Class SecurityGroup
Creates an Amazon EC2 security group within a VPC.
Inherited Members
Namespace: Amazon.CDK.AWS.EC2
Assembly: Amazon.CDK.Lib.dll
Syntax (csharp)
public class SecurityGroup : Resource, ISecurityGroup, IResource, IConstruct, IDependable, IPeer, IConnectableSyntax (vb)
Public Class SecurityGroup Inherits Resource Implements ISecurityGroup, IResource, IConstruct, IDependable, IPeer, IConnectableRemarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
Examples
var vpc = new Vpc(this, "Vpc", new VpcProps { MaxAzs = 1 });
var cluster = new Cluster(this, "EcsCluster", new ClusterProps { Vpc = vpc });
var securityGroup = new SecurityGroup(this, "SG", new SecurityGroupProps { Vpc = vpc });
var scheduledFargateTask = new ScheduledFargateTask(this, "ScheduledFargateTask", new ScheduledFargateTaskProps {
Cluster = cluster,
ScheduledFargateTaskImageOptions = new ScheduledFargateTaskImageOptions {
Image = ContainerImage.FromRegistry("amazon/amazon-ecs-sample"),
MemoryLimitMiB = 512
},
Schedule = Schedule.Expression("rate(1 minute)"),
SecurityGroups = new [] { securityGroup }
});Synopsis
Constructors
| SecurityGroup(Construct, string, ISecurityGroupProps) | Creates an Amazon EC2 security group within a VPC. |
Properties
| AllowAllIpv6Outbound | Whether the SecurityGroup has been configured to allow all outbound ipv6 traffic. |
| AllowAllOutbound | Whether the SecurityGroup has been configured to allow all outbound traffic. |
| CanInlineRule | Whether the rule can be inlined into a SecurityGroup or not. |
| Connections | The network connections associated with this resource. |
| DefaultPort | Creates an Amazon EC2 security group within a VPC. |
| PROPERTY_INJECTION_ID | Uniquely identifies this class. |
| SecurityGroupId | The ID of the security group. |
| SecurityGroupVpcId | The VPC ID this security group is part of. |
| UniqueId | A unique identifier for this connection peer. |
Methods
| AddEgressRule(IPeer, Port, string?, bool?) | Add an egress rule for the current security group. |
| AddIngressRule(IPeer, Port, string?, bool?) | Add an ingress rule for the current security group. |
| DetermineRuleScope(IPeer, Port, string, bool?) | Determine where to parent a new ingress/egress rule. |
| FromLookupById(Construct, string, string) | Look up a security group by id. |
| FromLookupByName(Construct, string, string, IVpc) | Look up a security group by name. |
| FromSecurityGroupId(Construct, string, string, ISecurityGroupImportOptions?) | Import an existing security group into this app. |
| IsSecurityGroup(object) | Return whether the indicated object is a security group. |
| ToEgressRuleConfig() | Produce the egress rule JSON for the given connection. |
| ToIngressRuleConfig() | Produce the ingress rule JSON for the given connection. |
Constructors
SecurityGroup(Construct, string, ISecurityGroupProps)
Creates an Amazon EC2 security group within a VPC.
public SecurityGroup(Construct scope, string id, ISecurityGroupProps props)Parameters
- scope Construct
- id string
- props ISecurityGroupProps
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
Examples
var vpc = new Vpc(this, "Vpc", new VpcProps { MaxAzs = 1 });
var cluster = new Cluster(this, "EcsCluster", new ClusterProps { Vpc = vpc });
var securityGroup = new SecurityGroup(this, "SG", new SecurityGroupProps { Vpc = vpc });
var scheduledFargateTask = new ScheduledFargateTask(this, "ScheduledFargateTask", new ScheduledFargateTaskProps {
Cluster = cluster,
ScheduledFargateTaskImageOptions = new ScheduledFargateTaskImageOptions {
Image = ContainerImage.FromRegistry("amazon/amazon-ecs-sample"),
MemoryLimitMiB = 512
},
Schedule = Schedule.Expression("rate(1 minute)"),
SecurityGroups = new [] { securityGroup }
});Properties
AllowAllIpv6Outbound
Whether the SecurityGroup has been configured to allow all outbound ipv6 traffic.
public virtual bool AllowAllIpv6Outbound { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
AllowAllOutbound
Whether the SecurityGroup has been configured to allow all outbound traffic.
public virtual bool AllowAllOutbound { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
CanInlineRule
Whether the rule can be inlined into a SecurityGroup or not.
public virtual bool CanInlineRule { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
Connections
The network connections associated with this resource.
public virtual Connections_ Connections { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
DefaultPort
Creates an Amazon EC2 security group within a VPC.
public virtual Port? DefaultPort { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
Examples
var vpc = new Vpc(this, "Vpc", new VpcProps { MaxAzs = 1 });
var cluster = new Cluster(this, "EcsCluster", new ClusterProps { Vpc = vpc });
var securityGroup = new SecurityGroup(this, "SG", new SecurityGroupProps { Vpc = vpc });
var scheduledFargateTask = new ScheduledFargateTask(this, "ScheduledFargateTask", new ScheduledFargateTaskProps {
Cluster = cluster,
ScheduledFargateTaskImageOptions = new ScheduledFargateTaskImageOptions {
Image = ContainerImage.FromRegistry("amazon/amazon-ecs-sample"),
MemoryLimitMiB = 512
},
Schedule = Schedule.Expression("rate(1 minute)"),
SecurityGroups = new [] { securityGroup }
});PROPERTY_INJECTION_ID
Uniquely identifies this class.
public static string PROPERTY_INJECTION_ID { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
SecurityGroupId
The ID of the security group.
public virtual string SecurityGroupId { get; }Property Value
Remarks
Attribute: true
SecurityGroupVpcId
The VPC ID this security group is part of.
public virtual string SecurityGroupVpcId { get; }Property Value
Remarks
Attribute: true
UniqueId
A unique identifier for this connection peer.
public virtual string UniqueId { get; }Property Value
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
Methods
AddEgressRule(IPeer, Port, string?, bool?)
