Use ALIYUN::CLOUDFW::VpcFirewallControlPolicy to add an access control policy to a policy group of a VPC firewall - Resource Orchestration Service

ALIYUN::CLOUDFW::VpcFirewallControlPolicy is used to add an access control policy to a policy group of a virtual private cloud (VPC) firewall.

Syntax

{
  "Type": "ALIYUN::CLOUDFW::VpcFirewallControlPolicy",
  "Properties": {
    "Destination": String,
    "ApplicationName": String,
    "Description": String,
    "SourceType": String,
    "DestPort": String,
    "AclAction": String,
    "Lang": String,
    "DestinationType": String,
    "VpcFirewallId": String,
    "Source": String,
    "DestPortType": String,
    "Proto": String,
    "RegionId": String,
    "NewOrder": String,
    "DestPortGroup": String,
    "Release": Boolean,
    "RepeatType": String,
    "StartTime": Integer,
    "RepeatEndTime": String,
    "RepeatDays": List,
    "EndTime": Integer,
    "RepeatStartTime": String,
    "ApplicationNameList": List,
    "MemberUid": String
  }
}

Properties

Property	Type	Required	Editable	Description	Constraint
AclAction	String	Yes	Yes	The action that Cloud Firewall performs on the traffic.	Valid values: accept: allows the traffic. drop: denies the traffic. log: monitors the traffic.
ApplicationName	String	No	Yes	The application types that the access control policy supports.	Valid values: FTP HTTP HTTPS MySQL SMTP SMTPS RDP VNC SSH Redis MQTT MongoDB Memcache SSL ANY (A value of ANY specifies all application types.)
Description	String	Yes	Yes	The description of the access control policy.	None.
Destination	String	Yes	Yes	The destination address in the access control policy.	Valid values: If you set DestinationType to net, the value of Destination is a destination CIDR block. Example: 10.2.3.0/24. If you set DestinationType to group, the value of Destination is a destination address book name. Example: db_group. If you set DestinationType to domain, the value of Destination is a destination domain name. Example: *.aliyuncs.com.
DestinationType	String	Yes	Yes	The type of the destination address in the access control policy.	Valid values: net: destination CIDR block group: destination address book domain: destination domain name
NewOrder	String	Yes	No	The priority of the access control policy.	The number in the priority value starts from 1. A smaller positive value among all positive values indicates a higher priority. A value of 1 indicates the highest priority. Note A value of -1 indicates the lowest priority.
Proto	String	Yes	No	The protocol types in the access control policy.	Valid values: ANY (You can use this value if you are not sure about the protocol types.) TCP UDP ICMP
Source	String	Yes	Yes	The source address in the access control policy.	Valid values: If you set SourceType to net, the value of Source is a source CIDR block. Example: 10.2.3.0/24. If you set SourceType to group, the value of Source is a source address book name. Example: db_group.
SourceType	String	Yes	Yes	The type of the source address in the access control policy.	Valid values: net: source CIDR block group: source address book
VpcFirewallId	String	Yes	No	The ID of the policy group to which you want to add the access control policy.	Valid values: If you want to use the VPC firewall to protect Cloud Enterprise Network (CEN), the value of VpcFirewallId is the ID of a CEN instance. Example: cen-ervw5jbw1234***. If you want to use the VPC firewall to protect Express Connect, the value of VpcFirewallId is the ID of the VPC firewall. Example: vfw-a42bbb748c91234***. You can call the DescribeVpcFirewallAclGroupList operation to query the policy group ID of the VPC firewall.
DestPort	String	No	Yes	The destination port in the access control policy.	You must specify this property when DestPortType is set to port.
DestPortGroup	String	No	Yes	The name of the destination port address book in the access control policy.	You must specify this property when DestPortType is set to group.
DestPortType	String	No	Yes	The type of the destination port in the access control policy.	Valid values: port: port group: port address book
Lang	String	No	Yes	The language of the content within the request and response.	Valid values: zh: Chinese en: English
RegionId	String	No	No	The region ID.	Valid values: cn-hangzhou (default): the ID of the China (Hangzhou) region ap-southeast-1: the ID of the Singapore region
Release	Boolean	No	No	Specifies whether to enable the access control policy.	By default, an access control policy is enabled after it is created. Valid values: true false
RepeatType	String	No	No	The recurrence type of the access control policy.	Valid values: Permanent (default): The policy always takes effect. None: The policy takes effect only once. Daily: The policy takes effect on a daily basis. Weekly: The policy takes effect on a weekly basis. Monthly: The policy takes effect on a monthly basis.
StartTime	Integer	No	No	The point in time when the validity period of the access control policy starts.	The value is a timestamp in seconds. The value must be on the hour or on the half hour, and at least 30 minutes earlier than the end time. Note If RepeatType is set to Permanent, the value of StartTime is empty. If RepeatType is set to None, Daily, Weekly, or Monthly, StartTime must be configured.
RepeatEndTime	String	No	No	The point in time when the recurrence of the access control policy ends.	Example: 23:30. The value must be on the hour or on the half hour, and at least 30 minutes later than the start time. Note If RepeatType is set to Permanent or None, the value of RepeatEndTime is empty. If RepeatType is set to Daily, Weekly, or Monthly, RepeatEndTime must be configured.
RepeatDays	List	No	Yes	The days of a week or of a month on which the access control policy takes effect.	If RepeatType is set to `Permanent`, `None`, or `Daily`, the value of RepeatDays is an empty list. Example: []. If RepeatType is set to Weekly, RepeatDays must be configured. Example: [0, 6]. Note The values specified for RepeatDays cannot be repeated if RepeatType is set to Weekly. If RepeatType is set to `Monthly`, RepeatDays must be configured. Example: [1, 31]. Note The values specified for RepeatDays cannot be repeated if RepeatType is set to Monthly.
EndTime	Integer	No	No	The point in time when the validity period of the access control policy ends.	The value is a timestamp in seconds. The value must be on the hour or on the half hour, and at least 30 minutes later than the start time. Note If RepeatType is set to Permanent, the value of EndTime is empty. If RepeatType is set to None, Daily, Weekly, or Monthly, EndTime must be configured.
RepeatStartTime	String	No	No	The point in time when the recurrence of the access control policy starts.	Example: 08:00. The value must be on the hour or on the half hour, and at least 30 minutes earlier than the end time. Note If RepeatType is set to Permanent or None, the value of RepeatStartTime is empty. If RepeatType is set to Daily, Weekly, or Monthly, RepeatStartTime must be configured.
ApplicationNameList	List	No	No	The application name.	None.
MemberUid	String	No	No	The UID of the member in Cloud Firewall.	None.

