Security Groups

More information on Amazon Security Groups is available online at http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html.

Launching an instance in one or more Security Groups:

The following script is an example of how to launch a virtual machine instance in one or more Security Groups on Clemson's OneCloud.

NOTE: Currently, Security Groups and Elastic IPs CANNOT be used together on the same instance! We are working to add this functionality.

#!/usr/bin/env python
import boto
from boto.ec2.regioninfo import RegionInfo
from time import sleep

# Interface variables
host = "chimney.cs.clemson.edu"
ec2Port = 8443

# Cloud credentials
access_id = "<your access id goes here>"
access_secret = "<your secret key goes here>"

# Define a region for EC2 Connection
ec2Region = RegionInfo(name="opennebula", endpoint=host)

# Create EC2 Connection
ec2Conn = boto.connect_ec2(aws_access_key_id=access_id, aws_secret_access_key=access_secret,
                           region=ec2Region, port=ec2Port, is_secure=True)

# Get list of images available
myimages = ec2Conn.get_all_images()

# This returns a list of the images available to you.
# Pick yours or one that is public. Below we pick the first image in the list.
image = myimages[0]

print "Starting image", image

# Launch instance in 2 Security Groups
# NOTE: security_groups must be a LIST of Security Group NAMES or IDs (i.e. "sg-000003")
reservation = image.run(instance_type='m1.small', security_groups=["sshGroup", "pingGroup"])

instance = reservation.instances[0]

print instance.state

# Poll until the instance reports 'running'
while instance.state != 'running':
    sleep(5)
    instance.update()
    print instance.state

# At this point the VM is running and its network access is restricted by the rules in the two groups: sshGroup and pingGroup

Creating/Deleting a Security Group:


The following script is an example of how to create or delete a Security Group.

#!/usr/bin/env python
import boto
from boto.ec2.regioninfo import RegionInfo

# Interface variables
host = "chimney.cs.clemson.edu"
ec2Port = 8443

# Cloud credentials
access_id = "<your access id goes here>"
access_secret = "<your secret key goes here>"

# Define a region for EC2 Connection
ec2Region = RegionInfo(name="opennebula", endpoint=host)

# Create EC2 Connection
ec2Conn = boto.connect_ec2(aws_access_key_id=access_id, aws_secret_access_key=access_secret,
                           region=ec2Region, port=ec2Port, is_secure=True)

# Create a security group named 'mygroup' with a brief description
group = ec2Conn.create_security_group(name="mygroup", description="My First Security Group")

# Print out properties of your group
# (boto stores the groupId element returned by the cloud in the 'id' attribute)
print group.name
print group.id
print group.description
print group.rules

# There are 2 methods for deleting a security group. Use ONE of them:
# the second call will fail if the group has already been deleted by the first.
# Method 1: Using the handle for your group instance
group.delete()

# Method 2: Using the handle for the EC2 Connection
# ec2Conn.delete_security_group(name="mygroup")


Adding/Deleting Rules for Security Groups:


The following script demonstrates how to add or remove rules from a Security Group.

NOTE: Currently, you CANNOT specify another Security Group as the source of traffic for a rule. OneCloud does not support this feature.

#!/usr/bin/env python
import boto
from boto.ec2.regioninfo import RegionInfo

# Interface variables
host = "chimney.cs.clemson.edu"
ec2Port = 8443

# Cloud credentials
access_id = "<your access id goes here>"
access_secret = "<your secret key goes here>"

# Define a region for EC2 Connection
ec2Region = RegionInfo(name="opennebula", endpoint=host)

# Create EC2 Connection
ec2Conn = boto.connect_ec2(aws_access_key_id=access_id, aws_secret_access_key=access_secret,
                           region=ec2Region, port=ec2Port, is_secure=True)

# Get list of security groups available
groups = ec2Conn.get_all_security_groups()

# This returns a list of the security groups available.
# Pick a group from the list. We choose the first one in this example.
group = groups[0]

# ADDING RULES
# There are 2 methods for adding rules
# NOTE: cidr_ip is a CIDR block; "0.0.0.0/0" means every IPv4 address.
# Prefer the narrowest range that does the job (e.g. your campus or VPN prefix).

# METHOD 1: Using the handle to the group and the authorize() method
# group.authorize(ip_protocol=None, from_port=None, to_port=None, cidr_ip=None, src_group=None)

# Add a rule that allows incoming traffic on TCP port 22 from ALL IP ADDRESSES
group.authorize(ip_protocol="tcp", from_port=22, to_port=22, cidr_ip="0.0.0.0/0")

# Add a rule that allows incoming traffic on TCP ports 80,81,82 from IP addresses in the 10.10.x.x range
group.authorize(ip_protocol="tcp", from_port=80, to_port=82, cidr_ip="10.10.0.0/16")

# For ICMP, from_port is the ICMP TYPE and to_port is the ICMP CODE.
# Add a rule that allows incoming ICMP ECHO REQUEST packets (type 8, code 0) from ALL IP ADDRESSES
group.authorize(ip_protocol="icmp", from_port=8, to_port=0, cidr_ip="0.0.0.0/0")

# Add a rule that allows incoming ICMP ECHO REPLY packets (type 0, code 0) from ALL IP ADDRESSES
group.authorize(ip_protocol="icmp", from_port=0, to_port=0, cidr_ip="0.0.0.0/0")


# METHOD 2: Using the EC2 Connection Instance
# NOTE: In newer versions of the Boto Library (> v1.9b), the parameters for this method have changed.
# The current parameter list is available in authorize_security_group_deprecated()
ec2Conn.authorize_security_group(group_name=group.name, ip_protocol="tcp", from_port=22, to_port=22, cidr_ip="0.0.0.0/0")

# DELETING RULES
# To delete a rule, you MUST specify the EXACT same parameters used to create the rule

# This removes the first rule we created earlier allowing Port 22 from anywhere
group.revoke(ip_protocol="tcp", from_port=22, to_port=22, cidr_ip="0.0.0.0/0")

# Removes the same rule, but using the EC2 Connection object
ec2Conn.revoke_security_group(group_name=group.name, ip_protocol="tcp", from_port=22, to_port=22, cidr_ip="0.0.0.0/0")