Attach a Security Group to an Instance using the CloudGuard Dome9 API
Solution

This article will demonstrate how to use the Dome9 REST API to attach a Security Group to an instance in your AWS cloud account.

Prerequisites

The account must be onboarded to Dome9 and be in full-protection mode.

The procedure requires several steps, using the CloudSecurityGroup and CloudInstance resources.

Get a list of Instances

Request

GET https://api.dome9.com/v2/cloudinstance

Response

[
  {
    "externalId": "i-004737a77a3fc9375",
    "name": "Web3",
    "region": "us_east_1",
    "vpc": "vpc-a95690d3",
    "cloudAccountId": "a*******-****-****-****-***********a",
    "isRunning": true,
    "instanceType": "t2.micro",
    "publicDnsName": "",
    "nics": [
      {
        "publicIpAddress": "",
        "privateIpAddress": "10.0.2.49",
        "securityGroupIds": [
          "sg-013bb64b"
        ],
        "privateDnsName": "10.0.2.49",
        "name": "eth0",
        "externalId": "eni-f39959a7",
        "subnetId": "subnet-22b00d0c"
      }
    ],
    "tags": {
      "Name": "Web3"
    },
    "accountId": 301,
    "image": "ami-685a5a17",
    "kernelId": null,
    "launchTime": "2018-07-22T14:08:19Z",
    "platform": "linux",
    "profileArn": null,
    "roleArns": null
  },
  {
    "externalId": "i-00afecc34d7436f6c",
    "name": "Windows 2012 SQL 2012",
    "region": "us_east_1",
    "vpc": "vpc-78ec401f",
    "cloudAccountId": "5*******-****-****-****-***********b",
    "isRunning": false,
    "instanceType": "t2.micro",
    "publicDnsName": "",
    "nics": [
      {
        "publicIpAddress": "",
        "privateIpAddress": "172.30.3.83",
        "securityGroupIds": [
          "sg-948237e1"
        ],
        "privateDnsName": "172.30.3.83",
        "name": "eth0",
        "externalId": "eni-b97fa501",
        "subnetId": "subnet-901e29ad"
      }
    ],
    "tags": {
      "Name": "Windows 2012 SQL 2012",
      "Type": "SQLServer2012"
    },
    "accountId": 301,
    "image": "ami-0808ed72",
    "kernelId": null,
    "launchTime": "2017-11-24T07:30:23Z",
    "platform": "linux",
    "profileArn": null,
    "roleArns": null
  }
]

The externalId of the instance can be obtained from the response. In this example, we will use the second instance in the response.

Get a list of Security Groups

From this list, you can obtain the Security Group id.

Request

GET https://api.dome9.com/v2/cloudsecuritygroup

Response

[
  {
    "securityGroupId": 166637,
    "externalId": "sg-6d64cb00",
    "isProtected": true,
    "securityGroupName": "Bastion",
    "description": "a security group intended for bastion servers",
    "vpcId": "",
    "vpcName": null,
    "regionId": "us_east_1",
    "cloudAccountId": "5*******-****-****-****-***********b",
    "cloudAccountName": "AWS Prod",
    "services": {
      "inbound": [
        {
          "id": "1--1",
          "name": "All ICMP",
          "description": null,
          "protocolType": "ICMP",
          "port": "256",
          "openForAll": false,
          "scope": [
            {
              "type": "CIDR",
              "data": {
                "cidr": "1.2.3.4/32",
                "note": null
              }
            },
            {
              "type": "CIDR",
              "data": {
                "cidr": "2.3.4.5/32",
                "note": null
              }
            }
          ],
          "inbound": true,
          "icmpType": "All",
          "icmpv6Type": null
        }
      ],
      "outbound": []
    },
    "tags": {
      "alert": "true"
    }
  },
  {
    "securityGroupId": 2834333,
    "externalId": "sg-cf4873a6",
    "isProtected": true,
    "securityGroupName": "mySG",
    "description": "bad",
    "vpcId": "vpc-10f70c79",
    "vpcName": null,
    "regionId": "eu_west_3",
    "cloudAccountId": "a*******-****-****-****-***********a",
    "cloudAccountName": "AWS Stage",
    "services": {
      "inbound": [],
      "outbound": []
    },
    "tags": {}
  },
  {
    "securityGroupId": 2370507,
    "externalId": "sg-c84595a1",
    "isProtected": false,
    "securityGroupName": "default",
    "description": "default VPC security group",
    "vpcId": "vpc-10f70c79",
    "vpcName": null,
    "regionId": "eu_west_3",
    "cloudAccountId": "a*******-****-****-****-***********a",
    "cloudAccountName": "AWS Stage",
    "services": {
      "inbound": [],
      "outbound": []
    },
    "tags": {}
  }
]

From the response, the securityGroupId can be obtained.

Attach the Security Group to the instance

Use the externalId of the instance and the securityGroupId, obtained above.

Request

POST https://api.dome9.com/v2/cloudinstance/i-00afecc34d7436f6c/sec-groups

Body

{
  "groupid": 166637,
  "nicname": "eth0"
}

The Security Group id is included in the request URL. The nicname parameter indicates the network device on which to add the Security Group.

Response

200 OK
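
Added example (not part of the original article and not Check Point code): a pre-flight check in Python that runs against trimmed copies of the two list responses above and builds the attach request without sending it. The function name build_attach_request, and the checks on matching account/region and on isProtected, are assumptions made for this example.

```python
import json

API = "https://api.dome9.com/v2"

# Trimmed copies of the two list responses shown on this page (masked IDs kept as-is).
INSTANCES = json.loads("""[
 {"externalId":"i-004737a77a3fc9375","region":"us_east_1",
  "cloudAccountId":"a*******-****-****-****-***********a",
  "nics":[{"name":"eth0","securityGroupIds":["sg-013bb64b"]}]},
 {"externalId":"i-00afecc34d7436f6c","region":"us_east_1",
  "cloudAccountId":"5*******-****-****-****-***********b",
  "nics":[{"name":"eth0","securityGroupIds":["sg-948237e1"]}]}]""")
GROUPS = json.loads("""[
 {"securityGroupId":166637,"externalId":"sg-6d64cb00","isProtected":true,
  "regionId":"us_east_1","cloudAccountId":"5*******-****-****-****-***********b"},
 {"securityGroupId":2370507,"externalId":"sg-c84595a1","isProtected":false,
  "regionId":"eu_west_3","cloudAccountId":"a*******-****-****-****-***********a"}]""")


def build_attach_request(instances, groups, instance_id, group_id, nic_name="eth0"):
    """Validate the pairing, then return (method, url, body) for the attach call."""
    inst = next((i for i in instances if i["externalId"] == instance_id), None)
    if inst is None:
        raise ValueError(f"instance {instance_id} not in cloudinstance list")
    # groupid is Dome9's numeric securityGroupId, not the AWS sg-... externalId.
    grp = next((g for g in groups if g["securityGroupId"] == group_id), None)
    if grp is None:
        raise ValueError(f"securityGroupId {group_id} not in cloudsecuritygroup list")
    nic = next((n for n in inst["nics"] if n["name"] == nic_name), None)
    if nic is None:
        raise ValueError(f"instance has no NIC named {nic_name}")
    # Assumption: group and instance must share cloud account and region.
    if (grp["cloudAccountId"], grp["regionId"]) != (inst["cloudAccountId"], inst["region"]):
        raise ValueError("security group and instance are in different account/region")
    # Assumption: isProtected reflects the full-protection prerequisite.
    if not grp["isProtected"]:
        raise ValueError("security group is not protected by Dome9")
    # NICs list AWS external ids, so compare against the group's externalId.
    if grp["externalId"] in nic["securityGroupIds"]:
        raise ValueError("security group already attached to this NIC")
    url = f"{API}/cloudinstance/{instance_id}/sec-groups"
    return "POST", url, {"groupid": group_id, "nicname": nic_name}


if __name__ == "__main__":
    print(build_attach_request(INSTANCES, GROUPS, "i-00afecc34d7436f6c", 166637))
```

Passing the AWS id (sg-6d64cb00) instead of the numeric securityGroupId is rejected before any request is built, which catches the most likely mix-up between the two identifiers.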
