AWS Fundamentals Logo
AWS Fundamentals
L1 ConstructAWS::EC2::SecurityGroupIngress

CfnSecurityGroupIngress

Adds an inbound (ingress) rule to a security group. An inbound rule permits instances to receive traffic from the specified IPv4 or IPv6 address range, the IP addresses that are specified by a prefix list, or the instances that are associated with a source security group. For more information, see [Security group rules](https://docs.aws.amazon.com/vpc/latest/userguide/security-group-rules.html) . You must specify exactly one of the following sources: an IPv4 address range, an IPv6 address range, a prefix list, or a security group. You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code. Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.

Import

import { CfnSecurityGroupIngress } from 'aws-cdk-lib/aws-ec2';

Or use the module namespace:

import * as ec2 from 'aws-cdk-lib/aws-ec2';
// ec2.CfnSecurityGroupIngress

Properties

Configuration passed to the constructor as CfnSecurityGroupIngressProps.

ipProtocolRequired
string

The IP protocol name ( `tcp` , `udp` , `icmp` , `icmpv6` ) or number (see [Protocol Numbers](https://docs.aws.amazon.com/http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) ). Use `-1` to specify all protocols. When authorizing security group rules, specifying `-1` or a protocol number other than `tcp` , `udp` , `icmp` , or `icmpv6` allows traffic on all ports, regardless of any port range you specify. For `tcp` , `udp` , and `icmp` , you must specify a port range. For `icmpv6` , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

cidrIpOptional
string

The IPv4 address range, in CIDR format. You must specify exactly one of the following: `CidrIp` , `CidrIpv6` , `SourcePrefixListId` , or `SourceSecurityGroupId` . For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .

cidrIpv6Optional
string

The IPv6 address range, in CIDR format. You must specify exactly one of the following: `CidrIp` , `CidrIpv6` , `SourcePrefixListId` , or `SourceSecurityGroupId` . For examples of rules that you can add to security groups for specific access scenarios, see [Security group rules for different use cases](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/security-group-rules-reference.html) in the *Amazon EC2 User Guide* .

descriptionOptional
string

Updates the description of an ingress (inbound) security group rule. You can replace an existing description, or add a description to a rule that did not have one previously. Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

fromPortOptional
number

The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of `-1` indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.

groupIdOptional
string | ISecurityGroupRef

The ID of the security group.

groupNameOptional
string | ISecurityGroupRef

[Default VPC] The name of the security group. For security groups for a default VPC you can specify either the ID or the name of the security group. For security groups for a nondefault VPC, you must specify the ID of the security group.

sourcePrefixListIdOptional
string | IPrefixListRef

The ID of a prefix list.

sourceSecurityGroupIdOptional
string | ISecurityGroupRef

The ID of the security group. You must specify either the security group ID or the security group name. For security groups in a nondefault VPC, you must specify the security group ID.

sourceSecurityGroupNameOptional
string

[Default VPC] The name of the source security group. You must specify either the security group ID or the security group name. You can't specify the group name in combination with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access. For security groups in a nondefault VPC, you must specify the group ID.

sourceSecurityGroupOwnerIdOptional
string

[nondefault VPC] The AWS account ID for the source security group, if the source security group is in a different account. You can't specify this property with an IP address range. Creates rules that grant full ICMP, UDP, and TCP access. If you specify `SourceSecurityGroupName` or `SourceSecurityGroupId` and that security group is owned by a different account than the account creating the stack, you must specify `SourceSecurityGroupOwnerId` ; otherwise, this property is optional.

toPortOptional
number

The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of `-1` indicates all ICMP/ICMPv6 codes for the specified ICMP type. If you specify all ICMP/ICMPv6 types, you must specify all codes. Use this for ICMP and any protocol that uses ports.

CloudFormation Resource

This L1 construct maps directly to the following CloudFormation resource type.

AWS::EC2::SecurityGroupIngressView in CloudFormation Explorer

Get the Amazon EC2 Cheat Sheet

Everything you need to know about Amazon EC2 on one page. HD quality, print-friendly.

Download Free Infographic

Quick Facts

LevelL1 (CloudFormation)
Moduleaws-ec2
CFN TypeAWS::EC2::SecurityGroupIngress
Properties12

Related Constructs

Explore This Service

External Links