ALIYUN::ECS::SecurityGroupIngress is used to create an inbound rule for a security group.
Syntax
{
  "Type": "ALIYUN::ECS::SecurityGroupIngress",
  "Properties": {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
IpProtocol | String | Yes | No | The transport layer protocol. | Valid values: |
PortRange | String | Yes | No | The range of port numbers that correspond to the transport layer protocol for the destination security group. | Valid values: For more information about the scenarios in which ports are used, see Typical applications of commonly used ports. |
SourcePrefixListId | String | No | No | The ID of the destination prefix list to which you want to control inbound access. | You can call the DescribePrefixLists operation to query the IDs of available prefix lists. If a security group resides in the classic network, you cannot configure prefix lists in the security group rule. For more information, see the "Security group limits" section of the Limits topic. If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId property, the system ignores the value of the SourcePrefixListId property. |
SourceGroupId | String | No | No | The ID of the source security group on which you want to grant inbound access permissions. | You must specify the SourceGroupId or SourceCidrIp property. If you specify only the SourceGroupId property, you must set the NicType property to intranet. If you specify both the SourceGroupId and SourceCidrIp properties, the SourceCidrIp property takes precedence. |
SecurityGroupId | String | No | No | The ID of the security group for which you want to create the inbound rule. | None. |
NicType | String | No | No | The type of the network interface controller (NIC). | Default value: internet. Valid values: |
Priority | Integer | No | No | The priority of the inbound rule. | Valid values: 1 to 100. Default value: 1. |
SourceCidrIp | String | No | No | The source IPv4 CIDR block. | Only IPv4 CIDR blocks are supported. |
Policy | String | No | No | The rule action that determines whether to accept inbound access. | Default value: accept. Valid values: |
SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account to which the source security group belongs when you configure a security group rule across accounts. | If you do not specify the DestGroupOwnerId property, the access permissions are granted to another security group that belongs to your Alibaba Cloud account. If you specify the SourceCidrIp property, the SourceGroupOwnerId property is ignored. |
Description | String | No | Yes | The description of the inbound rule. | The description must be 1 to 512 characters in length. |
SourcePortRange | String | No | No | The range of port numbers that correspond to the transport layer protocol for the source security group. | Valid values: |
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | The value must be in the CIDR format. You can specify only IP addresses of the virtual private cloud (VPC) type. |
Return values
Fn::GetAtt
None.
Examples
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupId": {
      "Type": "String",
      "AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId",
      "Label": {
        "en": "Security Group ID"
      }
    }
  },
  "Resources": {
    "SecurityGroupIngress": {
      "Type": "ALIYUN::ECS::SecurityGroupIngress",
      "Properties": {
        "SecurityGroupId": {
          "Ref": "SecurityGroupId"
        },
        "SourceCidrIp": "0.0.0.0/0",
        "IpProtocol": "all",
        "NicType": "intranet",
        "PortRange": "-1/-1"
      }
    }
  }
}
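The constraints in the Properties table can be checked before a stack is deployed. The following Python linter is an added example, not part of the Alibaba Cloud documentation: `lint_ingress` and its finding strings are hypothetical names, and the second sample rule is constructed. It also flags accept rules whose source CIDR block covers every address, which is what the JSON example above creates.

```python
import ipaddress

RULE_TYPE = "ALIYUN::ECS::SecurityGroupIngress"

def lint_ingress(template):
    """Return sorted (resource_name, finding) pairs for ingress rules in a ROS template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != RULE_TYPE:
            continue
        p = res.get("Properties", {})
        add = lambda msg, n=name: findings.append((n, msg))
        # Precedence rules stated in the Properties table.
        if "SourceCidrIp" in p and "SourceGroupId" in p:
            add("SourceCidrIp takes precedence over SourceGroupId")
        nic = p.get("NicType", "internet")  # documented default
        if "SourceGroupId" in p and "SourceCidrIp" not in p and nic == "internet":
            add("SourceGroupId alone requires NicType intranet")
        if "SourcePrefixListId" in p and any(
                k in p for k in ("SourceCidrIp", "Ipv6SourceCidrIp", "SourceGroupId")):
            add("SourcePrefixListId is ignored")
        # Range checks apply to literals only; {"Ref": ...} values are skipped.
        prio, desc = p.get("Priority", 1), p.get("Description")
        if isinstance(prio, int) and not 1 <= prio <= 100:
            add("Priority must be 1 to 100")
        if isinstance(desc, str) and not 1 <= len(desc) <= 512:
            add("Description must be 1 to 512 characters")
        # Exposure check: an accept rule whose source covers every address.
        for key, version in (("SourceCidrIp", 4), ("Ipv6SourceCidrIp", 6)):
            cidr = p.get(key)
            if not isinstance(cidr, str):
                continue
            try:
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                net = None
            if net is None or net.version != version:
                add(f"{key} must be an IPv{version} CIDR block")
            elif net.prefixlen == 0 and p.get("Policy", "accept") == "accept":
                scope = "all ports" if p.get("PortRange") == "-1/-1" else p.get("PortRange")
                add(f"{key} {cidr} accepts any source on {scope}")
    return sorted(findings)

# The rule from the page's JSON example, plus a constructed narrower rule.
SAMPLE = {"Resources": {
    "SecurityGroupIngress": {"Type": RULE_TYPE, "Properties": {
        "SecurityGroupId": {"Ref": "SecurityGroupId"}, "SourceCidrIp": "0.0.0.0/0",
        "IpProtocol": "all", "NicType": "intranet", "PortRange": "-1/-1"}},
    "SshFromBastion": {"Type": RULE_TYPE, "Properties": {
        "SourceCidrIp": "10.0.8.0/24", "IpProtocol": "tcp", "PortRange": "22/22"}}}}
```

Calling `lint_ingress(SAMPLE)` reports only the `SecurityGroupIngress` rule; the constructed `SshFromBastion` rule, limited to one subnet and one port, produces no finding.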