public static void AddIPAddressToSecurityGroup()
{
var ec2Client = new AmazonEC2Client();
//Create and Initialize IpPermission Object
var ipPermission = new IpPermission()
{
IpProtocol = "tcp",
FromPort = 3389, //RDP port
ToPort = 3389
};
ipPermission.IpRanges.Add(getExternalIp() + "/32");
//Create and initialize AuthorizeSecurityGroupIngress
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = ConfigurationManager.AppSettings["AWSSecurityGroupID"];
ingressRequest.IpPermissions.Add(ipPermission);
try
{
//Authorize Ingress
AuthorizeSecurityGroupIngressResponse ingressResponse =
ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
Console.WriteLine("IP address added to security group");
}
catch (Amazon.EC2.AmazonEC2Exception e)
{
Console.WriteLine("** IP Address already exists in the security group. **");
//Console.WriteLine("Error:" + e);
}
}
public void RemoveIngressPermission(IpPermission permission)
{
var request = new RevokeSecurityGroupIngressRequest
{
GroupId = GetSecurityGroup().GroupId,
IpPermissions = { permission }
};
try
{
client.RevokeSecurityGroupIngress(request);
}
catch (AmazonEC2Exception e)
{
// If the ingress rule didn't exist then don't complain.
if (e.ErrorCode.Equals("InvalidPermission.NotFound"))
{
logger.Warn("Tried to delete an ingress rule that did not exist in group " + request.GroupId);
return;
}
// If the group which should contain this rule does not
// exist then don't complain.
if (e.ErrorCode.Equals("InvalidGroup.NotFound"))
{
logger.Warn("Tried to delete an ingress rule from a group that does not exist " + request.GroupId);
return;
}
throw;
}
}
public void AddIngressPermission(IpPermission permission)
{
var request = new AuthorizeSecurityGroupIngressRequest
{
GroupId = GetSecurityGroup().GroupId,
IpPermissions = { permission }
};
try
{
client.AuthorizeSecurityGroupIngress(request);
}
catch (AmazonEC2Exception e)
{
// If the ingress rule already exists then don't complain. The
// user might have created it manually or they deleted their
// .last-config or .last-ip files.
if (e.ErrorCode.Equals("InvalidPermission.Duplicate"))
{
logger.Warn("Tried to create a duplicate ingress rule for group " + request.GroupId);
return;
}
throw;
}
}
private static void ManageSecurityGroups()
{
IAmazonEC2 ec2 = new Amazon.EC2.AmazonEC2Client();
var sgResponse = ec2.DescribeSecurityGroups();
string ipRange = "22.22.22.22/0";
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission = new IpPermission();
ipPermission.IpProtocol = "tcp";
ipPermission.FromPort = 3333;
ipPermission.ToPort = 3333;
ipPermission.IpRanges = ranges;
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.IpPermissions.Add(ipPermission);
var revokeRequest = new RevokeSecurityGroupIngressRequest();
revokeRequest.IpPermissions.Add(ipPermission);
foreach (var sg in sgResponse.SecurityGroups)
{
try
{
if (new Random().Next(2) == 1)
{
ingressRequest.GroupId = sg.GroupId;
var ingressResponse = ec2.AuthorizeSecurityGroupIngress(ingressRequest);
}
else
{
revokeRequest.GroupId = sg.GroupId;
ec2.RevokeSecurityGroupIngress(revokeRequest);
}
//Console.WriteLine("New RDP rule for: " + ipRange);
}
catch (AmazonEC2Exception ex)
{
// Check the ErrorCode to see if the rule already exists.
if ("InvalidPermission.Duplicate" == ex.ErrorCode)
{
//Console.WriteLine("An RDP rule for: {0} already exists.", ipRange);
}
else
{
// The exception was thrown for another reason, so re-throw the exception.
//throw;
}
}
}
}
static async Task Revoke(IAmazonEC2 ec2Client, IpPermission ipPermission, string securityGroupId)
{
logger.LogInformation("Revoke {}: {}", securityGroupId, IpPermissionToString(ipPermission));
var revokeIngressRequest = new RevokeSecurityGroupIngressRequest();
revokeIngressRequest.GroupId = securityGroupId;
revokeIngressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = await ec2Client.RevokeSecurityGroupIngressAsync(revokeIngressRequest);
logger.LogDebug("Unauthorize response code " + ingressResponse.HttpStatusCode);
}
static async Task Authorize(IAmazonEC2 ec2Client, IpPermission ipPermission, string securityGroupId)
{
logger.LogInformation("Authorize {}: {}", securityGroupId, IpPermissionToString(ipPermission));
var authorizeIngressRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeIngressRequest.GroupId = securityGroupId;
authorizeIngressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = await ec2Client.AuthorizeSecurityGroupIngressAsync(authorizeIngressRequest);
logger.LogDebug("Authorize response code {}", ingressResponse.HttpStatusCode);
}
static IpPermission CreateTCPPermission(string ipRange, int fromPort, int toPort)
{
var ipPermission = new IpPermission();
ipPermission.IpProtocol = "tcp";
ipPermission.FromPort = fromPort;
ipPermission.ToPort = toPort;
ipPermission.IpRanges = new List <string>()
{
ipRange
};
return(ipPermission);
}
private static string GetRuleText(IpPermission rule, string securityGroupId)
{
var ruleText = string.Empty;
if (rule != null)
{
var prefix = string.Empty;
if (rule.FromPort <= 0 && rule.ToPort <= 65535)
{
prefix = "All ";
}
var from = "Unknown";
if (rule.UserIdGroupPairs.Count > 0)
{
var group = GetSecurityGroupFromID(securityGroupId);
from = group.GroupName + " security group";
}
var to = "N/A";
if (rule.ToPort >= 0)
{
to = "port " + rule.ToPort;
}
if (rule.FromPort >= 0 && rule.FromPort < rule.ToPort)
{
