
Resource Orchestration Service:ALIYUN::CLOUDFW::VpcFirewallControlPolicy

Last Updated:Oct 28, 2024

ALIYUN::CLOUDFW::VpcFirewallControlPolicy is used to add an access control policy to a policy group of a virtual private cloud (VPC) firewall.

Syntax

{
  "Type": "ALIYUN::CLOUDFW::VpcFirewallControlPolicy",
  "Properties": {
    "Destination": String,
    "ApplicationName": String,
    "Description": String,
    "SourceType": String,
    "DestPort": String,
    "AclAction": String,
    "Lang": String,
    "DestinationType": String,
    "VpcFirewallId": String,
    "Source": String,
    "DestPortType": String,
    "Proto": String,
    "RegionId": String,
    "NewOrder": String,
    "DestPortGroup": String,
    "Release": Boolean,
    "RepeatType": String,
    "StartTime": Integer,
    "RepeatEndTime": String,
    "RepeatDays": List,
    "EndTime": Integer,
    "RepeatStartTime": String,
    "ApplicationNameList": List,
    "MemberUid": String
  }
}

Properties

Each property is listed with its type, whether it is required, and whether it is editable (Editable: No means the value cannot be changed after the policy is created), followed by its description and constraints.

AclAction

Type: String. Required: Yes. Editable: Yes.

The action that Cloud Firewall performs on traffic that matches the policy. Valid values:

  • accept: allows the traffic.
  • drop: denies the traffic.
  • log: monitors the traffic.

ApplicationName

Type: String. Required: No. Editable: Yes.

The application type that the access control policy applies to. Valid values: FTP, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL, and ANY (all application types).

Description

Type: String. Required: Yes. Editable: Yes.

The description of the access control policy. No constraints.

Destination

Type: String. Required: Yes. Editable: Yes.

The destination address in the access control policy. The format depends on DestinationType:

  • net: a destination CIDR block. Example: 10.2.3.0/24.
  • group: the name of a destination address book. Example: db_group.
  • domain: a destination domain name. Example: *.aliyuncs.com.

DestinationType

Type: String. Required: Yes. Editable: Yes.

The type of the destination address in the access control policy. Valid values:

  • net: destination CIDR block
  • group: destination address book
  • domain: destination domain name

NewOrder

Type: String. Required: Yes. Editable: No.

The priority of the access control policy. Priorities start at 1, and a smaller value means a higher priority: 1 is the highest priority. Because policies are matched in priority order, the relative order of an accept policy and a drop policy that overlap decides which one takes effect.

Note

A value of -1 places the policy at the lowest priority.

Proto

Type: String. Required: Yes. Editable: No.

The protocol type in the access control policy. Valid values:

  • ANY: matches all protocols. Use this only if you cannot determine the protocol; a specific protocol narrows what an accept policy exposes.
  • TCP
  • UDP
  • ICMP

Source

Type: String. Required: Yes. Editable: Yes.

The source address in the access control policy. The format depends on SourceType:

  • net: a source CIDR block. Example: 10.2.3.0/24.
  • group: the name of a source address book. Example: db_group.

SourceType

Type: String. Required: Yes. Editable: Yes.

The type of the source address in the access control policy. Valid values:

  • net: source CIDR block
  • group: source address book

VpcFirewallId

Type: String. Required: Yes. Editable: No.

The ID of the policy group to which the access control policy is added. The value depends on what the VPC firewall protects:

  • Cloud Enterprise Network (CEN): the ID of the CEN instance. Example: cen-ervw5jbw1234*****.
  • Express Connect: the ID of the VPC firewall. Example: vfw-a42bbb748c91234*****.

You can call the DescribeVpcFirewallAclGroupList operation to query the policy group ID of the VPC firewall.

DestPort

Type: String. Required: No. Editable: Yes.

The destination port in the access control policy. Required when DestPortType is set to port.

DestPortGroup

Type: String. Required: No. Editable: Yes.

The name of the destination port address book in the access control policy. Required when DestPortType is set to group.

DestPortType

Type: String. Required: No. Editable: Yes.

The type of the destination port in the access control policy. Valid values:

  • port: a port, specified in DestPort
  • group: a port address book, specified in DestPortGroup

Lang

Type: String. Required: No. Editable: Yes.

The language of the content within the request and response. Valid values:

  • zh: Chinese
  • en: English

RegionId

Type: String. Required: No. Editable: No.

The region ID. Valid values:

  • cn-hangzhou (default): the China (Hangzhou) region
  • ap-southeast-1: the Singapore region

Release

Type: Boolean. Required: No. Editable: No.

Specifies whether the access control policy is enabled. Valid values: true and false. By default, a policy is enabled as soon as it is created. Because this property is not editable, decide at creation time whether the policy should take effect immediately.

RepeatType

Type: String. Required: No. Editable: No.

The recurrence type of the access control policy. Valid values:

  • Permanent (default): The policy always takes effect.
  • None: The policy takes effect once, during the validity period from StartTime to EndTime.
  • Daily: The policy takes effect every day between RepeatStartTime and RepeatEndTime, during the validity period from StartTime to EndTime.
  • Weekly: Same as Daily, but only on the days of the week listed in RepeatDays.
  • Monthly: Same as Daily, but only on the days of the month listed in RepeatDays.

The RepeatType value determines which of the time properties below must be set and which must be left empty.

StartTime

Type: Integer. Required: No. Editable: No.

The point in time when the validity period of the access control policy starts, as a timestamp in seconds. The value must be on the hour or on the half hour, and at least 30 minutes earlier than EndTime.

Note

If RepeatType is Permanent, leave StartTime empty. If RepeatType is None, Daily, Weekly, or Monthly, StartTime is required.

RepeatEndTime

Type: String. Required: No. Editable: No.

The point in time when the daily recurrence of the access control policy ends, in HH:MM format. Example: 23:30. The value must be on the hour or on the half hour, and at least 30 minutes later than RepeatStartTime.

Note

If RepeatType is Permanent or None, leave RepeatEndTime empty. If RepeatType is Daily, Weekly, or Monthly, RepeatEndTime is required.

RepeatDays

Type: List. Required: No. Editable: Yes.

The days of a week or of a month on which the access control policy takes effect.

  • If RepeatType is Permanent, None, or Daily, RepeatDays is an empty list. Example: [].
  • If RepeatType is Weekly, RepeatDays is required and lists days of the week. Example: [0, 6].
  • If RepeatType is Monthly, RepeatDays is required and lists days of the month. Example: [1, 31].

Note

The list must not contain duplicate values when RepeatType is Weekly or Monthly.

EndTime

Type: Integer. Required: No. Editable: No.

The point in time when the validity period of the access control policy ends, as a timestamp in seconds. The value must be on the hour or on the half hour, and at least 30 minutes later than StartTime.

Note

If RepeatType is Permanent, leave EndTime empty. If RepeatType is None, Daily, Weekly, or Monthly, EndTime is required.

RepeatStartTime

Type: String. Required: No. Editable: No.

The point in time when the daily recurrence of the access control policy starts, in HH:MM format. Example: 08:00. The value must be on the hour or on the half hour, and at least 30 minutes earlier than RepeatEndTime.

Note

If RepeatType is Permanent or None, leave RepeatStartTime empty. If RepeatType is Daily, Weekly, or Monthly, RepeatStartTime is required.

ApplicationNameList

Type: List. Required: No. Editable: No.

A list of application names. No constraints.

MemberUid

Type: String. Required: No. Editable: No.

The UID of the member in Cloud Firewall. No constraints.
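The property table above carries a set of cross-field rules (which address format each *Type allows, which port field DestPortType requires, and which time fields each RepeatType requires or forbids) that ROS only enforces when the stack is created. The following linter, added here as an example and not code from the ROS documentation or any Alibaba Cloud SDK, checks a property dict against those stated rules offline and additionally flags an accept policy that matches every source, protocol and application. The sample policy is constructed; the 0..6 and 1..31 ranges for RepeatDays are inferred from the page's examples, and the domain-name check is a basic syntactic assumption.

```python
"""Offline linter for ALIYUN::CLOUDFW::VpcFirewallControlPolicy properties. Added example, not code
from the ROS documentation or any Alibaba Cloud SDK; encodes the table's stated constraints plus one
over-broad-allow warning. The sample policy at the bottom is constructed input."""
import ipaddress
import re

ACTIONS, PROTOS = {"accept", "drop", "log"}, {"ANY", "TCP", "UDP", "ICMP"}
REPEAT_TYPES = ("Permanent", "None", "Daily", "Weekly", "Monthly")
HALF_HOUR = 30 * 60
CLOCK_RE = re.compile(r"([01]\d|2[0-3]):(00|30)")  # HH:MM on the hour or half hour
_clock = lambda t: int(t[:2]) * 3600 + int(t[3:]) * 60  # HH:MM -> seconds since midnight


def _check_address(kind, p, allowed, errors):
    # Source/Destination must agree with SourceType/DestinationType.
    atype, addr = p.get(kind + "Type"), p.get(kind)
    if atype not in allowed:
        errors.append(f"{kind}Type must be one of {sorted(allowed)}")
    elif not addr:
        errors.append(f"{kind} is required")
    elif atype == "net":
        try:
            ipaddress.ip_network(addr, strict=True)  # e.g. 10.2.3.0/24; host bits must be zero
        except ValueError:
            errors.append(f"{kind} must be a CIDR block when {kind}Type=net")
    elif atype == "domain" and not re.fullmatch(r"(\*\.)?[\w-]+(\.[\w-]+)+", addr):
        errors.append(f"{kind} must be a domain name when {kind}Type=domain")  # grammar assumed


def _check_schedule(p, errors):
    # Which time fields each RepeatType requires or forbids, plus the :00/:30 and 30-minute rules.
    rt = p.get("RepeatType", "Permanent")
    start, end, rstart, rend = (p.get(k) for k in ("StartTime", "EndTime", "RepeatStartTime", "RepeatEndTime"))
    days = p.get("RepeatDays") or []
    if rt not in REPEAT_TYPES:
        errors.append(f"RepeatType {rt!r} is not valid")
        return
    if rt == "Permanent":
        if any(v is not None for v in (start, end, rstart, rend)) or days:
            errors.append("Permanent policies must leave StartTime/EndTime/Repeat* fields empty")
        return
    if start is None or end is None:  # None/Daily/Weekly/Monthly all need an absolute window
        errors.append(f"StartTime and EndTime (epoch seconds) are required for RepeatType={rt}")
    elif start % HALF_HOUR or end % HALF_HOUR or end - start < HALF_HOUR:
        errors.append("StartTime/EndTime must be on the hour or half hour and at least 30 minutes apart")
    if rt == "None":
        if rstart or rend or days:
            errors.append("RepeatType=None must leave RepeatStartTime/RepeatEndTime/RepeatDays empty")
        return
    if (not (rstart and rend and CLOCK_RE.fullmatch(rstart) and CLOCK_RE.fullmatch(rend))
            or _clock(rend) - _clock(rstart) < HALF_HOUR):
        errors.append("RepeatStartTime/RepeatEndTime must be HH:MM on the hour or half hour, 30+ min apart")
    if rt == "Daily":
        if days:
            errors.append("RepeatType=Daily must leave RepeatDays empty")
        return
    lo, hi = (0, 6) if rt == "Weekly" else (1, 31)  # ranges inferred from the page's examples
    if not days:
        errors.append(f"RepeatDays is required for RepeatType={rt}")
    elif len(set(days)) != len(days):
        errors.append("RepeatDays must not contain duplicate values")
    elif any(not isinstance(d, int) or not lo <= d <= hi for d in days):
        errors.append(f"RepeatDays values must be integers in {lo}..{hi} for RepeatType={rt}")


def lint_policy(p):
    """Return (errors, warnings): errors would be rejected on deploy, warnings need a reviewer."""
    errors, warnings = [], []
    if not p.get("Description") or not p.get("VpcFirewallId"):
        errors.append("Description and VpcFirewallId are required")
    for key, allowed in (("AclAction", ACTIONS), ("Proto", PROTOS)):
        if p.get(key) not in allowed:
            errors.append(f"{key} must be one of {sorted(allowed)}")
    order = str(p.get("NewOrder", ""))
    if not (order == "-1" or (order.isdigit() and int(order) >= 1)):
        errors.append("NewOrder must be a positive integer (1 = highest priority) or -1 (lowest)")
    _check_address("Source", p, {"net", "group"}, errors)
    _check_address("Destination", p, {"net", "group", "domain"}, errors)
    ptype = p.get("DestPortType")
    if ptype == "port" and not p.get("DestPort"):
        errors.append("DestPort is required when DestPortType=port")
    elif ptype == "group" and not p.get("DestPortGroup"):
        errors.append("DestPortGroup is required when DestPortType=group")
    _check_schedule(p, errors)
    # Least-privilege review: an accept policy with any source, protocol and application and no
    # port restriction lets all traffic through the VPC firewall, whatever its priority.
    if (p.get("AclAction") == "accept" and p.get("Source") in ("0.0.0.0/0", "::/0") and ptype is None
            and p.get("Proto") == "ANY" and p.get("ApplicationName", "ANY") == "ANY"):
        warnings.append("accept policy matches all sources, protocols and applications; restrict it")
    return errors, warnings


# Constructed sample: MySQL from one subnet to the db_group address book, on days 1 and 3 of each
# week 08:00-10:00, valid 2025-01-01 to 2026-01-01 00:00 UTC (epoch seconds, on the half hour).
MAINTENANCE_RULE = {
    "VpcFirewallId": "cen-ervw5jbw1234*****", "Description": "DBA access to db_group",
    "AclAction": "accept", "Proto": "TCP", "ApplicationName": "MySQL", "NewOrder": "1",
    "SourceType": "net", "Source": "10.2.3.0/24", "DestinationType": "group", "Destination": "db_group",
    "DestPortType": "port", "DestPort": "3306", "RepeatType": "Weekly",
    "StartTime": 1735689600, "EndTime": 1767225600,
    "RepeatStartTime": "08:00", "RepeatEndTime": "10:00", "RepeatDays": [1, 3],
}
```

Run `lint_policy` over every VpcFirewallControlPolicy property block in a template before `ros-cli` or the console sees it; an empty error list means the block satisfies the rules the table states, and a non-empty warning list means a reviewer should look at the scope of an accept rule before it is created.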

Return values

Fn::GetAtt

AclUuid: the unique ID of the access control policy.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AclAction:
    AllowedValues:
    - accept
    - drop
    - log
    Description: 'The action that Cloud Firewall performs on the traffic. Valid values:

      accept: allows the traffic.

      drop: denies the traffic.

      log: monitors the traffic.'
    Type: String
  ApplicationName:
    AllowedValues:
    - ANY
    - FTP
    - HTTP
    - HTTPS
    - MySQL
    - SMTP
    - SMTPS
    - RDP
    - VNC
    - SSH
    - Redis
    - MQTT
    - MongoDB
    - Memcache
    - SSL
    Description: "The application type that the access control policy supports.\n\
      Valid values: \nANY (indicates that all application types are supported) \n\
      FTP \nHTTP \nHTTPS \nMySQL \nSMTP \nSMTPS \nRDP \nVNC \nSSH \nRedis \nMQTT \n\
      MongoDB \nMemcache \nSSL"
    Type: String
  Description:
    Description: The description of the access control policy.
    Type: String
  DestPort:
    Description: 'The destination port in the access control policy.

      Note This parameter must be specified if the DestPortType parameter is set to
      port.'
    Type: String
  DestPortGroup:
    Description: 'The address book of destination ports in the access control policy.

      Note This parameter must be specified if the DestPortType parameter is set to
      group.'
    Type: String
  DestPortType:
    AllowedValues:
    - group
    - port
    Description: 'The type of the destination port in the access control policy. Valid
      values:

      port: port

      group: address book'
    Type: String
  Destination:
    Description: 'The destination address in the access control policy.

      Set this parameter in the following way:

      If the DestinationType parameter is set to net, set the value to a Classless
      Inter-Domain Routing (CIDR) block.

      Example: 10.2.3.0/24.

      If the DestinationType parameter is set to group, set the value to the name
      of an address book.

      Example: db_group.

      If the DestinationType parameter is set to domain, set the value to a domain
      name.

      Example: *.aliyuncs.com.'
    Type: String
  DestinationType:
    AllowedValues:
    - domain
    - group
    - net
    Description: 'The type of the destination address in the access control policy.
      Valid values:

      net: CIDR block

      group: address book

      domain: domain name'
    Type: String
  Lang:
    AllowedValues:
    - en
    - zh
    Description: 'The natural language of the request and response. Valid values:

      zh: Chinese

      en: English'
    Type: String
  NewOrder:
    Description: 'The priority of the access control policy.

      The priority value starts from 1. A smaller priority value indicates a higher
      priority.

      Note The value of -1 indicates the lowest priority.'
    Type: String
  Proto:
    AllowedValues:
    - ANY
    - TCP
    - UDP
    - ICMP
    Description: The protocol type in the access control policy.
    Type: String
  RegionId:
    AllowedValues:
    - cn-hangzhou
    - ap-southeast-1
    Default: cn-hangzhou
    Description: The region ID. Default value: cn-hangzhou.
    Type: String
  Source:
    Description: 'The source address in the access control policy.

      If the SourceType parameter is set to net, set the value to a CIDR block. Example:
      10.2.3.0/24.

      If the SourceType parameter is set to group, set the value to the name of an
      address book. Example: db_group.'
    Type: String
  SourceType:
    AllowedValues:
    - group
    - net
    Description: 'The type of the source address in the access control policy. Valid
      values:

      net: CIDR block

      group: address book'
    Type: String
  VpcFirewallId:
    Description: 'The ID of the policy group to which you want to add the access control
      policy.

      If the VPC firewall is used to protect CEN, set the value to the ID of the CEN
      instance

      that the VPC firewall protects. Example: cen-ervw5jbw1234*****.

      If the VPC firewall is used to protect Express Connect, set the value to the
      ID of

      the VPC firewall instance. Example: vfw-a42bbb748c91234*****.

      Note You can call the DescribeVpcFirewallAclGroupList operation to query the
      ID of the policy group.'
    Type: String
Resources:
  VpcFirewallControlPolicy:
    Properties:
      AclAction:
        Ref: AclAction
      ApplicationName:
        Ref: ApplicationName
      Description:
        Ref: Description
      DestPort:
        Ref: DestPort
      DestPortGroup:
        Ref: DestPortGroup
      DestPortType:
        Ref: DestPortType
      Destination:
        Ref: Destination
      DestinationType:
        Ref: DestinationType
      Lang:
        Ref: Lang
      NewOrder:
        Ref: NewOrder
      Proto:
        Ref: Proto
      RegionId:
        Ref: RegionId
      Source:
        Ref: Source
      SourceType:
        Ref: SourceType
      VpcFirewallId:
        Ref: VpcFirewallId
    Type: ALIYUN::CLOUDFW::VpcFirewallControlPolicy
Outputs:
  AclUuid:
    Description: The unique ID of the access control policy.
    Value:
      Fn::GetAtt:
      - VpcFirewallControlPolicy
      - AclUuid

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Destination": {
      "Type": "String",
      "Description": "The destination address in the access control policy.\nSet this parameter in the following way:\nIf the DestinationType parameter is set to net, set the value to a Classless Inter-Domain Routing (CIDR) block.\nExample: 10.2.3.0/24.\nIf the DestinationType parameter is set to group, set the value to the name of an address book.\nExample: db_group.\nIf the DestinationType parameter is set to domain, set the value to a domain name.\nExample: *.aliyuncs.com."
    },
    "ApplicationName": {
      "Type": "String",
      "Description": "The application type that the access control policy supports.\nValid values: \nANY (indicates that all application types are supported) \nFTP \nHTTP \nHTTPS \nMySQL \nSMTP \nSMTPS \nRDP \nVNC \nSSH \nRedis \nMQTT \nMongoDB \nMemcache \nSSL",
      "AllowedValues": [
        "ANY",
        "FTP",
        "HTTP",
        "HTTPS",
        "MySQL",
        "SMTP",
        "SMTPS",
        "RDP",
        "VNC",
        "SSH",
        "Redis",
        "MQTT",
        "MongoDB",
        "Memcache",
        "SSL"
      ]
    },
    "Description": {
      "Type": "String",
      "Description": "The description of the access control policy."
    },
    "SourceType": {
      "Type": "String",
      "Description": "The type of the source address in the access control policy. Valid values:\nnet: CIDR block\ngroup: address book",
      "AllowedValues": [
        "group",
        "net"
      ]
    },
    "DestPort": {
      "Type": "String",
      "Description": "The destination port in the access control policy.\nNote This parameter must be specified if the DestPortType parameter is set to port."
    },
    "AclAction": {
      "Type": "String",
      "Description": "The action that Cloud Firewall performs on the traffic. Valid values:\naccept: allows the traffic.\ndrop: denies the traffic.\nlog: monitors the traffic.",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Lang": {
      "Type": "String",
      "Description": "The natural language of the request and response. Valid values:\nzh: Chinese\nen: English",
      "AllowedValues": [
        "en",
        "zh"
      ]
    },
    "DestinationType": {
      "Type": "String",
      "Description": "The type of the destination address in the access control policy. Valid values:\nnet: CIDR block\ngroup: address book\ndomain: domain name",
      "AllowedValues": [
        "domain",
        "group",
        "net"
      ]
    },
    "VpcFirewallId": {
      "Type": "String",
      "Description": "The ID of the policy group to which you want to add the access control policy.\nIf the VPC firewall is used to protect CEN, set the value to the ID of the CEN instance\nthat the VPC firewall protects. Example: cen-ervw5jbw1234*****.\nIf the VPC firewall is used to protect Express Connect, set the value to the ID of\nthe VPC firewall instance. Example: vfw-a42bbb748c91234*****.\nNote You can call the DescribeVpcFirewallAclGroupList operation to query the ID of the policy group."
    },
    "Source": {
      "Type": "String",
      "Description": "The source address in the access control policy.\nIf the SourceType parameter is set to net, set the value to a CIDR block. Example: 10.2.3.0/24.\nIf the SourceType parameter is set to group, set the value to the name of an address book. Example: db_group."
    },
    "DestPortType": {
      "Type": "String",
      "Description": "The type of the destination port in the access control policy. Valid values:\nport: port\ngroup: address book",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Proto": {
      "Type": "String",
      "Description": "The protocol type in the access control policy.",
      "AllowedValues": [
        "ANY",
        "TCP",
        "UDP",
        "ICMP"
      ]
    },
    "RegionId": {
      "Type": "String",
      "Description": "The region ID. Default value: cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ],
      "Default": "cn-hangzhou"
    },
    "NewOrder": {
      "Type": "String",
      "Description": "The priority of the access control policy.\nThe priority value starts from 1. A smaller priority value indicates a higher priority.\nNote The value of -1 indicates the lowest priority."
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "The address book of destination ports in the access control policy.\nNote This parameter must be specified if the DestPortType parameter is set to group."
    }
  },
  "Resources": {
    "VpcFirewallControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::VpcFirewallControlPolicy",
      "Properties": {
        "Destination": {
          "Ref": "Destination"
        },
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "Description": {
          "Ref": "Description"
        },
        "SourceType": {
          "Ref": "SourceType"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Lang": {
          "Ref": "Lang"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "VpcFirewallId": {
          "Ref": "VpcFirewallId"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        }
      }
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "The unique ID of the access control policy.",
      "Value": {
        "Fn::GetAtt": [
          "VpcFirewallControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}
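The two templates above expose every property as a parameter. The following template, added here as an example and not taken from the original page, shows the shape a practitioner usually wants instead: one narrow accept policy at the highest priority and a catch-all drop at the lowest, so anything not explicitly allowed is denied. The CEN instance ID is a parameter, the db_group address book is assumed to exist already, the StartTime and EndTime values are 2025-01-01 and 2026-01-01 00:00 UTC as epoch seconds, and the RepeatDays values follow the page's [0, 6] example without assuming which calendar day each number denotes.

```yaml
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  VpcFirewallId:
    Type: String
    Description: ID of the CEN instance the VPC firewall protects (policy group ID).
Resources:
  # Priority 1: hosts in 10.2.3.0/24 may reach MySQL on port 3306 in the db_group
  # address book, only on the listed days between 08:00 and 10:00, during 2025.
  AllowDbaMysql:
    Type: ALIYUN::CLOUDFW::VpcFirewallControlPolicy
    Properties:
      VpcFirewallId:
        Ref: VpcFirewallId
      Description: DBA maintenance access to db_group
      AclAction: accept
      NewOrder: '1'
      Proto: TCP
      ApplicationName: MySQL
      SourceType: net
      Source: 10.2.3.0/24
      DestinationType: group
      Destination: db_group
      DestPortType: port
      DestPort: '3306'
      RepeatType: Weekly
      StartTime: 1735689600
      EndTime: 1767225600
      RepeatStartTime: '08:00'
      RepeatEndTime: '10:00'
      RepeatDays:
        - 1
        - 3
  # Lowest priority (-1): everything the policies above do not explicitly accept is dropped.
  # DependsOn creates the accept policy first, so stack creation never passes through a
  # state in which only the drop policy exists.
  DropEverythingElse:
    Type: ALIYUN::CLOUDFW::VpcFirewallControlPolicy
    DependsOn: AllowDbaMysql
    Properties:
      VpcFirewallId:
        Ref: VpcFirewallId
      Description: Default deny for traffic not explicitly allowed
      AclAction: drop
      NewOrder: '-1'
      Proto: ANY
      ApplicationName: ANY
      SourceType: net
      Source: 0.0.0.0/0
      DestinationType: net
      Destination: 0.0.0.0/0
Outputs:
  AllowPolicyUuid:
    Value:
      Fn::GetAtt:
        - AllowDbaMysql
        - AclUuid
  DropPolicyUuid:
    Value:
      Fn::GetAtt:
        - DropEverythingElse
        - AclUuid
```

Because NewOrder, Proto and VpcFirewallId are not editable, changing any of them on a stack update replaces the policy rather than modifying it in place; keep that in mind when you reorder rules, since a replaced accept policy is briefly absent while the catch-all drop remains.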