The ALIYUN::ECS::SecurityGroup resource is used to create a security group.
Syntax
{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}
Properties
Property name | Type | Required | Allow updates | Description | Constraints |
ResourceGroupId | String | No | Yes | The ID of the resource group to which the security group belongs. | None |
VpcId | String | No | No | The ID of the virtual private cloud (VPC). | None |
Description | String | No | No | The description of the security group. | The length is 2 to 256 characters. |
Tags | List | No | Yes | The tags of the security group. | Supports a maximum of 20 tags. For more information, see Tags properties. |
SecurityGroupName | String | No | No | The name of the security group. | If not specified, the value is empty. |
SecurityGroupEgress | List | No | Yes | The outbound access rules of the security group. | For more information, see SecurityGroupEgress properties. |
SecurityGroupIngress | List | No | Yes | The inbound access rules of the security group. | For more information, see SecurityGroupIngress properties. |
SecurityGroupType | String | No | No | The type of the security group. | Valid values: normal (basic security group) and enterprise (advanced security group), as used in Scenario 1 and Scenario 2 below. |
Tags syntax
"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]
Tags properties
Property name | Type | Required | Allow Updates | Description | Constraints |
Key | String | Yes | No | The tag key. | The length is 1 to 128 characters. Cannot start with |
Value | String | No | No | The tag value. | The length is 0 to 128 characters. Cannot start with |
SecurityGroupEgress syntax
"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String,
    "DestPrefixListId": String,
    "SourcePortRange": String,
    "Ipv6SourceCidrIp": String,
    "SourceCidrIp": String,
    "DestGroupOwnerAccount": String
  }
]
SecurityGroupEgress properties
Property name | Type | Required | Updatable | Description | Constraints |
Description | String | No | Yes | The description of the security group rule. | The length is 1 to 512 characters. |
DestGroupOwnerId | String | No | No | The Alibaba Cloud account ID of the destination security group when you configure a security group rule across accounts. | If you do not set DestGroupOwnerId, the system assumes you configure access permissions for other security groups. If you set the DestCidrIp parameter, the DestGroupOwnerId parameter is invalid. |
IpProtocol | String | Yes | No | The IP protocol. | Valid values: |
PortRange | String | Yes | No | The port range related to the IP protocol. | The port range related to the transport-layer protocol that the destination security group opens. Valid values: |
NicType | String | No | No | The network type. | Valid values: For VPC security group rules, you do not need to set the network interface controller (NIC) type. The default value is intranet, and it can only be intranet. When you configure mutual access between security groups, which means you only specify the DestGroupId parameter, the value can only be intranet. Default value: internet. |
DestPrefixListId | String | No | No | The ID of the destination prefix list for which you want to configure outbound access permissions. | Call the DescribePrefixLists interface of Alibaba Cloud service ECS to query available prefix list IDs. Prefix lists are not supported when the security group network type is classic network. If you specify any of the DestCidrIp, Ipv6DestCidrIp, or DestGroupId parameters, the system ignores this parameter. |
Priority | Integer | No | No | The authorization policy priority. | Valid values: 1 to 100. Default value: 1. |
DestGroupId | String | No | No | The ID of the destination security group in the same region. | Specify either the DestGroupId or DestCidrIp parameter. |
DestCidrIp | String | No | No | The destination IP address range. | Specify the IP address range in CIDR format. Default value: 0.0.0.0/0 (unrestricted). Other supported formats, such as 10.159.XX.XX/12. A maximum of 10 IP addresses or CIDR blocks, separated by commas (,). Note Only IPv4 is supported. |
Policy | String | No | No | The authorization policy. | Valid values: |
Ipv6DestCidrIp | String | No | No | The destination IPv6 CIDR block. | Supports IP address ranges in CIDR and IPv6 formats. Only supports IP addresses of the VPC type. |
SourcePortRange | String | No | No | The source port range related to the transport-layer protocol that the security group opens. | Valid values: For quintuple rules, see Security group quintuple rules. |
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | Supports IP address ranges in CIDR and IPv6 formats. For quintuple rules, see Security group quintuple rules. Note This parameter is valid only for IPv6-enabled VPC ECS instances. Do not set this parameter and the |
SourceCidrIp | String | No | No | The source IPv4 CIDR block. | Supports IP address ranges in CIDR and IPv4 formats. For quintuple rules, see Security group quintuple rules. |
DestGroupOwnerAccount | String | No | No | The Alibaba Cloud account to which the destination security group belongs. | None |
SecurityGroupIngress syntax
"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String,
    "Ipv6DestCidrIp": String,
    "SourceGroupOwnerAccount": String,
    "DestCidrIp": String
  }
]
SecurityGroupIngress properties
Property name | Type | Required | Updatable | Description | Constraints |
SourceGroupOwnerId | String | No | No | The Alibaba Cloud account ID of the source security group. | None |
Description | String | No | Yes | The description of the security group rule. | The length is 1 to 512 characters. |
SourcePrefixListId | String | No | No | The ID of the source prefix list for which you want to configure inbound access permissions. | Call the DescribePrefixLists interface of Alibaba Cloud service ECS to query available prefix list IDs. Prefix lists are not supported when the security group network type is classic network. If you specify any of the SourceCidrIp, Ipv6DestCidrIp, or DestGroupId parameters, the system ignores this parameter. |
IpProtocol | String | Yes | No | The IP protocol. | Valid values: |
PortRange | String | Yes | No | The port range related to the IP protocol. | The port range related to the transport-layer protocol that the destination security group opens. Valid values: |
SourceGroupId | String | No | No | The ID of the source security group in the same region. | Specify either the SourceGroupId or SourceCidrIp parameter. If you specify both, the system authorizes SourceCidrIp by default. If you specify this parameter and do not specify SourceCidrIp, NicType can only be intranet. |
NicType | String | No | No | The network type. | Valid values: |
Priority | Integer | No | No | The authorization policy priority. | Valid values: 1 to 100. Default value: 1. |
SourceCidrIp | String | No | No | The source IP address range. | Specify the IP address range in CIDR format. Default value: 0.0.0.0/0 (unrestricted). Other supported formats, such as 10.159.XX.XX/12. A maximum of 10 IP addresses or CIDR blocks, separated by commas (,). Note Only IPv4 is supported. |
Policy | String | No | No | The authorization policy. | Valid values: |
SourcePortRange | String | No | No | The range of ports that are open in the source security group for the transport-layer protocol. | Valid values: |
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | Only supports IP addresses of the VPC type. Supports IP address ranges in CIDR and IPv6 formats. |
Ipv6DestCidrIp | String | No | No | The destination IPv6 CIDR block. | Supports IP address ranges in CIDR and IPv6 formats. Note This parameter is valid only for IPv6-enabled VPC ECS instances. Do not set this parameter and the |
SourceGroupOwnerAccount | String | No | No | The Alibaba Cloud account to which the source security group belongs. | None |
DestCidrIp | String | No | No | The destination IPv4 CIDR block. | Supports IP address ranges in CIDR and IPv4 formats. For quintuple rules, see Security group quintuple rules. |
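The following template check is an added example written for this page, not part of the ROS documentation or any Alibaba Cloud tool. It parses a ROS template in JSON and applies the constraints from the tables above to every SecurityGroupIngress rule: the PortRange format, Priority 1 to 100, at most 10 CIDR blocks per rule, the 0.0.0.0/0 default when no source is given, and whether an accept rule opens a management port to any address. The set of management ports, the default Policy of accept and the finding wording are assumptions.

```python
import ipaddress
import json

# Constraints taken from the property tables on this page.
PRIORITY_RANGE = (1, 100)
MAX_CIDRS_PER_RULE = 10
# Ports this check treats as management ports: an assumption, not from the page.
SENSITIVE_PORTS = {22, 3389}


def parse_port_range(value):
    """Parse a PortRange string such as "22/22" into (low, high); "-1/-1" means all ports."""
    low, high = (int(part) for part in value.split("/"))
    if (low, high) == (-1, -1):
        return 0, 65535
    if not 0 <= low <= high <= 65535:
        raise ValueError(f"invalid PortRange {value!r}")
    return low, high


def review_ingress_rules(template_json):
    """Return findings for the SecurityGroupIngress rules of every ALIYUN::ECS::SecurityGroup."""
    findings = []
    for name, res in json.loads(template_json).get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::ECS::SecurityGroup":
            continue
        for i, rule in enumerate(res.get("Properties", {}).get("SecurityGroupIngress", [])):
            where = f"{name}.SecurityGroupIngress[{i}]"
            low, high = parse_port_range(rule["PortRange"])
            prio = rule.get("Priority", 1)
            if not PRIORITY_RANGE[0] <= prio <= PRIORITY_RANGE[1]:
                findings.append(f"{where}: Priority {prio} outside 1-100")
            if "SourceCidrIp" not in rule and "SourceGroupId" not in rule:
                findings.append(f"{where}: no SourceCidrIp or SourceGroupId, default is 0.0.0.0/0")
            if rule.get("Policy", "accept") != "accept":
                continue  # a drop rule does not expose anything
            cidrs = [c.strip() for c in rule.get("SourceCidrIp", "0.0.0.0/0").split(",")]
            if len(cidrs) > MAX_CIDRS_PER_RULE:
                findings.append(f"{where}: more than {MAX_CIDRS_PER_RULE} CIDR blocks in one rule")
            exposed = sorted(p for p in SENSITIVE_PORTS if low <= p <= high)
            for cidr in cidrs:
                # strict=False tolerates host bits, as in the page's 10.159.XX.XX/12 form
                if exposed and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append(f"{where}: {rule['IpProtocol']} ports {exposed} open to {cidr}")
    return findings


# Constructed sample: the page's Scenario 1 ingress rules plus one rule limited to the VPC CIDR.
SAMPLE_TEMPLATE = json.dumps({"Resources": {"SecurityGroup": {
    "Type": "ALIYUN::ECS::SecurityGroup",
    "Properties": {"SecurityGroupIngress": [
        {"PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"},
        {"PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"},
        {"PortRange": "22/22", "SourceCidrIp": "192.168.0.0/16", "IpProtocol": "tcp"},
    ]}}}})

print(*review_ingress_rules(SAMPLE_TEMPLATE), sep="\n")
```

Only the first sample rule is reported: port 80 is not in the management-port set, and the third rule limits port 22 to the VPC range.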
Return values
Fn::GetAtt
SecurityGroupId: The security group ID.
SecurityGroupName: The security group name.
Examples
Scenario 1: Create a basic security group in an existing VPC.
YAML
ROSTemplateFormatVersion: '2015-09-01'
Resources:
  SecurityGroup:
    Type: ALIYUN::ECS::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - PortRange: 22/22
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: tcp
        - PortRange: 80/80
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: tcp
      SecurityGroupType: normal
      VpcId:
        Ref: VpcId
      SecurityGroupEgress:
        - PortRange: 443/443
          DestCidrIp: 0.0.0.0/0
          IpProtocol: tcp
      SecurityGroupName: TestSecurityGroupName
Parameters:
  VpcId:
    AssociationProperty: ALIYUN::ECS::VPC::VPCId
    Type: String
    Label:
      zh-cn: Existing VPC instance ID
      en: Existing VPC Instance ID
Outputs:
  SecurityGroupId:
    Description: generated security group id for security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupId
  SecurityGroupName:
    Description: The name of security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupName
JSON
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "PortRange": "22/22",
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          },
          {
            "PortRange": "80/80",
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupType": "normal",
        "VpcId": {
          "Ref": "VpcId"
        },
        "SecurityGroupEgress": [
          {
            "PortRange": "443/443",
            "DestCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupName": "TestSecurityGroupName"
      }
    }
  },
  "Parameters": {
    "VpcId": {
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
      "Type": "String",
      "Label": {
        "zh-cn": "Existing VPC instance ID",
        "en": "Existing VPC Instance ID"
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "generated security group id for security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    },
    "SecurityGroupName": {
      "Description": "The name of security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupName"
        ]
      }
    }
  }
}
Scenario 2: Create an advanced security group in an existing VPC.
YAML
ROSTemplateFormatVersion: '2015-09-01'
Resources:
  SecurityGroup:
    Type: ALIYUN::ECS::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - PortRange: 22/22
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: tcp
        - PortRange: 80/80
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: tcp
      SecurityGroupType: enterprise
      VpcId:
        Ref: VpcId
      SecurityGroupEgress:
        - PortRange: 443/443
          DestCidrIp: 0.0.0.0/0
          IpProtocol: tcp
      SecurityGroupName: TestSecurityGroupName
Parameters:
  VpcId:
    AssociationProperty: ALIYUN::ECS::VPC::VPCId
    Type: String
    Label:
      zh-cn: Existing VPC instance ID
      en: Existing VPC Instance ID
Outputs:
  SecurityGroupId:
    Description: generated security group id for security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupId
  SecurityGroupName:
    Description: The name of security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupName
JSON
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "PortRange": "22/22",
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          },
          {
            "PortRange": "80/80",
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupType": "enterprise",
        "VpcId": {
          "Ref": "VpcId"
        },
        "SecurityGroupEgress": [
          {
            "PortRange": "443/443",
            "DestCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupName": "TestSecurityGroupName"
      }
    }
  },
  "Parameters": {
    "VpcId": {
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
      "Type": "String",
      "Label": {
        "zh-cn": "Existing VPC instance ID",
        "en": "Existing VPC Instance ID"
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "generated security group id for security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    },
    "SecurityGroupName": {
      "Description": "The name of security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupName"
        ]
      }
    }
  }
}
Scenario 3: Create an ECS instance and configure the security group to open inbound port 9966.
YAML
ROSTemplateFormatVersion: '2015-09-01'
Description:
  zh-cn: Create an ECS instance and configure the security group to open inbound port 9966.
  en: Create an ECS instance and configure the security group to open inbound port 9966.
Parameters:
  ZoneId:
    Type: String
    Label:
      en: Availability Zone
      zh-cn: Zone ID
    AssociationProperty: ALIYUN::ECS::Instance::ZoneId
  InstanceType:
    Type: String
    Label:
      en: Instance Type
      zh-cn: Instance type
    AssociationProperty: ALIYUN::ECS::Instance::InstanceType
    AssociationPropertyMetadata:
      ZoneId: ${ZoneId}
  SystemDiskCategory:
    Type: String
    Label:
      en: System Disk Type
      zh-cn: System disk type
    AssociationProperty: ALIYUN::ECS::Disk::SystemDiskCategory
    AssociationPropertyMetadata:
      LocaleKey: DiskCategory
      ZoneId: ${ZoneId}
      InstanceType: ${InstanceType}
      AutoSelectFirst: true
      AutoChangeType: false
    Default: cloud_essd
  InstancePassword:
    Type: String
    NoEcho: true
    Label:
      en: Instance Password
      zh-cn: Instance password
    Description:
      en: "Server logon password. Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
      zh-cn: "Server logon password. Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
    ConstraintDescription:
      en: "Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
      zh-cn: "Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${SelectInstance}
            - false
    Default: Null
    AssociationProperty: ALIYUN::ECS::Instance::Password
Resources:
  Vpc:
    Type: ALIYUN::ECS::VPC
    Properties:
      CidrBlock: 192.168.0.0/16
  VSwitch:
    Type: ALIYUN::ECS::VSwitch
    Properties:
      ZoneId:
        Ref: ZoneId
      VpcId:
        Ref: Vpc
      CidrBlock: 192.168.0.0/24
  SecurityGroup:
    Type: ALIYUN::ECS::SecurityGroup
    Properties:
      VpcId:
        Ref: Vpc
  SecurityGroupIngress_9966:
    Type: ALIYUN::ECS::SecurityGroupIngress
    Properties:
      SecurityGroupId:
        Ref: SecurityGroup
      SourceCidrIp: 0.0.0.0/0
      IpProtocol: tcp
      NicType: intranet
      PortRange: 9966/9966
  InstanceGroup:
    Type: ALIYUN::ECS::InstanceGroup
    Properties:
      VpcId:
        Ref: Vpc
      VSwitchId:
        Ref: VSwitch
      SecurityGroupId:
        Ref: SecurityGroup
      ImageId: ubuntu_22_04
      InstanceName: ChatTTS
      InstanceType:
        Ref: InstanceType
      SystemDiskCategory:
        Ref: SystemDiskCategory
      Password:
        Ref: InstancePassword
      IoOptimized: optimized
      MaxAmount: 1
Outputs: {}
Metadata: {}
JSON
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": {
    "zh-cn": "Create an ECS instance and configure the security group to open inbound port 9966.",
    "en": "Create an ECS instance and configure the security group to open inbound port 9966."
  },
  "Parameters": {
    "ZoneId": {
      "Type": "String",
      "Label": {
        "en": "Availability Zone",
        "zh-cn": "Zone ID"
      },
      "AssociationProperty": "ALIYUN::ECS::Instance::ZoneId"
    },
    "InstanceType": {
      "Type": "String",
      "Label": {
        "en": "Instance Type",
        "zh-cn": "Instance type"
      },
      "AssociationProperty": "ALIYUN::ECS::Instance::InstanceType",
      "AssociationPropertyMetadata": {
        "ZoneId": "${ZoneId}"
      }
    },
    "SystemDiskCategory": {
      "Type": "String",
      "Label": {
        "en": "System Disk Type",
        "zh-cn": "System disk type"
      },
      "AssociationProperty": "ALIYUN::ECS::Disk::SystemDiskCategory",
      "AssociationPropertyMetadata": {
        "LocaleKey": "DiskCategory",
        "ZoneId": "${ZoneId}",
        "InstanceType": "${InstanceType}",
        "AutoSelectFirst": true,
        "AutoChangeType": false
      },
      "Default": "cloud_essd"
    },
    "InstancePassword": {
      "Type": "String",
      "NoEcho": true,
      "Label": {
        "en": "Instance Password",
        "zh-cn": "Instance password"
      },
      "Description": {
        "en": "Server logon password. Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/",
        "zh-cn": "Server logon password. Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
      },
      "ConstraintDescription": {
        "en": "Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/",
        "zh-cn": "Length must be 8–30 characters and include three of the following: uppercase letters, lowercase letters, numbers, or special symbols ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
      },
      "AssociationPropertyMetadata": {
        "Visible": {
          "Condition": {
            "Fn::Equals": [
              "${SelectInstance}",
              false
            ]
          }
        }
      },
      "Default": null,
      "AssociationProperty": "ALIYUN::ECS::Instance::Password"
    }
  },
  "Resources": {
    "Vpc": {
      "Type": "ALIYUN::ECS::VPC",
      "Properties": {
        "CidrBlock": "192.168.0.0/16"
      }
    },
    "VSwitch": {
      "Type": "ALIYUN::ECS::VSwitch",
      "Properties": {
        "ZoneId": {
          "Ref": "ZoneId"
        },
        "VpcId": {
          "Ref": "Vpc"
        },
        "CidrBlock": "192.168.0.0/24"
      }
    },
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "Vpc"
        }
      }
    },
    "SecurityGroupIngress_9966": {
      "Type": "ALIYUN::ECS::SecurityGroupIngress",
      "Properties": {
        "SecurityGroupId": {
          "Ref": "SecurityGroup"
        },
        "SourceCidrIp": "0.0.0.0/0",
        "IpProtocol": "tcp",
        "NicType": "intranet",
        "PortRange": "9966/9966"
      }
    },
    "InstanceGroup": {
      "Type": "ALIYUN::ECS::InstanceGroup",
      "Properties": {
        "VpcId": {
          "Ref": "Vpc"
        },
        "VSwitchId": {
          "Ref": "VSwitch"
        },
        "SecurityGroupId": {
          "Ref": "SecurityGroup"
        },
        "ImageId": "ubuntu_22_04",
        "InstanceName": "ChatTTS",
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "SystemDiskCategory": {
          "Ref": "SystemDiskCategory"
        },
        "Password": {
          "Ref": "InstancePassword"
        },
        "IoOptimized": "optimized",
        "MaxAmount": 1
      }
    }
  },
  "Outputs": {},
  "Metadata": {}
}
For more examples, see public templates that include this resource.