to = "ports " + rule.FromPort + "-" + rule.ToPort;
}
if ((rule.FromPort == 0 && rule.ToPort == 0) || (rule.FromPort == 0 && rule.ToPort == 65535))
{
to = "all ports";
}
var protocol = rule.IpProtocol.ToUpper();
if (rule.IpProtocol.Equals("-1"))
{
protocol = "All protocol";
}
ruleText += prefix + protocol + " traffic to " + to + " from " + from + "." + Environment.NewLine;
}
return(ruleText);
}
SecurityGroup AddSGIPrermissions(IAmazonEC2 ec2, SecurityGroup SG)
{
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission1 = new IpPermission();
ipPermission1.IpProtocol = "tcp";
ipPermission1.FromPort = 22;
ipPermission1.ToPort = 22;
ipPermission1.IpRanges = ranges;
var ipPermission2 = new IpPermission();
ipPermission2.IpProtocol = "tcp";
ipPermission2.FromPort = 3389;
ipPermission2.ToPort = 3389;
ipPermission2.IpRanges = ranges;
// MessageBox.Show(SG.GroupId);
// foreach ( IpPermission ipper in SG.IpPermissions)
// {
// ipper.FromPort
//
// }
try
{
SG.IpPermissions.Add(ipPermission1);
SG.IpPermissions.Add(ipPermission2);
AuthorizeSecurityGroupIngressRequest authorizeSecurityGroupIngressRequest = new AuthorizeSecurityGroupIngressRequest();
authorizeSecurityGroupIngressRequest.GroupId = SG.GroupId;
//authorizeSecurityGroupIngressRequest.GroupName = MySG.GroupName;
authorizeSecurityGroupIngressRequest.IpPermissions.Add(ipPermission1);
authorizeSecurityGroupIngressRequest.IpPermissions.Add(ipPermission2);
ec2.AuthorizeSecurityGroupIngress(authorizeSecurityGroupIngressRequest);
}
catch (Exception ex)
{
}
return(SG);
}
private static string GetRangeText(IpPermission rule, string ipRange)
{
var rangeText = string.Empty;
if (!string.IsNullOrEmpty(ipRange))
{
var prefix = string.Empty;
if (rule.FromPort <= 0 && rule.ToPort <= 65535)
{
prefix = "All ";
}
var from = ipRange;
if (from == "0.0.0.0/0")
{
from = "anywhere";
}
var to = "N/A";
if (rule.ToPort >= 0)
{
to = "port " + rule.ToPort;
}
if (rule.FromPort >= 0 && rule.FromPort < rule.ToPort)
{
to = "ports " + rule.FromPort + "-" + rule.ToPort;
}
if ((rule.FromPort == 0 && rule.ToPort == 0) || (rule.FromPort == 0 && rule.ToPort == 65535))
{
to = "all ports";
}
var protocol = rule.IpProtocol.ToUpper();
if (rule.IpProtocol.Equals("-1"))
{
protocol = "All protocol";
}
rangeText += prefix + protocol + " traffic to " + to + " from " + from + "." + Environment.NewLine;
}
return(rangeText);
}
public void AddRuleToEc2SecurityGroup(String ipRange = "1.1.1.1/1", String ipProtocol = "tcp", int fromPort = 3389, int toPort = 3389
, string secGroupName = DefaultSecurityGroup)
{
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission = new IpPermission();
ipPermission.IpProtocol = ipProtocol;
ipPermission.FromPort = fromPort;
ipPermission.ToPort = toPort;
ipPermission.IpRanges = ranges;
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = secGroupName;
ingressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
}
public static async Task CloseInboundPort(AmazonEC2Client ec2Client, int port, string protocol, string securityGroupName)
{
var ipPermission = new IpPermission
{
FromPort = port,
ToPort = port,
IpProtocol = protocol,
Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/0"
}
}
};
var ipPermissions = new List <IpPermission> {
ipPermission
};
var request = new RevokeSecurityGroupIngressRequest
{
GroupName = securityGroupName,
IpPermissions = ipPermissions
};
var response = await ec2Client.RevokeSecurityGroupIngressAsync(request);
}
public void IpRangeRoundTripTest()
{
var describeSecurityGroupsResponse = DescribeSecurityGroupById();
var testCollection = new List <string>();
var authorizeSecurityGroupEgressRequest = new AuthorizeSecurityGroupEgressRequest();
authorizeSecurityGroupEgressRequest.GroupId = SECURITY_GROUP_ID;
IpPermission authorizeSecurityGroupEgressPermission = new IpPermission();
authorizeSecurityGroupEgressPermission.IpRanges.Add("0.0.0.0/7");
testCollection.Add("0.0.0.0/7");
authorizeSecurityGroupEgressPermission.IpProtocol = "ICMP";
authorizeSecurityGroupEgressPermission.FromPort = -1;
authorizeSecurityGroupEgressPermission.ToPort = -1;
authorizeSecurityGroupEgressRequest.IpPermissions = new List <IpPermission> {
authorizeSecurityGroupEgressPermission
};
var authorizeSecurityGroupEgressResponse = Client.AuthorizeSecurityGroupEgress(authorizeSecurityGroupEgressRequest);
Assert.IsNotNull(authorizeSecurityGroupEgressResponse);
Assert.IsFalse(authorizeSecurityGroupEgressRequest.IpPermissions[0].Ipv4Ranges.Any());
UtilityMethods.WaitUntilSuccess(() =>
{
describeSecurityGroupsResponse = DescribeSecurityGroupById();
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, testCollection);
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges.Select(p => p.CidrIp).ToList(), testCollection);
});
authorizeSecurityGroupEgressRequest = new AuthorizeSecurityGroupEgressRequest();
authorizeSecurityGroupEgressRequest.GroupId = SECURITY_GROUP_ID;
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/8", Description = "TestDescription"
}
};
testCollection.Add("0.0.0.0/8");
authorizeSecurityGroupEgressRequest.IpPermissions = new List <IpPermission> {
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1]
};
authorizeSecurityGroupEgressResponse = Client.AuthorizeSecurityGroupEgress(authorizeSecurityGroupEgressRequest);
var validationResult = new List <string>();
UtilityMethods.WaitUntilSuccess(() =>