Return values

Fn::GetAtt

AclUuid: the unique ID of the access control policy.

Examples

`YAML` format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AclAction:
    AllowedValues:
    - accept
    - drop
    - log
    Description: 'The action that Cloud Firewall performs on the traffic. Valid values:

      accept: allows the traffic.

      drop: denies the traffic.

      log: monitors the traffic.'
    Type: String
  ApplicationName:
    AllowedValues:
    - ANY
    - FTP
    - HTTP
    - HTTPS
    - MySQL
    - SMTP
    - SMTPS
    - RDP
    - VNC
    - SSH
    - Redis
    - MQTT
    - MongoDB
    - Memcache
    - SSL
    Description: "The application type that the access control policy supports.\n\
      Valid values: \nANY (indicates that all application types are supported) \n\
      FTP \nHTTP \nHTTPS \nMySQL \nSMTP \nSMTPS \nRDP \nVNC \nSSH \nRedis \nMQTT \n\
      MongoDB \nMemcache \nSSL"
    Type: String
  Description:
    Description: The description of the access control policy.
    Type: String
  DestPort:
    Description: 'The destination port in the access control policy.

      Note This parameter must be specified if the DestPortType parameter is set to
      port.'
    Type: String
  DestPortGroup:
    Description: 'The address book of destination ports in the access control policy.

