
Resource Orchestration Service: ALIYUN::ECS::SecurityGroup

Last Updated: Jul 29, 2024

ALIYUN::ECS::SecurityGroup is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}

Properties

Each property is listed with its type, whether it is required, whether it is editable after the stack is created, its description, and its constraints.

ResourceGroupId
  Type: String. Required: No. Editable: Yes.
  The ID of the resource group to which the security group belongs.
  Constraint: None.

VpcId
  Type: String. Required: No. Editable: No.
  The ID of the virtual private cloud (VPC).
  Constraint: None.

Description
  Type: String. Required: No. Editable: No.
  The description of the security group.
  Constraint: The description must be 2 to 256 characters in length.

Tags
  Type: List. Required: No. Editable: Yes.
  The tags of the security group.
  Constraint: You can add up to 20 tags. For more information, see Tags properties.

SecurityGroupName
  Type: String. Required: No. Editable: No.
  The name of the security group. By default, this property is empty.
  Constraints:
  • The name must be 2 to 128 characters in length.
  • It must start with a letter and cannot start with http:// or https://.
  • It can contain letters, digits, periods (.), underscores (_), and hyphens (-).

SecurityGroupEgress
  Type: List. Required: No. Editable: Yes.
  The outbound rules of the security group.
  Constraint: For more information, see SecurityGroupEgress properties.

SecurityGroupIngress
  Type: List. Required: No. Editable: Yes.
  The inbound rules of the security group.
  Constraint: For more information, see SecurityGroupIngress properties.

SecurityGroupType
  Type: String. Required: No. Editable: No.
  The type of the security group.
  Valid values:
  • normal: basic security group
  • enterprise: advanced security group

Tags syntax

"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]

Tags properties

Key
  Type: String. Required: Yes. Editable: No.
  The tag key.
  Constraint: The tag key must be 1 to 128 characters in length and cannot contain http:// or https://. It cannot start with aliyun or acs:.

Value
  Type: String. Required: No. Editable: No.
  The tag value.
  Constraint: The tag value can be up to 128 characters in length and cannot contain http:// or https://. It cannot start with aliyun or acs:.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String,
    "DestPrefixListId": String,
    "SourcePortRange": String,
    "Ipv6SourceCidrIp": String,
    "SourceCidrIp": String,
    "DestGroupOwnerAccount": String
  }
]

SecurityGroupEgress properties

Description
  Type: String. Required: No. Editable: Yes.
  The description of the rule.
  Constraint: The description must be 1 to 512 characters in length.

DestGroupOwnerId
  Type: String. Required: No. Editable: No.
  The ID of the Alibaba Cloud account that owns the destination security group, for a rule that references a security group in another account.
  Constraints: If you leave DestGroupOwnerId empty, the rule references a security group in your own Alibaba Cloud account. If you specify DestCidrIp, DestGroupOwnerId is ignored.

IpProtocol
  Type: String. Required: Yes. Editable: No.
  The transport layer protocol that the rule matches.
  Valid values:
  • tcp: Transmission Control Protocol (TCP).
  • udp: User Datagram Protocol (UDP).
  • icmp: Internet Control Message Protocol (ICMP).
  • gre: Generic Routing Encapsulation (GRE).
  • all: all of the preceding protocols.

PortRange
  Type: String. Required: Yes. Editable: No.
  The destination port range, expressed for the protocol set in IpProtocol.
  Constraints:
  • When IpProtocol is tcp or udp, the value has the format X/Y, where X is the start port number and Y is the end port number. X and Y range from 1 to 65535, X must not exceed Y, and they are separated by a forward slash (/).
    • Example of a valid value: 1/200.
    • Example of an invalid value: 200/1.
  • When IpProtocol is icmp, gre, or all, the only valid value is -1/-1.

NicType
  Type: String. Required: No. Editable: No.
  The type of the network interface controller (NIC).
  Valid values:
  • internet (default)
  • intranet

DestPrefixListId
  Type: String. Required: No. Editable: No.
  The ID of the destination prefix list for outbound access control.
  Constraints: You can call the DescribePrefixLists operation of ECS to query the IDs of available prefix lists. If the security group resides in the classic network, you cannot use prefix lists in its rules. If you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, DestPrefixListId is ignored.

Priority
  Type: Integer. Required: No. Editable: No.
  The priority of the rule.
  Constraint: Valid values: 1 to 100. Default value: 1.

DestGroupId
  Type: String. Required: No. Editable: No.
  The ID of the destination security group, which must reside in the same region as the security group that you create.
  Constraints: You must specify DestGroupId or DestCidrIp.
  • If you specify both DestGroupId and DestCidrIp, DestCidrIp takes precedence and DestGroupId is ignored.
  • If you specify only DestGroupId, you must set NicType to intranet.

DestCidrIp
  Type: String. Required: No. Editable: No.
  The destination IPv4 address range, in CIDR notation.
  Constraints: Default value: 0.0.0.0/0, which matches all IPv4 addresses, so an accept rule with the default destination allows outbound traffic to any host on the matched ports. Example: 10.159.XX.XX/12. The value can hold up to 10 IP addresses or CIDR blocks, separated with commas (,).
  Note: Only IPv4 is supported.

Policy
  Type: String. Required: No. Editable: No.
  The rule action that determines whether to allow access.
  Valid values:
  • accept (default): allows access.
  • drop: denies access.

Ipv6DestCidrIp
  Type: String. Required: No. Editable: No.
  The destination IPv6 CIDR block.
  Constraint: Supported only for security groups in VPCs.

SourcePortRange
  Type: String. Required: No. Editable: No.
  The source port range, expressed for the protocol set in IpProtocol.
  Constraints:
  • When IpProtocol is tcp or udp, the value has the format X/Y, where X is the start port number and Y is the end port number. X and Y range from 1 to 65535, X must not exceed Y, and they are separated by a forward slash (/). Example: 1/200.
  • When IpProtocol is icmp, gre, or all, the only valid value is -1/-1.
  This property is used to support quintuple rules. For more information, see Security group quintuple rules.

Ipv6SourceCidrIp
  Type: String. Required: No. Editable: No.
  The source IPv6 CIDR block.
  Constraints: This property is used to support quintuple rules. For more information, see Security group quintuple rules.
  Note: This property is valid only for ECS instances that reside in VPCs and support IPv6. A rule cannot mix IPv4 and IPv6 addresses, so you cannot specify this property together with the IPv4 properties SourceCidrIp or DestCidrIp.

SourceCidrIp
  Type: String. Required: No. Editable: No.
  The source IPv4 CIDR block.
  Constraint: This property is used to support quintuple rules. For more information, see Security group quintuple rules.

DestGroupOwnerAccount
  Type: String. Required: No. Editable: No.
  The Alibaba Cloud account that owns the destination security group.
  Constraints:
  • If you leave both DestGroupOwnerAccount and DestGroupOwnerId empty, the rule references a security group in your own Alibaba Cloud account.
  • If you specify DestCidrIp, DestGroupOwnerAccount is ignored.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String,
    "Ipv6DestCidrIp": String,
    "SourceGroupOwnerAccount": String,
    "DestCidrIp": String
  }
]

SecurityGroupIngress properties

SourceGroupOwnerId
  Type: String. Required: No. Editable: No.
  The ID of the Alibaba Cloud account that owns the source security group.
  Constraint: None.

Description
  Type: String. Required: No. Editable: Yes.
  The description of the rule.
  Constraint: The description must be 1 to 512 characters in length.

SourcePrefixListId
  Type: String. Required: No. Editable: No.
  The ID of the source prefix list for inbound access control.
  Constraints: You can call the DescribePrefixLists operation of ECS to query the IDs of available prefix lists. If the security group resides in the classic network, you cannot use prefix lists in its rules. If you specify SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId, SourcePrefixListId is ignored.

IpProtocol
  Type: String. Required: Yes. Editable: No.
  The transport layer protocol that the rule matches.
  Valid values:
  • tcp: Transmission Control Protocol (TCP).
  • udp: User Datagram Protocol (UDP).
  • icmp: Internet Control Message Protocol (ICMP).
  • gre: Generic Routing Encapsulation (GRE).
  • all: all of the preceding protocols.

PortRange
  Type: String. Required: Yes. Editable: No.
  The destination port range, expressed for the protocol set in IpProtocol.
  Constraints:
  • When IpProtocol is tcp or udp, the value has the format X/Y, where X is the start port number and Y is the end port number. X and Y range from 1 to 65535, X must not exceed Y, and they are separated by a forward slash (/).
    • Example of a valid value: 1/200.
    • Example of an invalid value: 200/1.
  • When IpProtocol is icmp, gre, or all, the only valid value is -1/-1.

SourceGroupId
  Type: String. Required: No. Editable: No.
  The ID of the source security group, which must reside in the same region as the security group that you create.
  Constraints: You must specify SourceGroupId or SourceCidrIp.
  • If you specify both SourceGroupId and SourceCidrIp, SourceCidrIp takes precedence and SourceGroupId is ignored.
  • If you specify only SourceGroupId, you must set NicType to intranet.

NicType
  Type: String. Required: No. Editable: No.
  The type of the network interface controller (NIC).
  Valid values:
  • internet (default)
  • intranet

Priority
  Type: Integer. Required: No. Editable: No.
  The priority of the rule.
  Constraint: Valid values: 1 to 100. Default value: 1.

SourceCidrIp
  Type: String. Required: No. Editable: No.
  The source IPv4 address range, in CIDR notation.
  Constraints: Default value: 0.0.0.0/0, which matches all IPv4 addresses, so an accept rule with the default source exposes the matched ports to the whole Internet. Example: 10.159.XX.XX/12. The value can hold up to 10 IP addresses or CIDR blocks, separated with commas (,).
  Note: Only IPv4 is supported.

Policy
  Type: String. Required: No. Editable: No.
  The rule action that determines whether to allow access.
  Valid values:
  • accept (default): allows access.
  • drop: denies access.

SourcePortRange
  Type: String. Required: No. Editable: No.
  The source port range, expressed for the protocol set in IpProtocol.
  Constraints:
  • When IpProtocol is tcp or udp, the value has the format X/Y, where X is the start port number and Y is the end port number. X and Y range from 1 to 65535, X must not exceed Y, and they are separated by a forward slash (/).
    • Example of a valid value: 1/200.
    • Example of an invalid value: 200/1.
  • When IpProtocol is icmp, gre, or all, the only valid value is -1/-1.

Ipv6SourceCidrIp
  Type: String. Required: No. Editable: No.
  The source IPv6 CIDR block.
  Constraint: Supported only for security groups in VPCs.

Ipv6DestCidrIp
  Type: String. Required: No. Editable: No.
  The destination IPv6 CIDR block.
  Note: This property is valid only for ECS instances that reside in VPCs and support IPv6. You cannot specify both this property and the DestCidrIp property.

SourceGroupOwnerAccount
  Type: String. Required: No. Editable: No.
  The Alibaba Cloud account that owns the source security group.
  Constraints:
  • If you leave both SourceGroupOwnerAccount and SourceGroupOwnerId empty, the rule references a security group in your own Alibaba Cloud account.
  • If you specify SourceCidrIp, SourceGroupOwnerAccount is ignored.

DestCidrIp
  Type: String. Required: No. Editable: No.
  The destination IPv4 CIDR block.
  Constraint: This property is used to support quintuple rules. For more information, see Security group quintuple rules.
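The following check is an added example, not part of ROS or any Alibaba Cloud SDK. It encodes the rule constraints documented in the SecurityGroupEgress and SecurityGroupIngress tables above so a template can be linted before deployment: the X/Y port format for tcp and udp and -1/-1 for icmp, gre and all; the 1 to 100 priority range; the CIDR format and 10-block limit; the intranet NicType requirement for group-only rules; and the precedence that makes a group or prefix list inert when a CIDR block is present. Rule dictionaries have the same shape as the JSON template properties. The rule that one entry cannot mix IPv4 and IPv6 addresses is an assumption about the ECS API, not a statement from this page.

```python
"""Validate ALIYUN::ECS::SecurityGroup rule entries against the documented
constraints. Added example; not part of ROS or the Alibaba Cloud SDKs."""
import ipaddress
import re
from typing import Dict, List, Optional

PROTOCOLS = ("tcp", "udp", "icmp", "gre", "all")
PORT_RANGE_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")


def check_port_range(ip_protocol: str, value: str) -> Optional[str]:
    """PortRange / SourcePortRange: X/Y with 1 <= X <= Y <= 65535 for tcp and
    udp; exactly -1/-1 for icmp, gre and all. Returns an error or None."""
    if ip_protocol in ("icmp", "gre", "all"):
        return None if value == "-1/-1" else "%s requires -1/-1, got %r" % (ip_protocol, value)
    match = PORT_RANGE_RE.match(value)
    if not match:
        return "expected X/Y, got %r" % value
    start, end = int(match.group(1)), int(match.group(2))
    if not 1 <= start <= end <= 65535:
        return "%r must satisfy 1 <= X <= Y <= 65535" % value
    return None


def check_cidr_list(value: str, version: int) -> Optional[str]:
    """SourceCidrIp / DestCidrIp hold up to 10 comma-separated IPv4 blocks;
    the Ipv6* properties hold IPv6 blocks. Returns an error or None."""
    blocks = [b.strip() for b in value.split(",")]
    if len(blocks) > 10:
        return "at most 10 CIDR blocks allowed, got %d" % len(blocks)
    for block in blocks:
        try:
            network = ipaddress.ip_network(block, strict=False)
        except ValueError:
            return "invalid CIDR block %r" % block
        if network.version != version:
            return "%r is not an IPv%d block" % (block, version)
    return None


def validate_rule(rule: Dict, direction: str) -> List[str]:
    """Validate one SecurityGroupIngress (direction='ingress') or
    SecurityGroupEgress (direction='egress') entry. Empty list means valid."""
    peer = "Source" if direction == "ingress" else "Dest"  # side that names the peer
    errors = []
    protocol = rule.get("IpProtocol")
    if protocol not in PROTOCOLS:
        return ["IpProtocol must be one of %s, got %r" % (", ".join(PROTOCOLS), protocol)]
    if "PortRange" not in rule:
        errors.append("PortRange is required")
    else:
        err = check_port_range(protocol, rule["PortRange"])
        if err:
            errors.append("PortRange: " + err)
    if "SourcePortRange" in rule:
        err = check_port_range(protocol, rule["SourcePortRange"])
        if err:
            errors.append("SourcePortRange: " + err)
    priority = rule.get("Priority", 1)
    if not isinstance(priority, int) or not 1 <= priority <= 100:
        errors.append("Priority must be an integer from 1 to 100, got %r" % (priority,))
    if rule.get("Policy", "accept") not in ("accept", "drop"):
        errors.append("Policy must be accept or drop, got %r" % (rule["Policy"],))
    nic_type = rule.get("NicType", "internet")
    if nic_type not in ("internet", "intranet"):
        errors.append("NicType must be internet or intranet, got %r" % (nic_type,))
    cidr4 = rule.get(peer + "CidrIp")
    cidr6 = rule.get("Ipv6" + peer + "CidrIp")
    group = rule.get(peer + "GroupId")
    if cidr4 is not None:
        err = check_cidr_list(cidr4, 4)
        if err:
            errors.append(peer + "CidrIp: " + err)
    if cidr6 is not None:
        err = check_cidr_list(cidr6, 6)
        if err:
            errors.append("Ipv6" + peer + "CidrIp: " + err)
    if cidr4 is not None and cidr6 is not None:
        errors.append("a rule cannot mix IPv4 and IPv6 blocks")  # assumption about the ECS API
    if cidr4 is None and cidr6 is None and group is None and rule.get(peer + "PrefixListId") is None:
        errors.append("specify %sGroupId or %sCidrIp" % (peer, peer))
    if group is not None and cidr4 is None and nic_type != "intranet":
        errors.append("NicType must be intranet when only %sGroupId is specified" % peer)
    return errors


def ignored_properties(rule: Dict, direction: str) -> List[str]:
    """Report selectors the documented precedence makes inert: a CIDR block
    overrides the group, and a CIDR block or group makes the prefix list ignored."""
    peer = "Source" if direction == "ingress" else "Dest"
    notes = []
    if peer + "GroupId" in rule and peer + "CidrIp" in rule:
        notes.append("%sGroupId is ignored because %sCidrIp is specified" % (peer, peer))
    if peer + "GroupOwnerAccount" in rule and peer + "CidrIp" in rule:
        notes.append("%sGroupOwnerAccount is ignored because %sCidrIp is specified" % (peer, peer))
    selectors = (peer + "CidrIp", "Ipv6" + peer + "CidrIp", peer + "GroupId")
    if peer + "PrefixListId" in rule and any(k in rule for k in selectors):
        notes.append("%sPrefixListId is ignored because a CIDR block or security group is specified" % peer)
    return notes
```

Run validate_rule over every entry of SecurityGroupIngress and SecurityGroupEgress before creating the stack; ignored_properties catches the silent case where a rule meant to scope access to a security group actually applies to the CIDR block given alongside it.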

Return values

Fn::GetAtt

  • SecurityGroupId: the ID of the security group.

  • SecurityGroupName: the name of the security group.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Resources:
  SecurityGroup:
    Type: 'ALIYUN::ECS::SecurityGroup'
    Properties:
      SecurityGroupIngress:
        # 0.0.0.0/0 matches every IPv4 source, so this rule exposes SSH to the Internet.
        - PortRange: 22/22
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: tcp
        - PortRange: 80/80
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: tcp
      SecurityGroupType: normal
      VpcId:
        Ref: VpcId
      SecurityGroupEgress:
        - PortRange: 443/443
          DestCidrIp: 0.0.0.0/0
          IpProtocol: tcp
      SecurityGroupName: TestSecurityGroupName
Parameters:
  VpcId:
    AssociationProperty: 'ALIYUN::ECS::VPC::VPCId'
    Type: String
    Label:
      en: Existing VPC Instance ID
Outputs:
  SecurityGroupId:
    Description: The ID of the created security group.
    Value:
      'Fn::GetAtt':
        - SecurityGroup
        - SecurityGroupId
  SecurityGroupName:
    Description: The name of the security group.
    Value:
      'Fn::GetAtt':
        - SecurityGroup
        - SecurityGroupName

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {
            "PortRange": "22/22",
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          },
          {
            "PortRange": "80/80",
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupType": "normal",
        "VpcId": {
          "Ref": "VpcId"
        },
        "SecurityGroupEgress": [
          {
            "PortRange": "443/443",
            "DestCidrIp": "0.0.0.0/0",
            "IpProtocol": "tcp"
          }
        ],
        "SecurityGroupName": "TestSecurityGroupName"
      }
    }
  },
  "Parameters": {
    "VpcId": {
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
      "Type": "String",
      "Label": {
        "en": "Existing VPC Instance ID"
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "The ID of the created security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    },
    "SecurityGroupName": {
      "Description": "The name of security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupName"
        ]
      }
    }
  }
}
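The example above accepts TCP port 22 from 0.0.0.0/0, which is the pattern most often flagged in cloud security-group audits. The following added example (not part of ROS or its SDKs) scans the SecurityGroupIngress rules of every ALIYUN::ECS::SecurityGroup resource in a ROS template, using the documented semantics: Policy defaults to accept, SourceCidrIp defaults to 0.0.0.0/0, a value may hold several comma-separated blocks, and -1/-1 covers every port. It reports administrative ports reachable from any IPv4 source and returns a hardened copy in which those rules are restricted to an administrative CIDR. SAMPLE_TEMPLATE is the Resources section of this page's JSON example; ADMIN_PORTS and the 203.0.113.0/24 administrative range are assumptions for the demonstration.

```python
"""Audit ROS templates for ALIYUN::ECS::SecurityGroup ingress rules that admit
administrative ports from any IPv4 source, and harden them. Added example; not
part of ROS. SAMPLE_TEMPLATE is the Resources section of this page's example."""
import copy
import ipaddress
import json
from typing import Dict, List, Tuple

# Ports that should never be open to 0.0.0.0/0 (assumption: adjust to local policy).
ADMIN_PORTS = {22: "ssh", 3389: "rdp", 3306: "mysql", 5432: "postgresql", 6379: "redis"}

SAMPLE_TEMPLATE = json.loads("""
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupIngress": [
          {"PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"},
          {"PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"}
        ],
        "SecurityGroupType": "normal",
        "VpcId": {"Ref": "VpcId"},
        "SecurityGroupEgress": [
          {"PortRange": "443/443", "DestCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"}
        ],
        "SecurityGroupName": "TestSecurityGroupName"
      }
    }
  }
}
""")


def port_span(port_range: str) -> Tuple[int, int]:
    """'22/22' -> (22, 22); '-1/-1' (icmp, gre, all) covers every port."""
    start, end = (int(x) for x in port_range.split("/"))
    return (1, 65535) if start == -1 else (start, end)


def is_world_open(cidr_value: str) -> bool:
    """SourceCidrIp may list up to 10 blocks; a /0 anywhere matches all IPv4 sources."""
    return any(ipaddress.ip_network(b.strip(), strict=False).prefixlen == 0
               for b in cidr_value.split(","))


def world_open_admin_rules(template: Dict) -> List[Tuple[str, int, int, str]]:
    """Return (resource name, rule index, port, service) for each accept rule
    that admits an ADMIN_PORTS port from 0.0.0.0/0."""
    findings = []
    for name, resource in template.get("Resources", {}).items():
        if resource.get("Type") != "ALIYUN::ECS::SecurityGroup":
            continue
        rules = resource.get("Properties", {}).get("SecurityGroupIngress", [])
        for index, rule in enumerate(rules):
            if rule.get("Policy", "accept") != "accept":
                continue
            if rule.get("IpProtocol") not in ("tcp", "udp", "all"):
                continue
            if "SourceCidrIp" in rule:
                source = rule["SourceCidrIp"]
            elif any(k in rule for k in ("SourceGroupId", "SourcePrefixListId", "Ipv6SourceCidrIp")):
                continue  # scoped to a security group, prefix list or IPv6 block
            else:
                source = "0.0.0.0/0"  # documented default when no source is given
            if not is_world_open(source):
                continue
            low, high = port_span(rule["PortRange"])
            for port, service in sorted(ADMIN_PORTS.items()):
                if low <= port <= high:
                    findings.append((name, index, port, service))
    return findings


def harden(template: Dict, admin_cidr: str) -> Dict:
    """Return a copy in which every flagged rule is restricted to admin_cidr.
    A broad rule (for example 1/65535) that merely covers an admin port is
    restricted as a whole rather than split; review such cases by hand."""
    hardened = copy.deepcopy(template)
    for name, index, _port, service in world_open_admin_rules(template):
        rule = hardened["Resources"][name]["Properties"]["SecurityGroupIngress"][index]
        rule["SourceCidrIp"] = admin_cidr
        rule["Description"] = "%s restricted to the administrative CIDR" % service
    return hardened
```

Running world_open_admin_rules on the page's template reports port 22 on the SecurityGroup resource; harden() rewrites only that rule and leaves the HTTP rule on 0.0.0.0/0, which is the intended exposure for a web front end. The same check is worth wiring into a pre-deployment pipeline so that a template is rejected before CreateStack rather than audited afterwards.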