{
describeSecurityGroupsResponse = DescribeSecurityGroupById();
validationResult = describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges.Select(p => p.CidrIp).ToList();
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, testCollection);
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, validationResult);
});
authorizeSecurityGroupEgressRequest = new AuthorizeSecurityGroupEgressRequest();
authorizeSecurityGroupEgressRequest.GroupId = SECURITY_GROUP_ID;
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/9", Description = "TestDescription"
}
};
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges = new List <string> {
"0.0.0.0/10"
};
authorizeSecurityGroupEgressRequest.IpPermissions = new List <IpPermission> {
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1]
};
var authorizeSecurityGroupEgressException = Assert.ThrowsException <ArgumentException>(() => Client.AuthorizeSecurityGroupEgress(authorizeSecurityGroupEgressRequest));
Assert.AreEqual(authorizeSecurityGroupEgressException.Message, "Cannot set values for both Ipv4Ranges and IpRanges properties on the IpPermission type which is part of the request. Consider using only Ipv4Ranges as IpRanges has been marked obsolete.");
authorizeSecurityGroupEgressRequest = new AuthorizeSecurityGroupEgressRequest();
authorizeSecurityGroupEgressRequest.GroupId = SECURITY_GROUP_ID;
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/9", Description = "TestDescription"
}
};
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges = new List <string> {
"0.0.0.0/9"
};
testCollection.Add("0.0.0.0/9");
authorizeSecurityGroupEgressRequest.IpPermissions = new List <IpPermission> {
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1]
};
authorizeSecurityGroupEgressResponse = Client.AuthorizeSecurityGroupEgress(authorizeSecurityGroupEgressRequest);
UtilityMethods.WaitUntilSuccess(() =>
{
describeSecurityGroupsResponse = DescribeSecurityGroupById();
validationResult = describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges.Select(p => p.CidrIp).ToList();
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, testCollection);
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, validationResult);
});
authorizeSecurityGroupEgressRequest.IpPermissions[0].Ipv4Ranges = new List <IpRange> {
new IpRange {
CidrIp = "0.0.0.0/10", Description = "TestDescription"
}, new IpRange {
CidrIp = "0.0.0.0/11", Description = "TestDescription"
}
};
authorizeSecurityGroupEgressRequest.IpPermissions[0].IpRanges = new List <string> {
"0.0.0.0/10", "0.0.0.0/11"
};
testCollection.Add("0.0.0.0/10");
testCollection.Add("0.0.0.0/11");
authorizeSecurityGroupEgressResponse = Client.AuthorizeSecurityGroupEgress(authorizeSecurityGroupEgressRequest);
UtilityMethods.WaitUntilSuccess(() =>
{
describeSecurityGroupsResponse = DescribeSecurityGroupById();
validationResult = describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges.Select(p => p.CidrIp).ToList();
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, testCollection);
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, validationResult);
});
var updateSecurityGroupEgressRequest = new UpdateSecurityGroupRuleDescriptionsEgressRequest();
updateSecurityGroupEgressRequest.GroupId = SECURITY_GROUP_ID;
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges = new List <string> {
"0.0.0.0/8"
};
updateSecurityGroupEgressRequest.IpPermissions = new List <IpPermission> {
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1]
};
var updateSecurityGroupEgressResponse = Client.UpdateSecurityGroupRuleDescriptionsEgress(updateSecurityGroupEgressRequest);
Assert.IsNotNull(updateSecurityGroupEgressResponse);
UtilityMethods.WaitUntilSuccess(() =>
{
describeSecurityGroupsResponse = DescribeSecurityGroupById();
validationResult = describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges.Select(p => p.CidrIp).ToList();
CollectionAssert.AreEqual(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].IpRanges, validationResult);
var descriptionTest = describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1].Ipv4Ranges.Where(p => p.CidrIp == "0.0.0.0/8").Select(p => p.Description).Single().ToString();
Assert.AreEqual(descriptionTest, "TestDescription");
});
var revokeSecurityGroupEgressRequest = new RevokeSecurityGroupEgressRequest();
revokeSecurityGroupEgressRequest.GroupId = SECURITY_GROUP_ID;
revokeSecurityGroupEgressRequest.IpPermissions = new List <IpPermission> {
describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress[1]
};
var revokeSecurityGroupIngressResponse = Client.RevokeSecurityGroupEgress(revokeSecurityGroupEgressRequest);
Assert.IsNotNull(revokeSecurityGroupIngressResponse);
UtilityMethods.WaitUntilSuccess(() =>
{
describeSecurityGroupsResponse = DescribeSecurityGroupById();
Assert.IsFalse(describeSecurityGroupsResponse.SecurityGroups[0].IpPermissionsEgress
.Where(p => p.Ipv4Ranges.Contains(new IpRange {
CidrIp = "0.0.0.0/8", Description = "TestDescription"
}) || p.Ipv4Ranges.Contains(new IpRange {
CidrIp = "0.0.0.0/7"
}) || p.IpRanges.Contains("0.0.0.0/7") || p.IpRanges.Contains("0.0.0.0/8")).ToList().Any());
});
}
/// <summary>
/// This method will create a VPC, a public subnet, private subnet and a NAT EC2 instance to allow EC2 instances in the private
/// subnet to establish outbound connections to the internet.
