Attach a Security Group to an Instance using the Dome9 API

    This article will demonstrate how to use the Dome9 REST API to attach a Security Group to an instance in your AWS cloud account.

    Prerequisites

    The account must be onboarded to Dome9, and in full-protection mode.

    The procedure requires several steps, using the CloudSecurityGroup and CloudInstance resources.

    Get a list of Instances

    Request

    GET https://api.dome9.com/v2/cloudinstance

    Response

    [  
       {  
          "externalId":"i-004737a77a3fc9375",
          "name":"Web3",
          "region":"us_east_1",
          "vpc":"vpc-a95690d3",
          "cloudAccountId":"a*******-****-****-****-***********a",
          "isRunning":true,
          "instanceType":"t2.micro",
          "publicDnsName":"",
          "nics":[  
             {  
                "publicIpAddress":"",
                "privateIpAddress":"10.0.2.49",
                "securityGroupIds":[  
                   "sg-013bb64b"
                ],
                "privateDnsName":"10.0.2.49",
                "name":"eth0",
                "externalId":"eni-f39959a7",
                "subnetId":"subnet-22b00d0c"
             }
          ],
          "tags":{  
             "Name":"Web3"
          },
          "accountId":301,
          "image":"ami-685a5a17",
          "kernelId":null,
          "launchTime":"2018-07-22T14:08:19Z",
          "platform":"linux",
          "profileArn":null,
          "roleArns":null
       },
       {  
          "externalId":"i-00afecc34d7436f6c",
          "name":"Windows 2012 SQL 2012",
          "region":"us_east_1",
          "vpc":"vpc-78ec401f",
          "cloudAccountId":"5*******-****-****-****-***********b",
          "isRunning":false,
          "instanceType":"t2.micro",
          "publicDnsName":"",
          "nics":[  
             {  
                "publicIpAddress":"",
                "privateIpAddress":"172.30.3.83",
                "securityGroupIds":[  
                   "sg-948237e1"
                ],
                "privateDnsName":"172.30.3.83",
                "name":"eth0",
                "externalId":"eni-b97fa501",
                "subnetId":"subnet-901e29ad"
             }
          ],
          "tags":{  
             "Name":"Windows 2012 SQL 2012",
             "Type":"SQLServer2012"
          },
          "accountId":301,
          "image":"ami-0808ed72",
          "kernelId":null,
          "launchTime":"2017-11-24T07:30:23Z",
          "platform":"linux",
          "profileArn":null,
          "roleArns":null
       }
    ]

    The externalId of the instance can be obtained from the response. In this example, we will use the second instance in the response.

    Get a list of Security Groups

    From this list, you can obtain the Security Group id.

    Request

    GET https://api.dome9.com/v2/cloudsecuritygroup

    Response

    [  
       {  
          "securityGroupId":166637,
          "externalId":"sg-6d64cb00",
          "isProtected":true,
          "securityGroupName":"Bastion",
          "description":"a security group intended for bastion servers",
          "vpcId":"",
          "vpcName":null,
          "regionId":"us_east_1",
          "cloudAccountId":"5*******-****-****-****-***********b",
          "cloudAccountName":"AWS Prod",
          "services":{  
             "inbound":[  
                {  
                   "id":"1--1",
                   "name":"All ICMP",
                   "description":null,
                   "protocolType":"ICMP",
                   "port":"256",
                   "openForAll":false,
                   "scope":[  
                      {  
                         "type":"CIDR",
                         "data":{  
                            "cidr":"1.2.3.4/32",
                            "note":null
                         }
                      },
                      {  
                         "type":"CIDR",
                         "data":{  
                            "cidr":"2.3.4.5/32",
                            "note":null
                         }
                      }
                   ],
                   "inbound":true,
                   "icmpType":"All",
                   "icmpv6Type":null
                }
             ],
             "outbound":[  
             ]
          },
          "tags":{  
             "alert":"true"
          }
       },
       {  
          "securityGroupId":2834333,
          "externalId":"sg-cf4873a6",
          "isProtected":true,
          "securityGroupName":"mySG",
          "description":"bad",
          "vpcId":"vpc-10f70c79",
          "vpcName":null,
          "regionId":"eu_west_3",
          "cloudAccountId":"a*******-****-****-****-***********a",
          "cloudAccountName":"AWS Stage",
          "services":{  
             "inbound":[  
             ],
             "outbound":[  
             ]
          },
          "tags":{  
          }
       },
       {  
          "securityGroupId":2370507,
          "externalId":"sg-c84595a1",
          "isProtected":false,
          "securityGroupName":"default",
          "description":"default VPC security group",
          "vpcId":"vpc-10f70c79",
          "vpcName":null,
          "regionId":"eu_west_3",
          "cloudAccountId":"a*******-****-****-****-***********a",
          "cloudAccountName":"AWS Stage",
          "services":{  
             "inbound":[  
             ],
             "outbound":[  
             ]
          },
          "tags":{  
          }
       }
    ]

    From the response, the securityGroupId can be obtained.

    Attach the Security Group to the instance

    Use the externalId of the instance and the securityGroupId, obtained above.

    Request

    POST https://api.dome9.com/v2/cloudinstance/i-00afecc34d7436f6c/sec-groups

    Body

    {  
       "groupid":166637,
       "nicname":"eth0"
    }

    The externalId of the instance is included in the request URL, and the Security Group id is passed as groupid in the request body. The nicname parameter indicates the network device on which to add the Security Group.

    Response

    200 OK
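
The three steps above combined, as an added example that is not part of the original Dome9 article: it picks the instance and Security Group out of the two listings, checks the pairing, and builds the attach request without sending it. The sample data is a trimmed, constructed copy of the responses on this page; `plan_attach` and its account/region, NIC and open-rule checks are assumptions of this example, and authentication is left out.

```python
import json
from urllib.parse import quote

API = "https://api.dome9.com/v2"

# Constructed sample data: trimmed copies of the list responses shown on this page.
INSTANCES = [{
    "externalId": "i-00afecc34d7436f6c", "region": "us_east_1",
    "cloudAccountId": "5*******-****-****-****-***********b",
    "nics": [{"name": "eth0", "securityGroupIds": ["sg-948237e1"]}],
}]
GROUPS = [
    {"securityGroupId": 166637, "externalId": "sg-6d64cb00", "regionId": "us_east_1",
     "cloudAccountId": "5*******-****-****-****-***********b",
     "services": {"inbound": [{"name": "All ICMP", "openForAll": False}]}},
    {"securityGroupId": 2370507, "externalId": "sg-c84595a1", "regionId": "eu_west_3",
     "cloudAccountId": "a*******-****-****-****-***********a",
     "services": {"inbound": []}},
]


def plan_attach(instances, groups, instance_id, group_id, nic_name="eth0"):
    """Validate the pairing, then return (method, url, body, warnings)."""
    inst = next((i for i in instances if i["externalId"] == instance_id), None)
    sg = next((g for g in groups if g["securityGroupId"] == group_id), None)
    if inst is None or sg is None:
        raise LookupError("instance or Security Group not found in the listings")
    # Sanity checks added by this example (not documented Dome9 behaviour).
    if (inst["cloudAccountId"], inst["region"]) != (sg["cloudAccountId"], sg["regionId"]):
        raise ValueError("Security Group is in a different account or region")
    nic = next((n for n in inst["nics"] if n["name"] == nic_name), None)
    if nic is None:
        raise ValueError(f"instance has no NIC named {nic_name!r}")
    if sg["externalId"] in nic["securityGroupIds"]:
        raise ValueError("Security Group is already attached to this NIC")
    # Flag inbound rules open to any source so they get reviewed before attaching.
    warnings = [f"inbound rule {r['name']!r} is open to all"
                for r in sg["services"]["inbound"] if r["openForAll"]]
    url = f"{API}/cloudinstance/{quote(instance_id, safe='')}/sec-groups"
    body = json.dumps({"groupid": group_id, "nicname": nic_name})
    return "POST", url, body, warnings


if __name__ == "__main__":
    print(plan_attach(INSTANCES, GROUPS, "i-00afecc34d7436f6c", 166637))
```
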