Represents a security group in EC2.
@attr_reader [String] description The short informal description
given when the group was created.
@attr_reader [String] name The name of the security group.
@attr_reader [String] owner_id The security group owner‘s id.
@attr_reader [String,nil] vpc_id If this is a VPC security group,
vpc_id is the ID of the VPC this group was created in. Returns false otherwise.
IpPermissionCollection = IngressIpPermissionCollection (alias for the ingress permission collection)
security_group_id [R] @return [String] (also available as group_id and id)
Adds ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of allowed IP ranges the ping can come from.
security_group.allow_ping # anyone can ping servers in this group
# only allow ping from a particular address (/32 = a single host; a /0 prefix
# length would match every address, i.e. the whole internet)
security_group.allow_ping('123.123.123.123/32')
@param [String] ip_ranges One or more IP ranges to allow ping from.
Defaults to 0.0.0.0/0
@return [nil]
Authorize egress (outbound) traffic for a VPC security group.
# allow traffic for all protocols/ports from the given sources
security_group.authorize_egress('10.0.0.0/16', '10.0.0.1/16')
# allow tcp traffic outbound via port 80
security_group.authorize_egress('10.0.0.0/16', :protocol => :tcp, :ports => 80..80)
@note Calling this method on a non-VPC security group raises an error.
@overload authorize_egress(*sources, options = {})
@param [Mixed] sources One or more CIDR IP addresses, security groups or load balancers. See {#authorize_ingress} for more information on accepted formats for sources.
@param [Hash] options
@option options [Symbol] :protocol (:any) The protocol name or number to authorize egress traffic for. For a complete list of protocols see: {http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml}
@option options [Range<Integer>,Integer] :ports (nil) An optional port or range of ports. This option is required depending on the protocol.
@return [nil]
Adds ingress rules to this security group. Ingress rules permit inbound traffic over a given protocol for a given port range from one or more source IP addresses, security groups or load balancers.
This example grants the whole internet (0.0.0.0/0) access to port 80 over TCP (HTTP web traffic).
security_group.authorize_ingress(:tcp, 80)
You can specify port ranges as well:
# ftp
security_group.authorize_ingress(:tcp, 20..21)
Security groups accept ingress traffic from:
- CIDR IP address ranges
- other security groups (as {SecurityGroup} objects or hashes)
- {ELB::LoadBalancer} objects
The following example allows incoming SSH from a list of IP address ranges.
# /32 restricts each entry to a single host; a /0 prefix length would open port 22 to the whole internet
security_group.authorize_ingress(:tcp, 22, '111.111.111.111/32', '222.222.222.222/32')
To authorize ingress traffic from all EC2 instances in another security group, just pass the security group:
web = security_groups.create('webservers')
db = security_groups.create('database')
db.authorize_ingress(:tcp, 3306, web)
You can also pass a hash of security group details instead of a {SecurityGroup} object.
# by security group name
sg.authorize_ingress(:tcp, 80, { :group_name => 'other-group' })
# by security group id
sg.authorize_ingress(:tcp, 80, { :group_id => 'sg-1234567' })
If the security group belongs to a different account, just make sure it has the correct owner ID populated:
not_my_sg = SecurityGroup.new('sg-1234567', :owner_id => 'abcxyz123')
my_sg.authorize_ingress(:tcp, 80, not_my_sg)
You can do the same with a hash as well (with either +:group_id+ or +:group_name+):
sg.authorize_ingress(:tcp, 21..22, { :group_id => 'sg-id', :user_id => 'abcxyz123' })
If you use ELB to manage load balancers, then you need to add ingress permissions to the security groups they route traffic into. You can do this by passing the {ELB::LoadBalancer} into authorize_ingress:
load_balancer = AWS::ELB.new.load_balancers['web-load-balancer']
sg.authorize_ingress(:tcp, 80, load_balancer)
You can provide multiple sources each time you call authorize ingress, and you can mix and match the source types:
sg.authorize_ingress(:tcp, 80, other_sg, '1.2.3.4/32', load_balancer)
@param [String, Symbol] protocol Should be :tcp, :udp or :icmp
or the string equivalent.
@param [Integer, Range] ports The port (or port range) to allow
traffic through. You can pass a single integer (like 80) or a range (like 20..21).
@param [Mixed] sources One or more CIDR IP addresses, security groups, or load balancers. Security groups can be specified as hashes. A security group hash must provide either +:group_id+ or +:group_name+ for the security group. If the security group does not belong to your AWS account then you must also provide +:user_id+ (which can be an AWS account ID or alias).
@return [nil]
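The source formats accepted by authorize_ingress (and, for VPC groups, authorize_egress) are easy to get subtly wrong: a CIDR such as '1.2.3.4/0' is not "one address", it is the whole internet, because EC2 only looks at the prefix length. The following is an added example, not part of the AWS SDK, showing a small pre-flight audit that canonicalizes CIDR sources with Ruby's IPAddr, checks security-group hashes for the required keys, and refuses a world-open rule unless the caller opts in. The SgSourceAudit module, the RecordingSecurityGroup stand-in (used in place of a real AWS::EC2::SecurityGroup so the code runs offline), and the list of sensitive ports are all constructed for this example.

```ruby
require 'ipaddr'

# Added example (not part of the AWS SDK): audit the sources you are about
# to pass to SecurityGroup#authorize_ingress / #authorize_egress, so that a
# mistyped prefix length such as '1.2.3.4/0' (which EC2 treats as 0.0.0.0/0,
# i.e. the whole internet) is caught before the rule is created.
module SgSourceAudit
  WORLD = ['0.0.0.0/0', '::/0'].freeze
  # Ports where an unintended world-open rule is especially costly (assumed list).
  SENSITIVE_PORTS = [22, 3306, 3389, 5432].freeze

  Audit = Struct.new(:sources, :warnings)

  # Normalize a CIDR string to its canonical network form, e.g.
  # '123.123.123.123/0' -> '0.0.0.0/0', '10.0.0.1/16' -> '10.0.0.0/16'.
  def self.canonical_cidr(cidr)
    ip, prefix = cidr.split('/', 2)
    raise ArgumentError, "missing prefix length in #{cidr}" unless prefix
    net = IPAddr.new(ip).mask(Integer(prefix))
    "#{net}/#{prefix}"
  end

  # Classify one source into the three shapes the SDK documents:
  # a CIDR string, a security-group hash, or a SecurityGroup/LoadBalancer object.
  def self.classify(source)
    case source
    when String
      cidr = canonical_cidr(source)
      { kind: :cidr, value: cidr, world_open: WORLD.include?(cidr) }
    when Hash
      unless source[:group_id] || source[:group_name]
        raise ArgumentError, 'security group hash needs :group_id or :group_name'
      end
      { kind: :security_group, value: source, world_open: false }
    else
      # SecurityGroup objects respond to #id, ELB::LoadBalancer objects to #name
      if source.respond_to?(:id) || source.respond_to?(:name)
        { kind: :object, value: source, world_open: false }
      else
        raise ArgumentError, "unsupported source #{source.inspect}"
      end
    end
  end

  # Audit a planned rule: returns the canonical sources and a warning for
  # every world-open CIDR, noting any sensitive port the rule would cover.
  def self.audit(protocol, ports, *sources)
    range = ports.is_a?(Range) ? ports : (ports..ports)
    entries = sources.map { |s| classify(s) }
    warnings = entries.select { |e| e[:world_open] }.map do |e|
      sensitive = SENSITIVE_PORTS.select { |p| range.cover?(p) }
      msg = "#{protocol} #{range} open to the whole internet (#{e[:value]})"
      sensitive.empty? ? msg : "#{msg}; covers sensitive port(s) #{sensitive.join(', ')}"
    end
    Audit.new(entries.map { |e| e[:value] }, warnings)
  end

  # Run the audit and only then call the group's authorize_ingress with the
  # canonical sources. `sources` is an Array so a trailing Hash source is never
  # mistaken for keyword arguments. World-open rules need allow_world: true.
  def self.authorize_ingress!(group, protocol, ports, sources, allow_world: false)
    sources = [sources] unless sources.is_a?(Array)
    result = audit(protocol, ports, *sources)
    if !allow_world && !result.warnings.empty?
      raise ArgumentError, "refusing rule: #{result.warnings.join('; ')}"
    end
    group.authorize_ingress(protocol, ports, *result.sources)
    result
  end
end

# Constructed stand-in for an AWS::EC2::SecurityGroup so the example runs
# offline; it only records the call the real object would send to EC2.
class RecordingSecurityGroup
  attr_reader :calls

  def initialize
    @calls = []
  end

  def authorize_ingress(protocol, ports, *sources)
    @calls << [protocol, ports, sources]
    nil
  end
end

if __FILE__ == $PROGRAM_NAME
  sg = RecordingSecurityGroup.new
  SgSourceAudit.authorize_ingress!(sg, :tcp, 80, ['1.2.3.4/32', { group_id: 'sg-1234567' }])
  puts sg.calls.inspect
  begin
    SgSourceAudit.authorize_ingress!(sg, :tcp, 22, ['111.111.111.111/0'])
  rescue ArgumentError => e
    puts e.message
  end
end
```

With a real group you would pass the AWS::EC2::SecurityGroup instance as `group`; the audit itself never talks to AWS. The canonical form is also what you will see echoed back in the group's ingress_ip_permissions, which makes reconciling intended and actual rules simpler.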
Deletes this security group.
If you attempt to delete a security group that contains instances, or attempt to delete a security group that is referenced by another security group, an error is raised. For example, if security group B has a rule that allows access from security group A, security group A cannot be deleted until the rule is removed.
@return [nil]
Removes ingress rules for ICMP pings. Defaults to 0.0.0.0/0 for the list of IP ranges to revoke.
@param [String] ip_ranges One or more IP ranges to revoke ping access from.
Defaults to 0.0.0.0/0
@return [nil]
@return [SecurityGroup::EgressIpPermissionCollection] Returns a
collection of {IpPermission} objects that represents all of the egress permissions this security group has authorizations for.
@return [SecurityGroup::IngressIpPermissionCollection] Returns a
collection of {IpPermission} objects that represents all of the (ingress) permissions this security group has authorizations for.
Revokes an egress (outbound) ip permission. This is the inverse operation to {authorize_egress}. See {authorize_egress} for param and option documentation.
@see authorize_egress
@return [nil]
Revokes an ingress (inbound) ip permission. This is the inverse operation to {authorize_ingress}. See {authorize_ingress} for param and option documentation.
@see authorize_ingress
@return [nil]