/// </summary>
/// <param name="ec2Client">The ec2client used to create the VPC</param>
/// <param name="request">The properties used to create the VPC.</param>
/// <returns>The response contains all the VPC objects that were created.</returns>
public static LaunchVPCWithPublicAndPrivateSubnetsResponse LaunchVPCWithPublicAndPrivateSubnets(IAmazonEC2 ec2Client, LaunchVPCWithPublicAndPrivateSubnetsRequest request)
{
LaunchVPCWithPublicAndPrivateSubnetsResponse response = new LaunchVPCWithPublicAndPrivateSubnetsResponse();
LaunchVPCWithPublicSubnet(ec2Client, request, response);
response.PrivateSubnet = ec2Client.CreateSubnet(new CreateSubnetRequest()
{
AvailabilityZone = request.PrivateSubnetAvailabilityZone ?? response.PublicSubnet.AvailabilityZone,
CidrBlock = request.PrivateSubnetCiderBlock,
VpcId = response.VPC.VpcId
}).Subnet;
WriteProgress(request.ProgressCallback, "Created private subnet {0}", response.PublicSubnet.SubnetId);
WaitTillTrue(((Func <bool>)(() => (ec2Client.DescribeSubnets(new DescribeSubnetsRequest()
{
SubnetIds = new List <string>()
{
response.PrivateSubnet.SubnetId
}
}).Subnets.Count == 1))));
ec2Client.CreateTags(new CreateTagsRequest()
{
Resources = new List <string>()
{
response.PrivateSubnet.SubnetId
},
Tags = new List <Tag>()
{
new Tag()
{
Key = "Name", Value = "Private"
}
}
});
WriteProgress(request.ProgressCallback, "Launching NAT instance");
response.NATInstance = LaunchNATInstance(ec2Client, new LaunchNATInstanceRequest()
{
InstanceType = request.InstanceType,
KeyName = request.KeyName,
SubnetId = response.PublicSubnet.SubnetId
});
WriteProgress(request.ProgressCallback, "NAT instance is available");
var defaultRouteTable = GetDefaultRouteTable(ec2Client, response.VPC.VpcId);
if (defaultRouteTable == null)
{
throw new AmazonEC2Exception("No default route table found for VPC");
}
ec2Client.CreateRoute(new CreateRouteRequest()
{
RouteTableId = defaultRouteTable.RouteTableId,
DestinationCidrBlock = "0.0.0.0/0",
InstanceId = response.NATInstance.InstanceId
});
WriteProgress(request.ProgressCallback, "Added route to the NAT instance in the default route table");
if (request.ConfigureDefaultVPCGroupForNAT)
{
var defaultSecurityGroup = GetDefaultSecurityGroup(ec2Client, response.VPC.VpcId);
var groupId = ec2Client.CreateSecurityGroup(new CreateSecurityGroupRequest()
{
VpcId = response.VPC.VpcId,
GroupName = "NATGroup",
Description = "Give EC2 Instances access through the NAT"
}).GroupId;
WriteProgress(request.ProgressCallback, "Created security group for NAT configuration");
IpPermission spec = new IpPermission
{
IpProtocol = "-1",
IpRanges = new List <string> {
"0.0.0.0/0"
},
UserIdGroupPairs = new List <UserIdGroupPair>()
{
new UserIdGroupPair()
{
GroupId = groupId
}
}
};
ec2Client.AuthorizeSecurityGroupIngress(new AuthorizeSecurityGroupIngressRequest()
{
IpPermissions = new List <IpPermission>()
{
spec
},
GroupId = defaultSecurityGroup.GroupId
});
WriteProgress(request.ProgressCallback, "Added permission to the default security group {0} to allow traffic from security group {1}", defaultSecurityGroup.GroupId, groupId);
response.NATSecurityGroup = ec2Client.DescribeSecurityGroups(new DescribeSecurityGroupsRequest()
{
GroupIds = new List <string>()
{
groupId
}
}).SecurityGroups[0];
}
return(response);
}
// enumerate VPC security group and create a security group for EC2-VPC
public void create_lunch_checkstatus_for_istance()
{
//Create an Amazon EC2 Client Using the the SDK
var ec2Client = new AmazonEC2Client();
// enumerate VPC security group
string secGroupName = "my-sample-sg-vpc";
SecurityGroup mySG = null;
string vpcID = "vpc-7cdc5904";
Amazon.EC2.Model.Filter vpcFilter = new Amazon.EC2.Model.Filter
{
Name = "vpc-id",
Values = new List <string>()
{
vpcID
}
};
var dsgRequest = new DescribeSecurityGroupsRequest();
dsgRequest.Filters.Add(vpcFilter);
var dsgResponse = ec2Client.DescribeSecurityGroups(dsgRequest);
List <SecurityGroup> mySGs = dsgResponse.SecurityGroups;
foreach (SecurityGroup item in mySGs)
{
Console.WriteLine("Existing security group: " + item.GroupId);
if (item.GroupName == secGroupName)
{
mySG = item;
}
}
//create a security group for EC2-VPC
if (mySG == null)
{
var newSGRequest = new CreateSecurityGroupRequest()
{
GroupName = secGroupName,
Description = "My sample security group for EC2-VPC",
VpcId = vpcID
};
var csgResponse = ec2Client.CreateSecurityGroup(newSGRequest);
Console.WriteLine();
Console.WriteLine("New security group: " + csgResponse.GroupId);
List <string> Groups = new List <string>()
{
csgResponse.GroupId
};
var newSgRequest = new DescribeSecurityGroupsRequest()
{
GroupIds = Groups
};
var newSgResponse = ec2Client.DescribeSecurityGroups(newSgRequest);
mySG = newSgResponse.SecurityGroups[0];
}
//Create and initialize an IpPermission object.
