SecurityGroupRule
An AWS Security Group Rule defines a specific inbound or outbound traffic rule for a security group, controlling access to EC2 instances and other AWS resources.
Minimal Example
Create a basic HTTP inbound rule:

```ts
import { Vpc, SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

const vpc = await Vpc("main-vpc", {
  cidrBlock: "10.0.0.0/16",
});

const webSg = await SecurityGroup("web-sg", {
  vpc,
  groupName: "web-server-sg",
  description: "Security group for web servers",
});

const httpRule = await SecurityGroupRule("web-http-rule", {
  securityGroup: webSg,
  type: "ingress",
  protocol: "tcp",
  fromPort: 80,
  toPort: 80,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow HTTP traffic from anywhere",
});
```
HTTPS Rule
Allow HTTPS traffic from the internet:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

const httpsRule = await SecurityGroupRule("web-https-rule", {
  securityGroup: webSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 443,
  toPort: 443,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow HTTPS traffic from anywhere",
});
```
SSH Access Rule
Allow SSH access from specific IP ranges:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

const sshRule = await SecurityGroupRule("admin-ssh-rule", {
  securityGroup: adminSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 22,
  toPort: 22,
  cidrBlocks: [
    "203.0.113.0/24", // Office network
    "198.51.100.0/24", // VPN network
  ],
  description: "Allow SSH access from office and VPN networks",
});
```
Database Access Rules
Allow database access from application servers:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// MySQL/MariaDB access rule
const mysqlRule = await SecurityGroupRule("db-mysql-rule", {
  securityGroup: databaseSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 3306,
  toPort: 3306,
  sourceSecurityGroups: [appSecurityGroup],
  description: "Allow MySQL access from application servers",
});

// PostgreSQL access rule
const postgresRule = await SecurityGroupRule("db-postgres-rule", {
  securityGroup: databaseSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 5432,
  toPort: 5432,
  sourceSecurityGroups: [appSecurityGroup],
  description: "Allow PostgreSQL access from application servers",
});

// Redis access rule
const redisRule = await SecurityGroupRule("cache-redis-rule", {
  securityGroup: cacheSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 6379,
  toPort: 6379,
  sourceSecurityGroups: [appSecurityGroup],
  description: "Allow Redis access from application servers",
});
```
Load Balancer Rules
Security group rules for an Application Load Balancer setup:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// ALB HTTP rule
const albHttpRule = await SecurityGroupRule("alb-http-rule", {
  securityGroup: albSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 80,
  toPort: 80,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow HTTP traffic to ALB from internet",
});

// ALB HTTPS rule
const albHttpsRule = await SecurityGroupRule("alb-https-rule", {
  securityGroup: albSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 443,
  toPort: 443,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow HTTPS traffic to ALB from internet",
});

// Web servers receiving traffic from ALB
const webFromAlbRule = await SecurityGroupRule("web-from-alb-rule", {
  securityGroup: webSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 8080, // Application port
  toPort: 8080,
  sourceSecurityGroups: [albSecurityGroup],
  description: "Allow traffic from ALB to web servers",
});
```
Egress Rules
Control outbound traffic from instances:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// Allow HTTPS outbound for package updates
const httpsEgressRule = await SecurityGroupRule("web-https-egress", {
  securityGroup: webSecurityGroup,
  type: "egress",
  protocol: "tcp",
  fromPort: 443,
  toPort: 443,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow HTTPS outbound for package updates",
});

// Allow HTTP outbound
const httpEgressRule = await SecurityGroupRule("web-http-egress", {
  securityGroup: webSecurityGroup,
  type: "egress",
  protocol: "tcp",
  fromPort: 80,
  toPort: 80,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow HTTP outbound",
});

// Allow DNS resolution
const dnsEgressRule = await SecurityGroupRule("web-dns-egress", {
  securityGroup: webSecurityGroup,
  type: "egress",
  protocol: "udp",
  fromPort: 53,
  toPort: 53,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow DNS resolution",
});
```
Port Range Rules
Allow traffic on a range of ports:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// Allow ephemeral ports for return traffic
const ephemeralRule = await SecurityGroupRule("ephemeral-ports-rule", {
  securityGroup: natSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 1024,
  toPort: 65535,
  cidrBlocks: ["10.0.0.0/16"], // Only from VPC
  description: "Allow ephemeral ports for return traffic",
});

// Custom application port range
const appPortsRule = await SecurityGroupRule("app-ports-rule", {
  securityGroup: appSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 8000,
  toPort: 8999,
  sourceSecurityGroups: [webSecurityGroup],
  description: "Allow application ports from web tier",
});
```
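The SSH, database and port-range sections above all rely on the same discipline: administrative and data ports are reached only from named networks or security groups, and a rule meant to be internal (the ephemeral rule's "Only from VPC") really does stay inside the VPC prefix. The following lint, added here as an example and not part of alchemy, checks those properties on the option objects before they are handed to `SecurityGroupRule`. The `RuleSpec` and `Finding` types, the `lintRule`, `parseCidr` and `cidrWithin` helpers, the list of sensitive ports and the 100-port threshold are all assumptions made for this example; the sample rules are taken from this page, plus one constructed counter-example.

```typescript
// Added example, not alchemy code: lint SecurityGroupRule options before they
// are applied. RuleSpec mirrors the option object this page passes to
// SecurityGroupRule; the type, the Finding shape and the thresholds below are
// assumptions made for this example.

type RuleSpec = {
  type: "ingress" | "egress";
  protocol: string; // "tcp", "udp", "icmp", "-1" (all) or an IP protocol number
  fromPort: number;
  toPort: number;
  cidrBlocks?: string[];
  sourceSecurityGroups?: string[]; // names or ids; only their presence matters here
  description?: string;
};

type Finding = { severity: "high" | "medium" | "low"; message: string };

const ANY_IPV4 = "0.0.0.0/0";
// Ports this page exposes only to named networks or security groups.
const SENSITIVE_PORTS = [22, 3306, 5432, 6379];

// Parse "a.b.c.d/n" into an unsigned 32-bit address plus prefix length.
function parseCidr(cidr: string): { addr: number; prefix: number } | null {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\/(\d{1,2})$/.exec(cidr);
  if (!m) return null;
  const o = m.slice(1, 5).map(Number);
  const prefix = Number(m[5]);
  if (o.some((x) => x > 255) || prefix > 32) return null;
  // ">>> 0" turns the signed result of the shifts into an unsigned integer.
  return { addr: ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0, prefix };
}

// True when every address in `inner` also lies inside `outer`.
function cidrWithin(inner: string, outer: string): boolean {
  const a = parseCidr(inner);
  const b = parseCidr(outer);
  if (!a || !b || a.prefix < b.prefix) return false;
  if (b.prefix === 0) return true; // /0 covers everything; also avoids a 32-bit shift
  const mask = (0xffffffff << (32 - b.prefix)) >>> 0;
  return ((a.addr & mask) >>> 0) === ((b.addr & mask) >>> 0);
}

// Findings for one rule. `expectedWithin` is the prefix (for instance the VPC
// CIDR) that every cidrBlock of an internal-only rule must fall inside.
function lintRule(name: string, rule: RuleSpec, expectedWithin?: string): Finding[] {
  const findings: Finding[] = [];
  const add = (severity: Finding["severity"], message: string) =>
    findings.push({ severity, message: `${name}: ${message}` });
  const cidrs = rule.cidrBlocks ?? [];
  const sgs = rule.sourceSecurityGroups ?? [];
  const portsApply = rule.protocol !== "icmp" && rule.protocol !== "-1";

  if (cidrs.length === 0 && sgs.length === 0) {
    add("medium", "neither cidrBlocks nor sourceSecurityGroups given");
  }
  if (!rule.description) add("low", "missing description");
  for (const c of cidrs) {
    if (!parseCidr(c)) add("medium", `malformed CIDR ${c}`);
    else if (expectedWithin && !cidrWithin(c, expectedWithin)) {
      add("medium", `${c} is not inside ${expectedWithin}`);
    }
  }
  if (portsApply && (rule.fromPort < 0 || rule.toPort > 65535 || rule.fromPort > rule.toPort)) {
    add("medium", `invalid port range ${rule.fromPort}-${rule.toPort}`);
  }

  const worldReachable = rule.type === "ingress" && cidrs.indexOf(ANY_IPV4) !== -1;
  if (worldReachable && rule.protocol === "-1") {
    add("high", "all protocols and ports open to 0.0.0.0/0");
  } else if (worldReachable && portsApply) {
    for (const p of SENSITIVE_PORTS) {
      if (p >= rule.fromPort && p <= rule.toPort) add("high", `port ${p} reachable from 0.0.0.0/0`);
    }
    const width = rule.toPort - rule.fromPort + 1;
    if (width > 100) add("medium", `${width} ports open to 0.0.0.0/0`);
  }
  if (rule.type === "egress" && rule.protocol === "-1" && cidrs.indexOf(ANY_IPV4) !== -1) {
    add("low", "unrestricted egress to 0.0.0.0/0");
  }
  return findings;
}

// Two rules from this page plus one constructed counter-example: the SSH rule
// with its office and VPN CIDRs replaced by 0.0.0.0/0.
function lintPageRules(): Finding[] {
  return [
    ...lintRule("admin-ssh-rule", { type: "ingress", protocol: "tcp", fromPort: 22, toPort: 22,
      cidrBlocks: ["203.0.113.0/24", "198.51.100.0/24"], description: "SSH from office and VPN" }),
    ...lintRule("ephemeral-ports-rule", { type: "ingress", protocol: "tcp", fromPort: 1024, toPort: 65535,
      cidrBlocks: ["10.0.0.0/16"], description: "Return traffic" }, "10.0.0.0/16"),
    ...lintRule("public-ssh", { type: "ingress", protocol: "tcp", fromPort: 22, toPort: 22,
      cidrBlocks: [ANY_IPV4], description: "SSH from anywhere" }),
  ];
}

for (const f of lintPageRules()) console.log(`[${f.severity}] ${f.message}`);
```

Only the constructed `public-ssh` rule produces a finding; the two rules copied from the page pass. Running a check like this in CI, before the stack is applied, catches the world-open administrative port at review time rather than in a cloud-posture scan after deployment.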
ICMP Rules
Allow ping and other ICMP traffic:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// Allow ping from VPC
const pingRule = await SecurityGroupRule("allow-ping-rule", {
  securityGroup: adminSecurityGroup,
  type: "ingress",
  protocol: "icmp",
  fromPort: -1, // -1 indicates all ICMP types
  toPort: -1, // -1 indicates all ICMP codes
  cidrBlocks: ["10.0.0.0/16"],
  description: "Allow ping from VPC",
});

// Allow specific ICMP type (echo request)
const echoRule = await SecurityGroupRule("icmp-echo-rule", {
  securityGroup: webSecurityGroup,
  type: "ingress",
  protocol: "icmp",
  fromPort: 8, // Echo request type
  toPort: -1, // All codes for this type
  cidrBlocks: ["0.0.0.0/0"],
  description: "Allow ping from anywhere",
});
```
All Traffic Rules
Allow all traffic (use with caution):

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// Allow all traffic between security groups (common pattern)
const allTrafficRule = await SecurityGroupRule("internal-all-traffic", {
  securityGroup: appSecurityGroup,
  type: "ingress",
  protocol: "-1", // All protocols
  fromPort: -1,
  toPort: -1,
  sourceSecurityGroups: [webSecurityGroup, dbSecurityGroup],
  description: "Allow all traffic from trusted security groups",
});

// Development environment - allow all outbound
const devEgressRule = await SecurityGroupRule("dev-all-egress", {
  securityGroup: devSecurityGroup,
  type: "egress",
  protocol: "-1",
  fromPort: -1,
  toPort: -1,
  cidrBlocks: ["0.0.0.0/0"],
  description: "Development - allow all outbound traffic",
});
```
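An all-traffic rule silently makes narrower rules on the same security group redundant: once `internal-all-traffic` admits everything from `webSecurityGroup`, the 8000-8999 rule from the Port Range section no longer restricts anything, and reviewers reading that rule would get a false picture of what the app tier accepts. The check below, added here as an example and not part of alchemy, reports such pairs. The `Rule` type mirrors this page's `SecurityGroupRule` options with a `name` and the target `securityGroup` added as strings; `protocolCovers`, `sourcesCover`, `covers` and `findRedundantRules` are names chosen for this example. Sources are compared by name, and one CIDR is treated as covering another only when identical or when it is `0.0.0.0/0` (no prefix arithmetic), which is enough for the rules on this page. The sample set is taken from the page plus one constructed ICMP echo rule on the admin group.

```typescript
// Added example, not alchemy code: find rules that a broader rule on the same
// security group already permits. Rule mirrors this page's SecurityGroupRule
// options plus a name and the target group; sources are matched by name and a
// CIDR is covered only by an identical CIDR or by 0.0.0.0/0.

type Rule = {
  name: string;
  securityGroup: string;
  type: "ingress" | "egress";
  protocol: string;
  fromPort: number;
  toPort: number;
  cidrBlocks?: string[];
  sourceSecurityGroups?: string[];
};

// Does `wide` permit every protocol/port combination that `narrow` permits?
function protocolCovers(wide: Rule, narrow: Rule): boolean {
  if (wide.protocol === "-1") return true; // all protocols; ports are ignored
  if (wide.protocol !== narrow.protocol) return false;
  if (wide.protocol === "icmp") {
    // For ICMP, fromPort is the type and toPort the code; -1 means "all".
    const typeOk = wide.fromPort === -1 || wide.fromPort === narrow.fromPort;
    const codeOk = wide.toPort === -1 || wide.toPort === narrow.toPort;
    return typeOk && codeOk;
  }
  // TCP/UDP port ranges; protocols without ports carry -1 on both sides and match.
  return wide.fromPort <= narrow.fromPort && wide.toPort >= narrow.toPort;
}

// Does every source of `narrow` appear among the sources of `wide`?
function sourcesCover(wide: Rule, narrow: Rule): boolean {
  const wideSgs = wide.sourceSecurityGroups ?? [];
  const wideCidrs = wide.cidrBlocks ?? [];
  const sgOk = (narrow.sourceSecurityGroups ?? []).every((sg) => wideSgs.indexOf(sg) !== -1);
  const cidrOk = (narrow.cidrBlocks ?? []).every(
    (c) => wideCidrs.indexOf(c) !== -1 || wideCidrs.indexOf("0.0.0.0/0") !== -1,
  );
  return sgOk && cidrOk;
}

function covers(wide: Rule, narrow: Rule): boolean {
  return (
    wide.name !== narrow.name &&
    wide.securityGroup === narrow.securityGroup &&
    wide.type === narrow.type &&
    protocolCovers(wide, narrow) &&
    sourcesCover(wide, narrow)
  );
}

// Pairs of [redundantRule, coveringRule]; two identical rules report each other.
function findRedundantRules(rules: Rule[]): Array<[string, string]> {
  const out: Array<[string, string]> = [];
  for (const narrow of rules) {
    const wide = rules.find((r) => covers(r, narrow));
    if (wide) out.push([narrow.name, wide.name]);
  }
  return out;
}

// Rules from this page (security groups referenced by name) plus one
// constructed ICMP echo rule on the admin group.
const PAGE_RULES: Rule[] = [
  { name: "app-ports-rule", securityGroup: "appSecurityGroup", type: "ingress", protocol: "tcp",
    fromPort: 8000, toPort: 8999, sourceSecurityGroups: ["webSecurityGroup"] },
  { name: "internal-all-traffic", securityGroup: "appSecurityGroup", type: "ingress", protocol: "-1",
    fromPort: -1, toPort: -1, sourceSecurityGroups: ["webSecurityGroup", "dbSecurityGroup"] },
  { name: "db-mysql-rule", securityGroup: "databaseSecurityGroup", type: "ingress", protocol: "tcp",
    fromPort: 3306, toPort: 3306, sourceSecurityGroups: ["appSecurityGroup"] },
  { name: "allow-ping-rule", securityGroup: "adminSecurityGroup", type: "ingress", protocol: "icmp",
    fromPort: -1, toPort: -1, cidrBlocks: ["10.0.0.0/16"] },
  { name: "admin-echo-rule", securityGroup: "adminSecurityGroup", type: "ingress", protocol: "icmp",
    fromPort: 8, toPort: -1, cidrBlocks: ["10.0.0.0/16"] }, // constructed for this example
];

for (const [redundant, by] of findRedundantRules(PAGE_RULES)) {
  console.log(`${redundant} is already covered by ${by}`);
}
```

The output names `app-ports-rule` (covered by `internal-all-traffic`) and the constructed `admin-echo-rule` (covered by `allow-ping-rule`, whose `-1` type and code admit every ICMP message). Either the broad rule is what was intended, in which case the narrow rule is dead configuration to delete, or the narrow rule expresses the real requirement and the all-traffic rule should be tightened.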
Multi-Source Rule
Allow access from multiple sources:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

const multiSourceRule = await SecurityGroupRule("db-multi-access", {
  securityGroup: databaseSecurityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 5432,
  toPort: 5432,
  sourceSecurityGroups: [
    webSecurityGroup,
    appSecurityGroup,
    adminSecurityGroup,
  ],
  cidrBlocks: [
    "10.0.0.0/16", // Also allow from VPC CIDR
  ],
  description: "Allow database access from multiple sources",
});
```
Custom Protocols
Rules for custom protocols by number:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// GRE protocol (protocol 47)
const greRule = await SecurityGroupRule("vpn-gre-rule", {
  securityGroup: vpnSecurityGroup,
  type: "ingress",
  protocol: "47", // GRE protocol number
  fromPort: -1,
  toPort: -1,
  cidrBlocks: ["203.0.113.0/24"],
  description: "Allow GRE for VPN tunnel",
});

// ESP protocol (protocol 50) for IPSec
const espRule = await SecurityGroupRule("vpn-esp-rule", {
  securityGroup: vpnSecurityGroup,
  type: "ingress",
  protocol: "50", // ESP protocol number
  fromPort: -1,
  toPort: -1,
  cidrBlocks: ["203.0.113.0/24"],
  description: "Allow ESP for IPSec VPN",
});
```
Reference by Security Group ID
Create rules using security group IDs:

```ts
import { SecurityGroupRule } from "alchemy/aws/ec2";

const existingSgRule = await SecurityGroupRule("existing-sg-rule", {
  securityGroup: "sg-1234567890abcdef0",
  type: "ingress",
  protocol: "tcp",
  fromPort: 80,
  toPort: 80,
  cidrBlocks: ["0.0.0.0/0"],
  description: "HTTP rule for existing security group",
});
```
Microservices Communication
Rules for microservice-to-microservice communication:

```ts
import { SecurityGroup, SecurityGroupRule } from "alchemy/aws/ec2";

// API Gateway to User Service
const apiToUserRule = await SecurityGroupRule("api-to-user-rule", {
  securityGroup: userServiceSg,
  type: "ingress",
  protocol: "tcp",
  fromPort: 3001,
  toPort: 3001,
  sourceSecurityGroups: [apiGatewaySg],
  description: "API Gateway to User Service",
});

// User Service to Order Service
const userToOrderRule = await SecurityGroupRule("user-to-order-rule", {
  securityGroup: orderServiceSg,
  type: "ingress",
  protocol: "tcp",
  fromPort: 3002,
  toPort: 3002,
  sourceSecurityGroups: [userServiceSg],
  description: "User Service to Order Service",
});

// Services to shared database
const servicesToDbRule = await SecurityGroupRule("services-to-db-rule", {
  securityGroup: sharedDbSg,
  type: "ingress",
  protocol: "tcp",
  fromPort: 5432,
  toPort: 5432,
  sourceSecurityGroups: [
    userServiceSg,
    orderServiceSg,
    paymentServiceSg,
  ],
  description: "Allow database access from microservices",
});
```
Reference
Access security group rule properties after creation:

```ts
import { SecurityGroupRule } from "alchemy/aws/ec2";

const rule = await SecurityGroupRule("my-rule", {
  securityGroup: securityGroup,
  type: "ingress",
  protocol: "tcp",
  fromPort: 80,
  toPort: 80,
  cidrBlocks: ["0.0.0.0/0"],
});

console.log(`Rule ID: ${rule.ruleId}`);
console.log(`Security Group: ${rule.securityGroup}`);
console.log(`Type: ${rule.type}`);
console.log(`Protocol: ${rule.protocol}`);
console.log(`Port Range: ${rule.fromPort}-${rule.toPort}`);
```