Name

ec2-authorize

Synopsis

ec2-authorize groupname -P protocol (-p portrange
 | -t icmptypecode) [-u sourceuser ...] [-o sourcegroup ...]
 [-s sourceaddress]

Authorizes network traffic to EC2 instances launched with the specified group name.

You can authorize incoming traffic based on a variety of criteria:

  • Based on the source address range (CIDR block, via -s) from which the traffic originates

  • Based on the group membership of the EC2 instance from which the traffic originates (via -u and -o), if it originates from an EC2 instance

  • Based on the protocol (TCP, UDP, ICMP) of the traffic

  • Based on the destination port of the traffic

By default, a group allows no traffic to pass to the EC2 instances that belong to it (though an instance may belong to multiple groups, in which case its membership in another group may allow the traffic). Nothing reaches an instance until you explicitly authorize it, and each authorization only opens inbound traffic; it never restricts anything.

Except when you want to enable traffic to flow from one EC2 group to another, you can control traffic down to the protocol and port level. A group-to-group rule is an all-or-nothing proposition: it admits every protocol and port from any instance in the source group (identified by the owning account with -u and the group name with -o), so the -P, -p and -t options do not narrow it. Because the source is a group rather than an address, the rule follows instances as they launch and terminate, which is exactly what you want for tiers that talk to each other, and exactly why you should confirm the account ID you pass with -u is your own.

Examples

# Grant port 80 access to all traffic regardless of source
$ ec2-authorize mydmz -P tcp -p 80 -s 0.0.0.0/0
GROUP         mydmz
PERMISSION    mydmz    ALLOWS    tcp    80    80    FROM    CIDR    0.0.0.0/0

# Grant access to the app server group from the DMZ group
$ ec2-authorize myapp -u 999999999999 -o mydmz
GROUP         myapp
PERMISSION    myapp    ALLOWS    all    FROM    USER    999999999999 GRPNAME mydmz

# Grant access to a range of ports from a specific IP address
$ 
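Because every ec2-authorize call only opens traffic, the rules a group has accumulated are worth auditing. The script below is an added example, not code from the book: it reads GROUP/PERMISSION lines in the layout shown in the examples above (the same layout ec2-describe-group prints; the real tool separates fields with tabs, which awk's default splitting handles just as it handles the spaces used here), flags rules open to 0.0.0.0/0, rates world-open admin ports (22, 3389) as HIGH, and flags any group-to-group rule whose -u account is not your own, since that grants a group in another account full access. The account IDs, the 203.0.113.0/24 range and the `partner` group in the sample are constructed for illustration.

```shell
#!/bin/sh
# Audit EC2 security-group rules in the GROUP/PERMISSION output format of
# ec2-authorize / ec2-describe-group. Added example; not the book's own code.

# Constructed sample output. Only the tcp/80 rule and the mydmz->myapp rule
# come from the page; the rest are made up to exercise the checks.
SAMPLE_RULES='GROUP mydmz
PERMISSION mydmz ALLOWS tcp 80 80 FROM CIDR 0.0.0.0/0
PERMISSION mydmz ALLOWS tcp 22 22 FROM CIDR 0.0.0.0/0
PERMISSION mydmz ALLOWS tcp 22 22 FROM CIDR 203.0.113.0/24
GROUP myapp
PERMISSION myapp ALLOWS all FROM USER 999999999999 GRPNAME mydmz
PERMISSION myapp ALLOWS all FROM USER 111111111111 GRPNAME partner'

# audit_rules OWN_ACCOUNT_ID  (rules on stdin, one finding per line on stdout)
# Field layout assumed (see the examples above):
#   CIDR rule : PERMISSION grp ALLOWS proto from to FROM CIDR cidr
#   group rule: PERMISSION grp ALLOWS all FROM USER account GRPNAME srcgrp
audit_rules() {
  awk -v own="$1" '
    $1 != "PERMISSION" { next }
    $8 == "CIDR" && $9 == "0.0.0.0/0" {
      # Anything world-open is worth a look; remote-admin ports are HIGH.
      sev = ($5 == "22" || $5 == "3389") ? "HIGH" : "MEDIUM"
      printf "%s %s %s/%s-%s open to the world\n", sev, $2, $4, $5, $6
      next
    }
    $8 == "GRPNAME" {
      # Group rules are all protocols/all ports; a foreign -u account means
      # instances you do not control get that access.
      if ($7 != own)
        printf "HIGH %s trusts group %s owned by another account (%s)\n", $2, $9, $7
      else
        printf "INFO %s allows all protocols/ports from group %s\n", $2, $9
    }'
}

# count_findings OWN_ACCOUNT_ID SEVERITY  (rules on stdin) -> number of findings
count_findings() {
  audit_rules "$1" | awk -v s="$2" '$1 == s { n++ } END { print n + 0 }'
}

# Stand-alone run against the constructed sample, pretending our account is
# 999999999999 (the ID used on the page).
printf '%s\n' "$SAMPLE_RULES" | audit_rules 999999999999
```

In real use, replace the sample with `ec2-describe-group | audit_rules <your-account-id>`; the tcp/80 rule on the DMZ group is expected and shows up as MEDIUM only so that a reviewer confirms it, while the world-open tcp/22 rule and the rule trusting a group owned by 111111111111 are the ones to revoke.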