//iprange = the IP addresses of your local machine
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>()
{
ipRange
};
var ipPermission = new IpPermission()
{
IpProtocol = "tcp",
//The beginning and end of the port range. This example specifies a single port, 3389, which is used to communicate with Windows over RDP.
//it should be changed if u launch a linux instance (use 22 insted )
FromPort = 3389,
ToPort = 3389,
IpRanges = ranges
};
//Create and initialize an AuthorizeSecurityGroupIngressRequest object.
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = mySG.GroupId;
ingressRequest.IpPermissions.Add(ipPermission);
//Pass the request object to the AuthorizeSecurityGroupIngress method, which returns an AuthorizeSecurityGroupIngressResponse object.
var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
Console.WriteLine("New RDP rule for: " + ipRange);
//Create and initialize a network interface.for lunch enstance
string subnetID = "subnet-048d6c59";
List <string> groups = new List <string>()
{
mySG.GroupId
};
var eni = new InstanceNetworkInterfaceSpecification()
{
DeviceIndex = 0,
SubnetId = subnetID,
Groups = groups,
AssociatePublicIpAddress = true
};
List <InstanceNetworkInterfaceSpecification> enis = new List <InstanceNetworkInterfaceSpecification>()
{
eni
};
string amiID = "ami-06a0d33fc8d328de0";
string keyPairName = "my-sample-key";
var launchRequest = new RunInstancesRequest()
{
ImageId = amiID,
InstanceType = "m3.large",
MinCount = 1,
MaxCount = 1,
KeyName = keyPairName,
NetworkInterfaces = enis
};
//launch
RunInstancesResponse launchResponse = ec2Client.RunInstances(launchRequest);
List <String> instanceIds = new List <string>();
foreach (Instance instance in launchResponse.Reservation.Instances)
{
Console.WriteLine(instance.InstanceId);
instanceIds.Add(instance.InstanceId);
}
//check the status of the enstance
var instanceRequest = new DescribeInstancesRequest();
instanceRequest.InstanceIds = new List <string>();
instanceRequest.InstanceIds.AddRange(instanceIds);
var response = ec2Client.DescribeInstances(instanceRequest);
Console.WriteLine(response.Reservations[0].Instances[0].State.Name);
}
public bool load_security_group_id()
{
write_log(region + " のセキュリティグループを確認しています。");
try
{
var client = get_client();
var query_req = new DescribeSecurityGroupsRequest();
query_req.Filters.Add(new Filter()
{
Name = "tag-value", Values = new List <string>()
{
Helper.build_name(setting_, "sg")
}
});
var query_res = client.DescribeSecurityGroups(query_req);
write_log("自 IPAddress を確認しています。");
string ipaddress = Helper.get_remote_ipaddress() + "/32";
if (query_res.SecurityGroups.Count != 0)
{
security_group_id = query_res.SecurityGroups[0].GroupId;
foreach (var row in query_res.SecurityGroups[0].IpPermissions)
{
foreach (var row2 in row.IpRanges)
{
if (row2.Equals(ipaddress))
{
write_log(region + " のセキュリティグループは " + security_group_id + " です");
return(true);
}
}
}
}
else
{
write_log(region + " にセキュリティグループを作成しています。");
var create_req = new CreateSecurityGroupRequest();
create_req.VpcId = vpc_id;
create_req.GroupName = "ingress_ssh-sg";
create_req.Description = "from specific ipaddress.";
var create_res = client.CreateSecurityGroup(create_req);
security_group_id = create_res.GroupId;
set_name_tag(client, security_group_id, Helper.build_name(setting_, "sg"));
write_log("セキュリティグループ " + security_group_id + " を作成しました。");
}
write_log("セキュリティグループ " + security_group_id + " に " + ipaddress + " を関連付けます。");
IpPermission ipPermission_22 = new IpPermission();
ipPermission_22.ToPort = 22;
ipPermission_22.FromPort = 22;
ipPermission_22.IpProtocol = "6";
ipPermission_22.IpRanges.Add(ipaddress);
IpPermission ipPermission_53556 = new IpPermission();
ipPermission_53556.ToPort = 53556;
ipPermission_53556.FromPort = 53556;
ipPermission_53556.IpProtocol = "6";
ipPermission_53556.IpRanges.Add(ipaddress);
var authorize_req = new AuthorizeSecurityGroupIngressRequest();
authorize_req.GroupId = security_group_id;
authorize_req.IpPermissions = new List <IpPermission>()
{
ipPermission_22, ipPermission_53556
};
client.AuthorizeSecurityGroupIngress(authorize_req);
set_name_tag(client, security_group_id, Helper.build_name(setting_, "sg"));
write_log("セキュリティグループ " + security_group_id + " を作成しました。");
}
catch (Exception ex)
{
write_log("ERROR: " + ex.ToString());
return(false);
}
return(true);
}
static async Task <string> CreateFleet(string name, string version, string buildId)
{
var config = new AmazonGameLiftConfig();
config.RegionEndpoint = region;
using (AmazonGameLiftClient aglc = new AmazonGameLiftClient(config))
{
// create launch configuration
var serverProcess = new ServerProcess();
serverProcess.ConcurrentExecutions = 1;
serverProcess.LaunchPath = @"C:\game\GameLiftUnity.exe"; // @"/local/game/ReproGLLinux.x86_64";
serverProcess.Parameters = "-batchmode -nographics";
// create inbound IP permissions
var permission1 = new IpPermission();
permission1.FromPort = 1935;
permission1.ToPort = 1935;
permission1.Protocol = IpProtocol.TCP;
permission1.IpRange = "0.0.0.0/0";
// create inbound IP permissions
var permission2 = new IpPermission();
permission2.FromPort = 3389;
permission2.ToPort = 3389;
permission2.Protocol = IpProtocol.TCP;
permission2.IpRange = "0.0.0.0/0";
// create fleet
var cfreq = new CreateFleetRequest();
cfreq.Name = name;
cfreq.Description = version;
cfreq.BuildId = buildId;
cfreq.EC2InstanceType = EC2InstanceType.C4Large;
cfreq.EC2InboundPermissions.Add(permission1);
cfreq.EC2InboundPermissions.Add(permission2);
cfreq.RuntimeConfiguration = new RuntimeConfiguration();
cfreq.RuntimeConfiguration.ServerProcesses = new List <ServerProcess>();
cfreq.RuntimeConfiguration.ServerProcesses.Add(serverProcess);
cfreq.NewGameSessionProtectionPolicy = ProtectionPolicy.NoProtection;
CreateFleetResponse cfres = await aglc.CreateFleetAsync(cfreq);
// set fleet capacity
var ufcreq = new UpdateFleetCapacityRequest();
ufcreq.MinSize = 0;
ufcreq.DesiredInstances = 1;
ufcreq.MaxSize = 1;
ufcreq.FleetId = cfres.FleetAttributes.FleetId;
UpdateFleetCapacityResponse ufcres = await aglc.UpdateFleetCapacityAsync(ufcreq);
// set scaling rule (switch fleet off after 1 day of inactivity)
// If [MetricName] is [ComparisonOperator] [Threshold] for [EvaluationPeriods] minutes, then [ScalingAdjustmentType] to/by [ScalingAdjustment].