      Note This parameter must be specified if the DestPortType parameter is set to
      group.'
    Type: String
  DestPortType:
    AllowedValues:
    - group
    - port
    Description: 'The type of the destination port in the access control policy. Valid
      values:

      port: port

      group: address book'
    Type: String
  Destination:
    Description: 'The destination address in the access control policy.

      Set this parameter in the following way:

      If the DestinationType parameter is set to net, set the value to a Classless
      Inter-Domain Routing (CIDR) block.

      Example: 10.2.3.0/24.

      If the DestinationType parameter is set to group, set the value to the name
      of an address book.

      Example: db_group.

      If the DestinationType parameter is set to domain, set the value to a domain
      name.

      Example: *.aliyuncs.com.'
    Type: String
  DestinationType:
    AllowedValues:
    - domain
    - group
    - net
    Description: 'The type of the destination address in the access control policy.
      Valid values:

      net: CIDR block

      group: address book

      domain: domain name'
    Type: String
  Lang:
    AllowedValues:
    - en
    - zh
    Description: 'The natural language of the request and response. Valid values:

      zh: Chinese

      en: English'
    Type: String
  NewOrder:
    Description: 'The priority of the access control policy.

      The priority value starts from 1. A smaller priority value indicates a higher
      priority.

      Note The value of -1 indicates the lowest priority.'
    Type: String
  Proto:
    AllowedValues:
    - ANY
    - TCP
    - UDP
    - ICMP
    Description: The type of the security protocol in the access control policy.
    Type: String
  RegionId:
    AllowedValues:
    - cn-hangzhou
    - ap-southeast-1
    Default: cn-hangzhou
    Description: Region ID. Default to cn-hangzhou.
    Type: String
  Source:
    Description: 'The source address in the access control policy.

      If the SourceType parameter is set to net, set the value to a CIDR block. Example:
      10.2.3.0/24.

      If the SourceType parameter is set to group, set the value to the name of an
      address book. Example: db_group.'
    Type: String
  SourceType:
    AllowedValues:
    - group
    - net
    Description: 'The type of the source address in the access control policy. Valid
      values:

      net: CIDR block

      group: address book'
    Type: String
  VpcFirewallId:
    Description: 'The ID of the policy group to which you want to add the access control
      policy.

      If the VPC firewall is used to protect CEN, set the value to the ID of the CEN
      instance

      that the VPC firewall protects. Example: cen-ervw5jbw1234*****.

      If the VPC firewall is used to protect Express Connect, set the value to the
      ID of

      the VPC firewall instance. Example: vfw-a42bbb748c91234*****.

      Note You can call the DescribeVpcFirewallAclGroupList operation to query the
      ID of the policy group.'
    Type: String
Resources:
  VpcFirewallControlPolicy:
    Properties:
      AclAction:
        Ref: AclAction
      ApplicationName:
        Ref: ApplicationName
      Description:
        Ref: Description
      DestPort:
        Ref: DestPort
      DestPortGroup:
        Ref: DestPortGroup
      DestPortType:
        Ref: DestPortType
      Destination:
        Ref: Destination
      DestinationType:
        Ref: DestinationType
      Lang:
        Ref: Lang
      NewOrder:
        Ref: NewOrder
      Proto:
        Ref: Proto
      RegionId:
        Ref: RegionId
      Source:
        Ref: Source
      SourceType:
        Ref: SourceType
      VpcFirewallId:
        Ref: VpcFirewallId
    Type: ALIYUN::CLOUDFW::VpcFirewallControlPolicy
Outputs:
  AclUuid:
    Description: The unique ID of the access control policy.
    Value:
      Fn::GetAtt:
      - VpcFirewallControlPolicy
      - AclUuid

