param [String] ip_ranges One or more IP ranges to allow ping from.

  Defaults to 0.0.0.0/0

@return [nil]

Authorize egress (outbound) traffic for a VPC security group.

  # allow traffic for all protocols/ports to the given destination ranges
  security_group.authorize_egress('10.0.0.0/16', '10.1.0.0/16')

  # allow tcp traffic outbound via port 80
  security_group.authorize_egress('10.0.0.0/16',
    :protocol => :tcp, :ports => 80..80)

@note Calling this method on a non-VPC security group raises an error.

@overload authorize_egress(*sources, options = {})

  @param [Mixed] sources One or more CIDR IP addresses,
    security groups or load balancers.  See {#authorize_ingress}
    for more information on accepted formats for sources.

  @param [Hash] options

  @option options [Symbol] :protocol (:any) The protocol name or number
    to authorize egress traffic for.  For a complete list of protocols
    see: {http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml}

  @option options [Range<Integer>,Integer] :ports (nil) An optional
    port or range of ports.  This option is required depending on
    the protocol.

@return [nil]

Adds an ingress rule to this security group. Ingress rules permit inbound traffic over a given protocol for a given port range from one or more source IP addresses.

This example grants the whole internet (0.0.0.0/0) access to port 80 over TCP (HTTP web traffic).

  security_group.authorize_ingress(:tcp, 80)

You can specify port ranges as well:

  # ftp
  security_group.authorize_ingress(:tcp, 20..21)

Sources

Security groups accept ingress traffic from:

  • CIDR IP addresses
  • security groups
  • load balancers

Ip Addresses

The following example allows incoming SSH from a list of single-host IP ranges (note the /32: a /0 suffix would mean 0.0.0.0/0, i.e. everyone).

  security_group.authorize_ingress(:tcp, 22,
    '111.111.111.111/32', '222.222.222.222/32')

Security Groups

To authorize ingress traffic from all EC2 instances in another security group, just pass the security group:

  web = security_groups.create('webservers')
  db = security_groups.create('database')
  db.authorize_ingress(:tcp, 3306, web)

You can also pass a hash of security group details instead of a {SecurityGroup} object.

  # by security group name
  sg.authorize_ingress(:tcp, 80, { :group_name => 'other-group' })

  # by security group id
  sg.authorize_ingress(:tcp, 80, { :group_id => 'sg-1234567' })

If the security group belongs to a different account, just make sure it has the correct owner ID populated:

  not_my_sg = SecurityGroup.new('sg-1234567', :owner_id => 'abcxyz123')
  my_sg.authorize_ingress(:tcp, 80, not_my_sg)

You can do the same with a hash as well (with either +:group_id+ or +:group_name+):

  sg.authorize_ingress(:tcp, 21..22, { :group_id => 'sg-id', :user_id => 'abcxyz123' })

Load Balancers

If you use ELB to manage load balancers, then you need to add ingress permissions to the security groups they route traffic into. You can do this by passing the {ELB::LoadBalancer} into authorize_ingress:

  load_balancer = AWS::ELB.new.load_balancers['web-load-balancer']

  sg.authorize_ingress(:tcp, 80, load_balancer)

Multiple Sources

You can provide multiple sources each time you call authorize ingress, and you can mix and match the source types:

  sg.authorize_ingress(:tcp, 80, other_sg, '1.2.3.4/32', load_balancer)

@param [String, Symbol] protocol Should be :tcp, :udp or :icmp

  or the string equivalent.

@param [Integer, Range] ports The port (or port range) to allow

  traffic through.  You can pass a single integer (like 80)
  or a range (like 20..21).

@param [Mixed] sources One or more CIDR IP addresses,

  security groups, or load balancers.  Security groups
  can be specified as hashes.

  A security group hash must provide either +:group_id+ or
  +:group_name+ for the security group.  If the security group
  does not belong to your AWS account then you must also
  provide +:user_id+ (which can be an AWS account ID or alias).

@return [nil]
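The source forms described above, as an added example that is not the SDK's own code: a helper that turns the same mixed argument list (CIDR strings and security-group hashes with +:group_id+/+:group_name+ and an optional +:user_id+) into the permission hash an EC2 AuthorizeSecurityGroupIngress request carries. The snake_case key names (:ip_protocol, :from_port, :to_port, :ip_ranges, :user_id_group_pairs) follow the style of the v1 client's hash parameters and are this example's assumption. The check a reviewer wants is in normalize_cidr: a source such as '1.2.3.4/0' has host bits set and really admits 0.0.0.0/0, because the prefix length, not the address, decides what the rule allows, so it is rejected before any API call.

```ruby
require 'ipaddr'

# Added example, not the aws-sdk's own code.  Builds the permission hash
# for an EC2 AuthorizeSecurityGroupIngress call from the mixed source list
# authorize_ingress accepts (CIDR strings and security-group hashes).
# Key names mirror the snake_case hash parameters of the v1 client; that
# mapping is an assumption of this example.
module IngressRuleBuilder
  class InvalidSource < ArgumentError; end

  # '1.2.3.4/0' is really 0.0.0.0/0: the prefix length, not the address,
  # decides what is admitted.  Refuse any CIDR whose host bits are set so a
  # typo cannot silently open a rule to the whole internet.
  def self.normalize_cidr(cidr)
    addr, prefix = cidr.split('/', 2)
    raise InvalidSource, "#{cidr}: missing prefix length" if prefix.nil?
    prefix = Integer(prefix, 10)
    ip = IPAddr.new(addr)
    max = ip.ipv4? ? 32 : 128
    raise InvalidSource, "#{cidr}: bad prefix length" unless (0..max).cover?(prefix)
    network = ip.mask(prefix)
    unless network == ip
      raise InvalidSource,
            "#{cidr} has host bits set: it covers #{network}/#{prefix}, " \
            "use /#{max} to allow a single host"
    end
    "#{network}/#{prefix}"
  end

  # A security-group source becomes a user_id_group_pair.  A group in another
  # account must carry that account's id (:user_id), otherwise EC2 resolves
  # the name or id in the caller's own account.
  def self.normalize_group(source)
    pair = {}
    pair[:group_id]   = source[:group_id]   if source[:group_id]
    pair[:group_name] = source[:group_name] if source[:group_name]
    raise InvalidSource, 'group source needs :group_id or :group_name' if pair.empty?
    owner = source[:user_id] || source[:owner_id]
    pair[:user_id] = owner if owner
    pair
  end

  # protocol: :tcp, :udp or :icmp (or the string); ports: Integer or Range;
  # sources: CIDR strings and/or security-group hashes, in any mix.
  def self.build(protocol, ports, *sources)
    from, to = ports.is_a?(Range) ? [ports.min, ports.max] : [ports, ports]
    permission = { :ip_protocol => protocol.to_s, :from_port => from, :to_port => to }
    cidrs, groups = [], []
    sources.each do |src|
      case src
      when String then cidrs  << { :cidr_ip => normalize_cidr(src) }
      when Hash   then groups << normalize_group(src)
      else raise InvalidSource, "unsupported source #{src.inspect}"
      end
    end
    permission[:ip_ranges]           = cidrs  unless cidrs.empty?
    permission[:user_id_group_pairs] = groups unless groups.empty?
    permission
  end
end

if __FILE__ == $PROGRAM_NAME
  # Would be passed as :ip_permissions => [permission] to the EC2 client.
  p IngressRuleBuilder.build(:tcp, 22, '111.111.111.111/32',
                             { :group_id => 'sg-1234567', :user_id => 'abcxyz123' })
  begin
    IngressRuleBuilder.build(:tcp, 22, '111.111.111.111/0')
  rescue IngressRuleBuilder::InvalidSource => e
    puts "rejected: #{e.message}"
  end
end
```

The {SecurityGroup} and {ELB::LoadBalancer} object forms are not handled here; in a real wrapper they would be reduced to the same hash shape (the group's id and owner id) before reaching build.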

Deletes this security group.

If you attempt to delete a security group that contains instances, or attempt to delete a security group that is referenced by another security group, an error is raised. For example, if security group B has a rule that allows access from security group A, security group A cannot be deleted until the rule is removed.

@return [nil]

Removes ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of IP ranges to revoke.

@param [String] ip_ranges One or more IP ranges to revoke ping from.

  Defaults to 0.0.0.0/0

@return [nil]

@return [SecurityGroup::EgressIpPermissionCollection] Returns a

  collection of {IpPermission} objects that represents all of
  the egress permissions this security group has authorizations for.

@return [Boolean] True if the security group exists.

@return [SecurityGroup::IngressIpPermissionCollection] Returns a

  collection of {IpPermission} objects that represents all of
  the (ingress) permissions this security group has
  authorizations for.
ip_permissions()
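The two permission collections above are what a review of a group's rules walks over. As an added example (not part of the SDK), the following audits a group for the findings a reviewer raises first: a sensitive service reachable from 0.0.0.0/0, a rule admitting all inbound traffic from anywhere, and unrestricted egress. The permissions are constructed hashes shaped after the fields an {IpPermission} exposes (protocol, port_range, ip_ranges, egress?); that shape, the SENSITIVE_PORTS table and the SAMPLE data are this example's assumptions, and a live run would build the hashes from sg.ip_permissions and sg.egress_ip_permissions.

```ruby
# Added example, not part of the SDK.  Audits a group's permissions for the
# rules a reviewer flags first: sensitive services reachable from the whole
# internet, all-traffic rules, and unrestricted egress.  The permissions are
# constructed hashes shaped after the fields an IpPermission exposes
# (protocol, port_range, ip_ranges, egress?); a live run would build them
# from sg.ip_permissions and sg.egress_ip_permissions.
module SecurityGroupAudit
  # Services that should never be reachable from 0.0.0.0/0 (assumed list).
  SENSITIVE_PORTS = {
    22 => 'ssh', 3389 => 'rdp', 3306 => 'mysql', 5432 => 'postgres',
    6379 => 'redis', 27017 => 'mongodb', 9200 => 'elasticsearch'
  }.freeze

  # A prefix length of 0 admits every source address (0.0.0.0/0, ::/0).
  def self.world_open?(cidr)
    cidr.include?('/') && cidr.split('/', 2).last.to_i == 0
  end

  # A nil port_range stands for "all ports" (the protocol :any case).
  def self.covers_port?(port_range, port)
    port_range.nil? || port_range.cover?(port)
  end

  # Returns an array of human-readable findings, empty when nothing is wrong.
  def self.findings(group_name, permissions)
    out = []
    permissions.each do |perm|
      open = perm[:ip_ranges].select { |c| world_open?(c) }
      next if open.empty?
      all_traffic = perm[:protocol] == :any || perm[:port_range].nil?
      if perm[:egress]
        out << "#{group_name}: egress to #{open.join(', ')} for all protocols and ports" if all_traffic
        next
      end
      if all_traffic
        out << "#{group_name}: all inbound traffic allowed from #{open.join(', ')}"
        next
      end
      # A port range can hide a sensitive port (3380..3400 contains rdp).
      SENSITIVE_PORTS.each do |port, name|
        next unless covers_port?(perm[:port_range], port)
        out << "#{group_name}: #{name} (#{perm[:protocol]}/#{port}) open to #{open.join(', ')}"
      end
    end
    out
  end

  # Constructed sample data for the example (not from a real account).
  SAMPLE = [
    { :protocol => :tcp,  :port_range => 80..80,     :ip_ranges => ['0.0.0.0/0'],   :egress => false },
    { :protocol => :tcp,  :port_range => 22..22,     :ip_ranges => ['0.0.0.0/0'],   :egress => false },
    { :protocol => :tcp,  :port_range => 3306..3306, :ip_ranges => ['10.0.0.0/16'], :egress => false },
    { :protocol => :icmp, :port_range => -1..-1,     :ip_ranges => ['0.0.0.0/0'],   :egress => false },
    { :protocol => :tcp,  :port_range => 3380..3400, :ip_ranges => ['0.0.0.0/0'],   :egress => false },
    { :protocol => :any,  :port_range => nil,        :ip_ranges => ['0.0.0.0/0'],   :egress => true  }
  ].freeze
end

if __FILE__ == $PROGRAM_NAME
  puts SecurityGroupAudit.findings('web', SecurityGroupAudit::SAMPLE)
end
```

Against SAMPLE the audit reports the world-open SSH rule, the RDP port hidden inside the 3380..3400 range, and the unrestricted egress rule; HTTP on 80 and ICMP ping from anywhere, and MySQL limited to 10.0.0.0/16, produce no finding.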

Revokes an egress (outbound) ip permission. This is the inverse operation to {authorize_egress}. See {authorize_egress} for param and option documentation.

@see authorize_egress

@return [nil]

Revokes an ingress (inbound) ip permission. This is the inverse operation to {authorize_ingress}. See {authorize_ingress} for param and option documentation.

@see authorize_ingress

@return [nil]

@return [VPC,nil] Returns the VPC this security group belongs to,

  or nil if this is not a VPC security group.

Returns true if this security group is a VPC security group and not an EC2 security group. VPC security groups belong to a VPC and can have egress rules.

@return [Boolean] Returns true if this is a VPC security group and

  false if this is an EC2 security group.

Protected Instance methods