var pspreq = new PutScalingPolicyRequest();
pspreq.Name = "Switch fleet off after 1 day of inactivity";
pspreq.MetricName = MetricName.ActiveGameSessions;
pspreq.ComparisonOperator = ComparisonOperatorType.LessThanOrEqualToThreshold;
pspreq.Threshold = 0.0; // double (don't use int)
pspreq.EvaluationPeriods = 1435; // just under 1 day, 1435 appears to be the maximum permitted value now.
pspreq.ScalingAdjustmentType = ScalingAdjustmentType.ExactCapacity;
pspreq.ScalingAdjustment = 0;
pspreq.FleetId = cfres.FleetAttributes.FleetId;
PutScalingPolicyResponse pspres = await aglc.PutScalingPolicyAsync(pspreq);
return(cfres.FleetAttributes.FleetId);
}
}
//[Obsolete]
public async Task <string> CreateEC2InstanceAsync(int serverType = 0)
{
string secGroupName = "myec2";
string instanceID = "";
if (serverType == (int)AWSConstants.server_types.EC2)
{
//Step 1:- check for the security Groups
var isSGExists = await IsSecurityGroupsExistsAsync(secGroupName);
//Step 2:- Create Security Groups
if (!isSGExists)
{
SecurityGroup securityGroup = CreateSecurityGroupAsync(secGroupName).Result;
string ipRange = "0.0.0.0/0";
List <string> ranges = new List <string>
{
ipRange
};
//Step 3:- Attach the IP Permissions
IpPermission ipPermission = new IpPermission()
{
IpProtocol = "All traffic",
FromPort = 0,
ToPort = 65535,
IpRanges = ranges
};
var ingressRequest = new AuthorizeSecurityGroupIngressRequest();
ingressRequest.GroupId = securityGroup.GroupId;
ingressRequest.IpPermissions.Add(ipPermission);
var ingressResponse = amazonEC2Client.AuthorizeSecurityGroupIngressAsync(ingressRequest);
//Step 4:- Create Key Pairs (.pem file)
string keyPairName = CreateKeyPair();
//Step 5:- Create Launch Request Object
string amiID = "ami-0b6158cfa2ae7b493";
List <string> groups = new List <string>()
{
securityGroup.GroupId
};
var launchRequest = new RunInstancesRequest()
{
ImageId = amiID,
InstanceType = "t2.micro",
MinCount = 1,
MaxCount = 1,
KeyName = keyPairName,
SecurityGroupIds = groups
};
var launchResponse = await amazonEC2Client.RunInstancesAsync(launchRequest);
var instances = launchResponse.Reservation.Instances;
var instanceIds = new List <string>();
foreach (Instance item in instances)
{
instanceIds.Add(item.InstanceId);
Console.WriteLine();
Console.WriteLine("New instance: " + item.InstanceId);
Console.WriteLine("Instance state: " + item.State.Name);
}
//Step 6:- Describe Instances to know the status of the instances
var instanceRequest = new DescribeInstancesRequest
{
InstanceIds = new List <string>
{
instanceIds[0]
}
};
while (true)
{
var response = await amazonEC2Client.DescribeInstancesAsync(instanceRequest);
if (response.Reservations[0].Instances[0].State.Name == InstanceStateName.Running)
{
instanceID = response.Reservations[0].Instances[0].PublicDnsName + "With the status of " + InstanceStateName.Running;
break;
}
}
}
}
return(instanceID);
}
private void create_security_group_rule(string key, string secret, Amazon.RegionEndpoint region, string security_group, string serverports, string ipEnpoint = "")
{
HttpStatusCode ret = HttpStatusCode.OK;
string ip = "0.0.0.0";
MailAddress fromMailer = null;
MailAddress toMailer = null;
string mailhost = "";
int mailport = 0;
bool mailssl = false;
string mailuser = "";
string mailpass = "";
bool loadConfig = true;
string partialmsg = "";
if (ipEnpoint != string.Empty)
{
ip = get_external_ip(ipEnpoint);
}
if (loadConfig)
{
try
{
fromMailer = new MailAddress(ConfigurationManager.AppSettings["MAIL-FROM"].ToString());
toMailer = new MailAddress(ConfigurationManager.AppSettings["MAIL-TO"].ToString());
mailhost = ConfigurationManager.AppSettings["MAIL-HOST"].ToString();
mailport = int.Parse(ConfigurationManager.AppSettings["MAIL-PORT"].ToString());
mailssl = bool.Parse(ConfigurationManager.AppSettings["MAIL-SSL"].ToString());
mailuser = ConfigurationManager.AppSettings["MAIL-USER"].ToString();
mailpass = ConfigurationManager.AppSettings["MAIL-PASS"].ToString();
ipEnpoint = ConfigurationManager.AppSettings["IP-ENDPOINT"].ToString();
ip = get_external_ip(ipEnpoint);
}
catch { loadConfig = false; }
}
if (ip != "")
{
try
{
AmazonEC2Client ec2Client = null;
AWSCredentials credentials = new Amazon.Runtime.BasicAWSCredentials(key, secret);
ec2Client = new AmazonEC2Client(credentials, region);
IpRange ipRange = new IpRange