`JSON` format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Destination": {
      "Type": "String",
      "Description": "The destination address in the access control policy.\nSet this parameter in the following way:\nIf the DestinationType parameter is set to net, set the value to a Classless Inter-Domain Routing (CIDR) block.\nExample: 10.2.3.0/24.\nIf the DestinationType parameter is set to group, set the value to the name of an address book.\nExample: db_group.\nIf the DestinationType parameter is set to domain, set the value to a domain name.\nExample: *.aliyuncs.com."
    },
    "ApplicationName": {
      "Type": "String",
      "Description": "The application type that the access control policy supports.\nValid values: \nANY (indicates that all application types are supported) \nFTP \nHTTP \nHTTPS \nMySQL \nSMTP \nSMTPS \nRDP \nVNC \nSSH \nRedis \nMQTT \nMongoDB \nMemcache \nSSL",
      "AllowedValues": [
        "ANY",
        "FTP",
        "HTTP",
        "HTTPS",
        "MySQL",
        "SMTP",
        "SMTPS",
        "RDP",
        "VNC",
        "SSH",
        "Redis",
        "MQTT",
        "MongoDB",
        "Memcache",
        "SSL"
      ]
    },
    "Description": {
      "Type": "String",
      "Description": "The description of the access control policy."
    },
    "SourceType": {
      "Type": "String",
      "Description": "The type of the source address in the access control policy. Valid values:\nnet: CIDR block\ngroup: address book",
      "AllowedValues": [
        "group",
        "net"
      ]
    },
    "DestPort": {
      "Type": "String",
      "Description": "The destination port in the access control policy.\nNote This parameter must be specified if the DestPortType parameter is set to port."
    },
    "AclAction": {
      "Type": "String",
      "Description": "The action that Cloud Firewall performs on the traffic. Valid values:\naccept: allows the traffic.\ndrop: denies the traffic.\nlog: monitors the traffic.",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Lang": {
      "Type": "String",
      "Description": "The natural language of the request and response. Valid values:\nzh: Chinese\nen: English",
      "AllowedValues": [
        "en",
        "zh"
      ]
    },
    "DestinationType": {
      "Type": "String",
      "Description": "The type of the destination address in the access control policy. Valid values:\nnet: CIDR block\ngroup: address book\ndomain: domain name",
      "AllowedValues": [
        "domain",
        "group",
        "net"
      ]
    },
    "VpcFirewallId": {
      "Type": "String",
      "Description": "The ID of the policy group to which you want to add the access control policy.\nIf the VPC firewall is used to protect CEN, set the value to the ID of the CEN instance\nthat the VPC firewall protects. Example: cen-ervw5jbw1234*****.\nIf the VPC firewall is used to protect Express Connect, set the value to the ID of\nthe VPC firewall instance. Example: vfw-a42bbb748c91234*****.\nNote You can call the DescribeVpcFirewallAclGroupList operation to query the ID of the policy group."
    },
    "Source": {
      "Type": "String",
      "Description": "The source address in the access control policy.\nIf the SourceType parameter is set to net, set the value to a CIDR block. Example: 10.2.3.0/24.\nIf the SourceType parameter is set to group, set the value to the name of an address book. Example: db_group."
    },
    "DestPortType": {
      "Type": "String",
      "Description": "The type of the destination port in the access control policy. Valid values:\nport: port\ngroup: address book",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Proto": {
      "Type": "String",
      "Description": "The type of the security protocol in the access control policy.",
      "AllowedValues": [
        "ANY",
        "TCP",
        "UDP",
        "ICMP"
      ]
    },
    "RegionId": {
      "Type": "String",
      "Description": "Region ID. Default to cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ],
      "Default": "cn-hangzhou"
    },
    "NewOrder": {
      "Type": "String",
      "Description": "The priority of the access control policy.\nThe priority value starts from 1. A smaller priority value indicates a higher priority.\nNote The value of -1 indicates the lowest priority."
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "The address book of destination ports in the access control policy.\nNote This parameter must be specified if the DestPortType parameter is set to group."
    }
  },
  "Resources": {
    "VpcFirewallControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::VpcFirewallControlPolicy",
      "Properties": {
        "Destination": {
          "Ref": "Destination"
        },
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "Description": {
          "Ref": "Description"
        },
        "SourceType": {
          "Ref": "SourceType"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Lang": {
          "Ref": "Lang"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "VpcFirewallId": {
          "Ref": "VpcFirewallId"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        }
      }
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "The unique ID of the access control policy.",
      "Value": {
        "Fn::GetAtt": [
          "VpcFirewallControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}