Amazon Elastic Compute Cloud
API Reference (API Version 2011-12-15)

AuthorizeSecurityGroupIngress

Description

Adds one or more ingress rules to a security group. This action applies to both EC2 security groups and VPC security groups. For information about VPC security groups and how they differ from EC2 security groups, go to Security Groups in the Amazon Virtual Private Cloud User Guide.

For EC2 security groups, this action gives one or more CIDR IP address ranges permission to access a security group in your account, or gives one or more security groups (called the source groups) permission to access a security group in your account. A source group can be in your own AWS account or in another account.

For VPC security groups, this action gives one or more CIDR IP address ranges permission to access a security group in your VPC, or gives one or more other security groups (called the source groups) permission to access a security group in your VPC. The groups must all be in the same VPC.

Each rule consists of the protocol (e.g., TCP), plus either a CIDR range or a source group. For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.

Rule changes are propagated to instances within the security group as quickly as possible. However, a small delay might occur.

Important

For EC2 security groups: You can have up to 100 rules per group.

For VPC security groups: You can have up to 50 rules total per group (covering both ingress and egress).

Request Parameters

Name | Description | Required

UserId

Deprecated

No

GroupId

ID of the EC2 or VPC security group to modify. The group must belong to your account.

Type: String

Default: None

Condition: Required for VPC security groups; can be used instead of GroupName for EC2 security groups

Conditional

GroupName

Name of the EC2 security group to modify.

Type: String

Default: None

Condition: Can be used instead of GroupId for EC2 security groups

Conditional

IpPermissions.n.IpProtocol

IP protocol name or number (go to Protocol Numbers). EC2 security groups can have rules only for TCP, UDP, and ICMP, whereas VPC security groups can have rules assigned to any protocol number.

When you call DescribeSecurityGroups, the protocol value returned is the number. Exception: For TCP, UDP, and ICMP, the value returned is the name (e.g., tcp, udp, or icmp).

Type: String

Valid Values for EC2 security groups: tcp | udp | icmp or the corresponding protocol number (6 | 17 | 1).

Valid Values for VPC groups: tcp | udp | icmp or any protocol number (go to Protocol Numbers). Use -1 to specify all.

Required

IpPermissions.n.FromPort

Start of port range for the TCP and UDP protocols, or an ICMP type number. For the ICMP type number, you can use -1 to specify all ICMP types.

Type: Integer

Default: None

Condition: Required for ICMP and any protocol that uses ports

Conditional

IpPermissions.n.ToPort

End of port range for the TCP and UDP protocols, or an ICMP code number. For the ICMP code number, you can use -1 to specify all ICMP codes for the given ICMP type.

Type: Integer

Default: None

Condition: Required for ICMP and any protocol that uses ports

Conditional

IpPermissions.n.Groups.m.UserId

AWS account ID that owns the source security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Condition: For EC2 security groups only. Required if modifying access for one or more source security groups.

Conditional

IpPermissions.n.Groups.m.GroupName

Name of the source security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Condition: Required if modifying access for one or more source security groups.

Conditional

IpPermissions.n.Groups.m.GroupId

ID of the source security group. Cannot be used when specifying a CIDR IP address.

Type: String

Default: None

Condition: For VPC security groups only. Required if modifying access for one or more source security groups.

Conditional

IpPermissions.n.IpRanges.m.CidrIp

CIDR range. Cannot be used when specifying a source security group.

Type: String

Default: None

Constraints: Valid CIDR IP address range.

Condition: Required if modifying access for one or more IP address ranges.

Conditional

Response Elements

The elements in the following table are wrapped in an AuthorizeSecurityGroupIngressResponse structure.

Name | Description

requestId

The ID of the request.

Type: xsd:string

return

Returns true if the request is successful. Otherwise, returns an error.

Type: xsd:boolean

Examples

Example Request

This example is for an EC2 security group. The request grants the 192.0.2.0/24 and 198.51.100.0/24 address ranges access to your websrv security group on TCP port 80.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.IpRanges.1.CidrIp=192.0.2.0/24
&IpPermissions.1.IpRanges.2.CidrIp=198.51.100.0/24
&AUTHPARAMS

Example Request

This example is for an EC2 security group. The request grants TCP port 80 access from the source group called OtherAccountGroup (in AWS account 999988887777) to your websrv security group.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupName=websrv
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.Groups.1.GroupName=OtherAccountGroup
&IpPermissions.1.Groups.1.UserId=999988887777
&AUTHPARAMS

Example Request

This example is for a VPC security group. The request grants TCP port 80 access from the source group called OtherGroupInMyVPC (sg-0a5d8e02) to your VpcWebServers security group (sg-140ba4c8). The request requires the group IDs and not the group names. Your AWS account ID is 111122223333.

https://ec2.amazonaws.com/?Action=AuthorizeSecurityGroupIngress
&GroupId=sg-140ba4c8
&IpPermissions.1.IpProtocol=tcp
&IpPermissions.1.FromPort=80
&IpPermissions.1.ToPort=80
&IpPermissions.1.Groups.1.GroupId=sg-0a5d8e02
&IpPermissions.1.Groups.1.UserId=111122223333
&AUTHPARAMS
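The following Python helper is an added example for this page, not AWS code. It builds the flattened IpPermissions.n.* parameters for requests like the three above from a structured rule list, enforcing the constraints stated in the parameter table (the protocol set allowed for EC2 versus VPC groups, FromPort/ToPort for TCP, UDP and ICMP with -1 as the ICMP wildcard, a grant being either a CIDR range or a source group, VPC groups addressed by GroupId, and the per-group rule limits from the Important box), and it flags any rule that opens a port to 0.0.0.0/0, which is the check most reviewers want before such a request is sent. Request signing (the AUTHPARAMS placeholder) is left out. The rule and grant dictionary keys (protocol, from_port, to_port, grants, cidr, group_id, group_name, user_id) and the existing_rule_count argument are this example's own conventions; the 0..255 bound on ICMP type and code, the IPv4-only check and the rejection of CIDRs with host bits set are assumptions stricter than the page's "valid CIDR" wording.

```python
"""Added example (not AWS code): build AuthorizeSecurityGroupIngress parameters."""
import ipaddress
from urllib.parse import urlencode

_NAMED_PROTOCOLS = ("tcp", "udp", "icmp")            # accepted by both group types
_PROTOCOL_NUMBERS = {"6": "tcp", "17": "udp", "1": "icmp"}
MAX_RULES = {"ec2": 100, "vpc": 50}                   # limits from the Important box above


def _normalize_protocol(proto, vpc):
    """Return the IpProtocol value to send, or raise if the group type forbids it."""
    p = str(proto).lower()
    if p in _NAMED_PROTOCOLS or p in _PROTOCOL_NUMBERS:
        return p
    if vpc and (p == "-1" or p.isdigit()):            # VPC: any protocol number; -1 = all
        return p
    raise ValueError(f"protocol {proto!r} is not allowed for an EC2 security group")


def _port_fields(proto, from_port, to_port):
    """FromPort/ToPort are required for TCP, UDP and ICMP; other protocols carry none."""
    name = _PROTOCOL_NUMBERS.get(proto, proto)
    if name not in _NAMED_PROTOCOLS:
        return {}                                     # e.g. protocol 50 (ESP) in a VPC group
    if from_port is None or to_port is None:
        raise ValueError(f"{name} rules need FromPort and ToPort")
    if name == "icmp":
        # FromPort = ICMP type, ToPort = ICMP code, -1 wildcards either; 0..255 is an assumption.
        for v in (from_port, to_port):
            if not (v == -1 or 0 <= v <= 255):
                raise ValueError(f"ICMP type/code {v} must be -1 or 0..255")
    elif not 0 <= from_port <= to_port <= 65535:
        raise ValueError(f"bad port range {from_port}-{to_port}")
    return {"FromPort": str(from_port), "ToPort": str(to_port)}


def _grant_fields(grant, vpc):
    """Flatten one grant: a CIDR range or a source group, never both."""
    has_cidr = "cidr" in grant
    has_group = "group_id" in grant or "group_name" in grant
    if has_cidr == has_group:
        raise ValueError("a grant is either a CIDR range or a source group")
    if has_cidr:
        # strict=True rejects host bits (10.0.0.1/8) and IPv4-only is assumed for this
        # API version; both are stricter than the page's "valid CIDR" constraint.
        net = ipaddress.ip_network(grant["cidr"], strict=True)
        if net.version != 4:
            raise ValueError("CidrIp must be an IPv4 range")
        return "IpRanges", {"CidrIp": str(net)}
    if vpc:
        if "group_id" not in grant:
            raise ValueError("VPC source groups are identified by GroupId")
        fields = {"GroupId": grant["group_id"]}
        if "user_id" in grant:                        # present in the page's VPC example
            fields["UserId"] = grant["user_id"]
        return "Groups", fields
    if "group_name" not in grant or "user_id" not in grant:
        raise ValueError("EC2 source groups need GroupName and the owner's UserId")
    return "Groups", {"GroupName": grant["group_name"], "UserId": grant["user_id"]}


def build_authorize_ingress(group, rules, vpc=False, existing_rule_count=0):
    """Return (params, warnings).  group is {"GroupId": ..} or {"GroupName": ..};
    each rule has "protocol", optional "from_port"/"to_port" and a "grants" list of
    {"cidr": ..} or {"group_id"/"group_name": .., "user_id": ..} dicts (own conventions)."""
    if vpc and "GroupId" not in group:
        raise ValueError("VPC security groups must be addressed by GroupId")
    if not {"GroupId", "GroupName"} & set(group):
        raise ValueError("GroupId or GroupName is required")
    params = {"Action": "AuthorizeSecurityGroupIngress", **group}
    warnings = []
    total = existing_rule_count                       # caller supplies the current count
    for n, rule in enumerate(rules, start=1):
        prefix = f"IpPermissions.{n}."
        proto = _normalize_protocol(rule["protocol"], vpc)
        params[prefix + "IpProtocol"] = proto
        ports = _port_fields(proto, rule.get("from_port"), rule.get("to_port"))
        params.update({prefix + k: v for k, v in ports.items()})
        span = f"{ports.get('FromPort', '*')}-{ports.get('ToPort', '*')}"
        if not rule.get("grants"):
            raise ValueError(f"permission {n} has no CIDR range or source group")
        counters = {"IpRanges": 0, "Groups": 0}
        for grant in rule["grants"]:
            kind, fields = _grant_fields(grant, vpc)
            counters[kind] += 1
            params.update({f"{prefix}{kind}.{counters[kind]}.{k}": v for k, v in fields.items()})
            total += 1                                # each CIDR or group grant is one rule
            if fields.get("CidrIp") == "0.0.0.0/0":
                warnings.append(f"permission {n}: {proto} {span} is open to the whole Internet")
    limit = MAX_RULES["vpc" if vpc else "ec2"]
    if total > limit:
        raise ValueError(f"{total} rules would exceed the limit of {limit} per group")
    return params, warnings


def to_query_string(params):
    """Serialize in the Query API form shown on this page (AUTHPARAMS still to be added)."""
    return "https://ec2.amazonaws.com/?" + urlencode(params, safe="/")
```

Called with the first example's inputs ({"GroupName": "websrv"} and one tcp/80 rule granting 192.0.2.0/24 and 198.51.100.0/24), to_query_string reproduces the request shown above minus the signature parameters. A tcp/22 rule granting 0.0.0.0/0 is accepted, since the API accepts it, but comes back with a warning; a protocol number other than 6, 17 or 1 is rejected for an EC2 group and accepted without FromPort/ToPort for a VPC group, and pass the group's current rule count as existing_rule_count to have the per-group limit checked before the call is made.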

Example Response

<AuthorizeSecurityGroupIngressResponse xmlns="http://ec2.amazonaws.com/doc/2011-12-15/">
  <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
  <return>true</return>
</AuthorizeSecurityGroupIngressResponse>