{
CidrIp = ip + "/32",
Description = "Rule created by aws-security-group-access-rule at " + DateTime.Now.ToString()
};
var ingressRequest = new AuthorizeSecurityGroupIngressRequest
{
GroupId = security_group
};
var listaPortas = serverports.Split(',');
foreach (var item in listaPortas)
{
var ipPermission = new IpPermission
{
IpProtocol = "tcp",
FromPort = Int16.Parse(item),
ToPort = Int16.Parse(item)
};
ipPermission.Ipv4Ranges.Add(ipRange);
ingressRequest.IpPermissions.Add(ipPermission);
}
var ingressResponse = ec2Client.AuthorizeSecurityGroupIngress(ingressRequest);
partialmsg += "[AWS Response :: " + ingressResponse.HttpStatusCode.ToString() + "]";
ret = ingressResponse.HttpStatusCode;
#region Debug Section
/*
* switch (ingressResponse.HttpStatusCode)
* {
* case HttpStatusCode.Continue: partialmsg += ""; break;
* case HttpStatusCode.SwitchingProtocols: partialmsg += ""; break;
* case HttpStatusCode.OK: partialmsg += ""; break;
* case HttpStatusCode.Created: partialmsg += ""; break;
* case HttpStatusCode.Accepted: partialmsg += ""; break;
* case HttpStatusCode.NonAuthoritativeInformation: partialmsg += ""; break;
* case HttpStatusCode.NoContent: partialmsg += ""; break;
* case HttpStatusCode.ResetContent: partialmsg += ""; break;
* case HttpStatusCode.PartialContent: partialmsg += ""; break;
* case HttpStatusCode.MultipleChoices: partialmsg += ""; break;
* case HttpStatusCode.MovedPermanently: partialmsg += ""; break;
* case HttpStatusCode.Found: partialmsg += ""; break;
* case HttpStatusCode.SeeOther: partialmsg += ""; break;
* case HttpStatusCode.NotModified: partialmsg += ""; break;
* case HttpStatusCode.UseProxy: partialmsg += ""; break;
* case HttpStatusCode.Unused: partialmsg += ""; break;
* case HttpStatusCode.TemporaryRedirect: partialmsg += ""; break;
* case HttpStatusCode.BadRequest: partialmsg += ""; break;
* case HttpStatusCode.Unauthorized: partialmsg += ""; break;
* case HttpStatusCode.PaymentRequired: partialmsg += ""; break;
* case HttpStatusCode.Forbidden: partialmsg += ""; break;
* case HttpStatusCode.NotFound: partialmsg += ""; break;
* case HttpStatusCode.MethodNotAllowed: partialmsg += ""; break;
* case HttpStatusCode.NotAcceptable: partialmsg += ""; break;
* case HttpStatusCode.ProxyAuthenticationRequired: partialmsg += ""; break;
* case HttpStatusCode.RequestTimeout: partialmsg += ""; break;
* case HttpStatusCode.Conflict: partialmsg += ""; break;
* case HttpStatusCode.Gone: partialmsg += ""; break;
* case HttpStatusCode.LengthRequired: partialmsg += ""; break;
* case HttpStatusCode.PreconditionFailed: partialmsg += ""; break;
* case HttpStatusCode.RequestEntityTooLarge: partialmsg += ""; break;
* case HttpStatusCode.RequestUriTooLong: partialmsg += ""; break;
* case HttpStatusCode.UnsupportedMediaType: partialmsg += ""; break;
* case HttpStatusCode.RequestedRangeNotSatisfiable: partialmsg += ""; break;
* case HttpStatusCode.ExpectationFailed: partialmsg += ""; break;
* case HttpStatusCode.UpgradeRequired: partialmsg += ""; break;
* case HttpStatusCode.InternalServerError: partialmsg += ""; break;
* case HttpStatusCode.NotImplemented: partialmsg += ""; break;
* case HttpStatusCode.BadGateway: partialmsg += ""; break;
* case HttpStatusCode.ServiceUnavailable: partialmsg += ""; break;
* case HttpStatusCode.GatewayTimeout: partialmsg += ""; break;
* case HttpStatusCode.HttpVersionNotSupported: partialmsg += ""; break;
* }
*/
#endregion
}
catch (AmazonEC2Exception ex)
{
ret = ex.StatusCode;
partialmsg += "[ERROR-CODE " + ex.ErrorCode + "] " + ex.Message + "<BR>";
}
finally
{
if (loadConfig)
{
sendEmail(mailhost, mailport, mailssl, mailuser, mailpass, fromMailer, toMailer,
"[aws-security-group-access-rule]" + ret.ToString(),
string.Format("Access granted to ports {1} by IP {0}",
ip, serverports)
);
}
}
}
void sendEmail(string hostname, int port, bool ssl, string user, string pass, MailAddress fromMail, MailAddress toMail, string subject, string message, bool ishtml = false)
{
MailMessage msg = new MailMessage
{
Subject = subject,
Body = message,
IsBodyHtml = ishtml,
Priority = MailPriority.High,
From = fromMail
};
msg.To.Add(toMail);
SmtpClient mailClient = new SmtpClient
{
Host = hostname,
Port = port,
UseDefaultCredentials = false,
Credentials = new NetworkCredential(user, pass),
