This article will demonstrate how to use the Dome9 REST API to attach a Security Group to an instance in your AWS cloud account.
Prerequisites
The account must be onboarded to Dome9, and in full-protection mode.
The procedure requires several steps, using the CloudSecurityGroup and CloudInstance resources.
Get a list of Instances
Request
GET https://api.dome9.com/v2/cloudinstance
Response
[
{
"externalId":"i-004737a77a3fc9375",
"name":"Web3",
"region":"us_east_1",
"vpc":"vpc-a95690d3",
"cloudAccountId":"a*******-****-****-****-***********a",
"isRunning":true,
"instanceType":"t2.micro",
"publicDnsName":"",
"nics":[
{
"publicIpAddress":"",
"privateIpAddress":"10.0.2.49",
"securityGroupIds":[
"sg-013bb64b"
],
"privateDnsName":"10.0.2.49",
"name":"eth0",
"externalId":"eni-f39959a7",
"subnetId":"subnet-22b00d0c"
}
],
"tags":{
"Name":"Web3"
},
"accountId":301,
"image":"ami-685a5a17",
"kernelId":null,
"launchTime":"2018-07-22T14:08:19Z",
"platform":"linux",
"profileArn":null,
"roleArns":null
},
{
"externalId":"i-00afecc34d7436f6c",
"name":"Windows 2012 SQL 2012",
"region":"us_east_1",
"vpc":"vpc-78ec401f",
"cloudAccountId":"5*******-****-****-****-***********b",
"isRunning":false,
"instanceType":"t2.micro",
"publicDnsName":"",
"nics":[
{
"publicIpAddress":"",
"privateIpAddress":"172.30.3.83",
"securityGroupIds":[
"sg-948237e1"
],
"privateDnsName":"172.30.3.83",
"name":"eth0",
"externalId":"eni-b97fa501",
"subnetId":"subnet-901e29ad"
}
],
"tags":{
"Name":"Windows 2012 SQL 2012",
"Type":"SQLServer2012"
},
"accountId":301,
"image":"ami-0808ed72",
"kernelId":null,
"launchTime":"2017-11-24T07:30:23Z",
"platform":"linux",
"profileArn":null,
"roleArns":null
}
]
The externalId of the instance can be obtained from the response. In this example, we will use the second instance in the response.
Get a list of Security Groups
From this list, you can obtain the Security Group id.
Request
GET https://api.dome9.com/v2/cloudsecuritygroup
Response
[
{
"securityGroupId":166637,
"externalId":"sg-6d64cb00",
"isProtected":true,
"securityGroupName":"Bastion",
"description":"a security group intended for bastion servers",
"vpcId":"",
"vpcName":null,
"regionId":"us_east_1",
"cloudAccountId":"5*******-****-****-****-***********b",
"cloudAccountName":"AWS Prod",
"services":{
"inbound":[
{
"id":"1--1",
"name":"All ICMP",
"description":null,
"protocolType":"ICMP",
"port":"256",
"openForAll":false,
"scope":[
{
"type":"CIDR",
"data":{
"cidr":"1.2.3.4/32",
"note":null
}
},
{
"type":"CIDR",
"data":{
"cidr":"2.3.4.5/32",
"note":null
}
}
],
"inbound":true,
"icmpType":"All",
"icmpv6Type":null
}
],
"outbound":[
]
},
"tags":{
"alert":"true"
}
},
{
"securityGroupId":2834333,
"externalId":"sg-cf4873a6",
"isProtected":true,
"securityGroupName":"mySG",
"description":"bad",
"vpcId":"vpc-10f70c79",
"vpcName":null,
"regionId":"eu_west_3",
"cloudAccountId":"a*******-****-****-****-***********a",
"cloudAccountName":"AWS Stage",
"services":{
"inbound":[
],
"outbound":[
]
},
"tags":{
}
},
{
"securityGroupId":2370507,
"externalId":"sg-c84595a1",
"isProtected":false,
"securityGroupName":"default",
"description":"default VPC security group",
"vpcId":"vpc-10f70c79",
"vpcName":null,
"regionId":"eu_west_3",
"cloudAccountId":"a*******-****-****-****-***********a",
"cloudAccountName":"AWS Stage",
"services":{
"inbound":[
],
"outbound":[
]
},
"tags":{
}
}
]
From the response, obtain the securityGroupId. This is the Dome9 internal id (166637 for the Bastion group in this example), not the AWS externalId (sg-6d64cb00). Note that the Bastion group is in the same cloud account and region (us_east_1) as the instance chosen above.
Attach the Security Group to the instance
Use the externalId of the instance and the securityGroupId, obtained above.
Request
POST https://api.dome9.com/v2/cloudinstance/i-00afecc34d7436f6c/sec-groups
Body
{
"groupid":166637,
"nicname":"eth0"
}
The externalId of the instance is included in the request URL, and the Security Group id is passed as groupid in the request body. The nicname parameter indicates the network interface (eth0 in the instance listing above) on which to add the Security Group.
Response
200 OK
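The three steps above, carried out end to end as an added example (this is not code from the Dome9 article or product): list instances and Security Groups, pick the instance by externalId and the group by name, check that the group belongs to the same cloud account and region as the instance and that the requested NIC actually exists on it, and only then build and send the attach request. It assumes the Dome9 v2 API authenticates with an API key id and secret over HTTP basic auth; the sample instance and group records are constructed from the listings shown in the article, with the cloud account ids replaced by placeholders.

```python
"""Attach a Dome9-managed Security Group to an AWS instance via the Dome9 v2 REST API.

Added example, not part of the original article. Assumption: Dome9 API key id and
secret are sent as HTTP basic auth credentials.
"""
import base64
import json
import urllib.request

BASE_URL = "https://api.dome9.com/v2"

# Constructed sample data, trimmed from the article's responses. Account ids are placeholders.
SAMPLE_INSTANCES = [
    {"externalId": "i-004737a77a3fc9375", "name": "Web3", "region": "us_east_1",
     "vpc": "vpc-a95690d3", "cloudAccountId": "account-a",
     "nics": [{"name": "eth0", "securityGroupIds": ["sg-013bb64b"]}]},
    {"externalId": "i-00afecc34d7436f6c", "name": "Windows 2012 SQL 2012",
     "region": "us_east_1", "vpc": "vpc-78ec401f", "cloudAccountId": "account-b",
     "nics": [{"name": "eth0", "securityGroupIds": ["sg-948237e1"]}]},
]
SAMPLE_GROUPS = [
    {"securityGroupId": 166637, "externalId": "sg-6d64cb00", "securityGroupName": "Bastion",
     "regionId": "us_east_1", "cloudAccountId": "account-b", "isProtected": True},
    {"securityGroupId": 2834333, "externalId": "sg-cf4873a6", "securityGroupName": "mySG",
     "regionId": "eu_west_3", "cloudAccountId": "account-a", "isProtected": True},
]


def find_instance(instances, external_id):
    """Return the instance record whose AWS externalId matches (the id used in the URL)."""
    for inst in instances:
        if inst["externalId"] == external_id:
            return inst
    raise LookupError(f"instance {external_id} not found in listing")


def find_security_group(groups, group_name, instance):
    """Pick the group by name, refusing one in another cloud account or region.

    A name match alone is not enough: groups called e.g. 'default' exist in every VPC,
    and attaching one from the wrong account/region fails at AWS."""
    for sg in groups:
        if sg["securityGroupName"] != group_name:
            continue
        if sg["cloudAccountId"] != instance["cloudAccountId"]:
            raise ValueError(f"security group {group_name} belongs to a different cloud account")
        if sg["regionId"] != instance["region"]:
            raise ValueError(f"security group {group_name} is in {sg['regionId']}, "
                             f"instance is in {instance['region']}")
        return sg
    raise LookupError(f"security group {group_name} not found in listing")


def build_attach_request(instance, group, nic_name="eth0"):
    """Build the POST URL and body; the instance id goes in the URL, the Dome9
    securityGroupId (not the AWS sg-... id) and NIC name go in the body."""
    nic_names = [nic["name"] for nic in instance["nics"]]
    if nic_name not in nic_names:
        raise ValueError(f"instance has no NIC named {nic_name}; known NICs: {nic_names}")
    url = f"{BASE_URL}/cloudinstance/{instance['externalId']}/sec-groups"
    body = {"groupid": group["securityGroupId"], "nicname": nic_name}
    return url, body


def dome9_request(method, url, key_id, key_secret, body=None):
    """Send one authenticated request; returns (HTTP status, parsed JSON or None)."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Basic " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return resp.status, (json.loads(raw) if raw else None)


def attach_security_group(key_id, key_secret, instance_id, group_name, nic_name="eth0"):
    """Full procedure against the live API: list, validate, attach. Returns the HTTP status."""
    _, instances = dome9_request("GET", f"{BASE_URL}/cloudinstance", key_id, key_secret)
    _, groups = dome9_request("GET", f"{BASE_URL}/cloudsecuritygroup", key_id, key_secret)
    inst = find_instance(instances, instance_id)
    sg = find_security_group(groups, group_name, inst)
    url, body = build_attach_request(inst, sg, nic_name)
    status, _ = dome9_request("POST", url, key_id, key_secret, body)
    return status


if __name__ == "__main__":
    # Offline walk-through on the constructed sample data (no API call made).
    inst = find_instance(SAMPLE_INSTANCES, "i-00afecc34d7436f6c")
    sg = find_security_group(SAMPLE_GROUPS, "Bastion", inst)
    print(build_attach_request(inst, sg, "eth0"))
```

Running the script offline prints the URL and body that the article's final step sends; `attach_security_group` performs the same selection against live listings and returns the 200 status on success. The account and region checks are the part worth keeping: the Dome9 group listing spans all onboarded accounts, so a script that matched on name alone could pick a group from a different account and fail, or quietly attach the wrong one where names collide.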