Add an egress rule for the current security group.
public virtual void AddEgressRule(IPeer peer, Port connection, string? description = null, bool? remoteRule = null)Parameters
Remarks
remoteRule controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
AddIngressRule(IPeer, Port, string?, bool?)
Add an ingress rule for the current security group.
public virtual void AddIngressRule(IPeer peer, Port connection, string? description = null, bool? remoteRule = null)Parameters
Remarks
remoteRule controls where the Rule object is created if the peer is also a
securityGroup and they are in different stack. If false (default) the
rule object is created under the current SecurityGroup object. If true and the
peer is also a SecurityGroup, the rule object is created under the remote
SecurityGroup object.
DetermineRuleScope(IPeer, Port, string, bool?)
Determine where to parent a new ingress/egress rule.
protected virtual IRuleScope DetermineRuleScope(IPeer peer, Port connection, string fromTo, bool? remoteRule = null)Parameters
Returns
Remarks
A SecurityGroup rule is parented under the group it's related to, UNLESS we're in a cross-stack scenario with another Security Group. In that case, we respect the 'remoteRule' flag and will parent under the other security group.
This is necessary to avoid cyclic dependencies between stacks, since both ingress and egress rules will reference both security groups, and a naive parenting will lead to the following situation:
╔════════════════════╗ ╔════════════════════╗ ║ ┌───────────┐ ║ ║ ┌───────────┐ ║ ║ │ GroupA │◀────╬─┐ ┌───╬───▶│ GroupB │ ║ ║ └───────────┘ ║ │ │ ║ └───────────┘ ║ ║ ▲ ║ │ │ ║ ▲ ║ ║ │ ║ │ │ ║ │ ║ ║ │ ║ │ │ ║ │ ║ ║ ┌───────────┐ ║ └───┼───╬────┌───────────┐ ║ ║ │ EgressA │─────╬─────┘ ║ │ IngressB │ ║ ║ └───────────┘ ║ ║ └───────────┘ ║ ║ ║ ║ ║ ╚════════════════════╝ ╚════════════════════╝
By having the ability to switch the parent, we avoid the cyclic reference by keeping all rules in a single stack.
If this happens, we also have to change the construct ID, because otherwise we might have two objects with the same ID if we have multiple reversed security group relationships.
╔═══════════════════════════════════╗ ║┌───────────┐ ║ ║│ GroupB │ ║ ║└───────────┘ ║ ║ ▲ ║ ║ │ ┌───────────┐ ║ ║ ├────"from A"──│ IngressB │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ ├─────"to B"───│ EgressA │ ║ ║ │ └───────────┘ ║ ║ │ ┌───────────┐ ║ ║ └─────"to B"───│ EgressC │ ║ <-- oops ║ └───────────┘ ║ ╚═══════════════════════════════════╝
FromLookupById(Construct, string, string)
Look up a security group by id.
public static ISecurityGroup FromLookupById(Construct scope, string id, string securityGroupId)Parameters
Returns
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
FromLookupByName(Construct, string, string, IVpc)
Look up a security group by name.
public static ISecurityGroup FromLookupByName(Construct scope, string id, string securityGroupName, IVpc vpc)Parameters
Returns
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
FromSecurityGroupId(Construct, string, string, ISecurityGroupImportOptions?)
Import an existing security group into this app.
public static ISecurityGroup FromSecurityGroupId(Construct scope, string id, string securityGroupId, ISecurityGroupImportOptions? options = null)Parameters
- scope Construct
- id string
- securityGroupId string
- options ISecurityGroupImportOptions
Returns
Remarks
This method will assume that the Security Group has a rule in it which allows all outbound traffic, and so will not add egress rules to the imported Security Group (only ingress rules).
If your existing Security Group needs to have egress rules added, pass the
allowAllOutbound: false option on import.
IsSecurityGroup(object)
Return whether the indicated object is a security group.
public static bool IsSecurityGroup(object x)Parameters
- x object
Returns
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
ToEgressRuleConfig()
Produce the egress rule JSON for the given connection.
public virtual object ToEgressRuleConfig()Returns
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused
ToIngressRuleConfig()
Produce the ingress rule JSON for the given connection.
public virtual object ToIngressRuleConfig()Returns
Remarks
Security Groups act like a firewall with a set of rules, and are associated with any AWS resource that has or creates Elastic Network Interfaces (ENIs). A typical example of a resource that has a security group is an Instance (or Auto Scaling Group of instances)
If you are defining new infrastructure in CDK, there is a good chance you won't have to interact with this class at all. Like IAM Roles, Security Groups need to exist to control access between AWS resources, but CDK will automatically generate and populate them with least-privilege permissions for you so you can concentrate on your business logic.
All Constructs that require Security Groups will create one for you if you
don't specify one at construction. After construction, you can selectively
allow connections to and between constructs via--for example-- the instance.connections
object. Think of it as "allowing connections to your instance", rather than
"adding ingress rules a security group". See the Allowing
Connections
section in the library documentation for examples.
Direct manipulation of the Security Group through addIngressRule and
addEgressRule is possible, but mutation through the .connections object
is recommended. If you peer two constructs with security groups this way,
appropriate rules will be created in both.
If you have an existing security group you want to use in your CDK application, you would import it like this:
var securityGroup = SecurityGroup.FromSecurityGroupId(this, "SG", "sg-12345", new SecurityGroupImportOptions {
Mutable = false
});ExampleMetadata: infused