EnableSsl = ssl
};
mailClient.Send(msg);
}
}
static void Main(string[] args)
{
Amazon.EC2.AmazonEC2Client ec2 = new Amazon.EC2.AmazonEC2Client(RegionEndpoint.APSoutheast2);
var securityGroups = ec2.DescribeSecurityGroupsAsync().Result.SecurityGroups;
foreach (var securityGroup in securityGroups)
{
var dict = securityGroup.IpPermissions.ToList();
var newDict = dict.ToList();
foreach (var rule in dict)
{
if (rule.Ipv4Ranges != null)
{
foreach (var ipv4rule in rule.Ipv4Ranges.ToList())
{
var rulesRegex = new Regex(@"\[(?:\[[^\[\]]*\]|[^\[\]])*\]", RegexOptions.None);
if (ipv4rule.Description == null)
{
continue;
}
var m = rulesRegex.Matches(ipv4rule.Description).ToList();
if (m == null)
{
continue;
}
foreach (Group g in m)
{
var extension = g.Value.Split(new[] { '[', ']' }, StringSplitOptions.RemoveEmptyEntries).ToDictionary(s => s.Split('=')[0], s => s.Split('=')[1]).FirstOrDefault();
if (extension.Key == "fqdn")
{
//get ip from DNS
var newIP = Dns.GetHostEntry(extension.Value).AddressList.FirstOrDefault().ToString() + "/32";
if (ipv4rule.CidrIp == newIP)
{
Console.WriteLine("Didn't update security group. Cidr Still matches");
}
else
{
IpPermission oldPermission = new IpPermission
{
FromPort = rule.FromPort,
IpProtocol = rule.IpProtocol,
ToPort = rule.ToPort
};
oldPermission.Ipv4Ranges.Add(ipv4rule);
var oldlistofpermissions = new List <IpPermission>();
oldlistofpermissions.Add(oldPermission);
//revoke that one rule.
ec2.RevokeSecurityGroupIngressAsync(new Amazon.EC2.Model.RevokeSecurityGroupIngressRequest {
GroupId = securityGroup.GroupId, IpPermissions = oldlistofpermissions
}).Wait();
//add the new one.
IpPermission newPermission = new IpPermission
{
FromPort = rule.FromPort,
IpProtocol = rule.IpProtocol,
ToPort = rule.ToPort
};
var newiprange = new IpRange();
newiprange.CidrIp = newIP;
newiprange.Description = ipv4rule.Description;
newPermission.Ipv4Ranges.Add(newiprange);
var newlistofpermissions = new List <IpPermission>();
newlistofpermissions.Add(newPermission);
//ipv4rule.CidrIp = Dns.GetHostEntry(extension.Value).AddressList.FirstOrDefault().ToString() + "/32";
ec2.AuthorizeSecurityGroupIngressAsync(new Amazon.EC2.Model.AuthorizeSecurityGroupIngressRequest {
GroupId = securityGroup.GroupId, IpPermissions = newlistofpermissions
}).Wait();
}
}
if (extension.Key == "expiry")
{
var isDate = DateTime.TryParse(extension.Value, out DateTime expiry);
if (!isDate)
{
var chronic = new Chronic.Parser();
expiry = chronic.Parse(extension.Value, new Chronic.Options {
EndianPrecedence = Chronic.EndianPrecedence.Little
}).ToTime();
ipv4rule.Description = ipv4rule.Description.Replace(g.Value, $"[expiry={expiry.ToString("yyyy-MM-dd HH:mm")}]");
IpPermission newPermission = new IpPermission
{
FromPort = rule.FromPort,
IpProtocol = rule.IpProtocol,
ToPort = rule.ToPort
};
var newiprange = new IpRange();
newiprange.Description = ipv4rule.Description;
newiprange.CidrIp = ipv4rule.CidrIp;
newPermission.Ipv4Ranges.Add(newiprange);
var newlistofpermissions = new List <IpPermission>();
newlistofpermissions.Add(newPermission);
ec2.UpdateSecurityGroupRuleDescriptionsIngressAsync(new Amazon.EC2.Model.UpdateSecurityGroupRuleDescriptionsIngressRequest {
GroupId = securityGroup.GroupId, IpPermissions = newlistofpermissions
}).Wait();
//ec2.RevokeSecurityGroupIngressAsync(new Amazon.EC2.Model.RevokeSecurityGroupIngressRequest { GroupId = securityGroup.GroupId, IpPermissions = listofpermissions }).Wait();
}
else
{
if (expiry < DateTime.Now)
{
IpPermission permission = new IpPermission
{
FromPort = rule.FromPort,
IpProtocol = rule.IpProtocol,
ToPort = rule.ToPort
};
permission.Ipv4Ranges.Add(ipv4rule);
var listofpermissions = new List <IpPermission>();
listofpermissions.Add(permission);
ec2.RevokeSecurityGroupIngressAsync(new Amazon.EC2.Model.RevokeSecurityGroupIngressRequest {
GroupId = securityGroup.GroupId, IpPermissions = listofpermissions
}).Wait();
//newDict.Where(x => x == rule).Where(y => y.Ipv4Ranges == rule.Ipv4Ranges).First().Ipv4Ranges.Add()
}
}
}
}
}
}
}
}
}
static string IpPermissionToString(IpPermission ipPermission)
{
return(String.Format("IpPermission={{Protocol={0}, FromPort={1}, ToPort={2}, IpRanges=[{3}]}}",
ipPermission.IpProtocol, ipPermission.FromPort, ipPermission.ToPort, String.Join(",", ipPermission.IpRanges)));
}
