The ALIYUN::ECS::SecurityGroupIngress resource type creates an inbound security group rule.
Syntax
{
  "Type": "ALIYUN::ECS::SecurityGroupIngress",
  "Properties": {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String
  }
}

Properties
Property name | Type | Required | Updatable | Description | Constraints |
IpProtocol | String | Yes | No | The IP protocol. | Valid values: |
PortRange | String | Yes | No | The range of transport-layer ports that are opened in the destination security group. | Valid values: |
SourcePrefixListId | String | No | No | The ID of the destination prefix list for which inbound access permissions must be configured. | You can call the DescribePrefixLists operation of ECS to query the IDs of available prefix lists. Prefix lists are not supported for security groups in the classic network. If you specify SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId, this parameter is ignored. |
SourceGroupId | String | No | No | The ID of the source security group. | You must specify either SourceGroupId or SourceCidrIp. If you specify SourceGroupId but not SourceCidrIp, NicType is set to intranet. If you specify both SourceGroupId and SourceCidrIp, the SourceCidrIp setting takes precedence. |
SecurityGroupId | String | No | No | The ID of the security group for which you want to create an inbound rule. | None |
NicType | String | No | No | The network type. | Valid values:
When you configure mutual access between security groups—for example, when you specify DestGroupId but not DestCidrIp—the value of this parameter is intranet. |
Priority | Integer | No | No | The priority of the security group rule. | The value can be from 1 to 100. Default value: 1. |
SourceCidrIp | String | No | No | The source IPv4 CIDR block. | Only IPv4 CIDR blocks are supported. |
Policy | String | No | No | Access permissions | Valid values: |
SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that owns the source security group. This parameter is used when you configure a security group rule across accounts. | If SourceGroupOwnerId is not set, access permissions are set for your other security groups by default. If you specify SourceCidrIp, this parameter is ignored. |
Description | String | No | Yes | The description of the security group rule. | The description must be 1 to 512 characters in length. |
SourcePortRange | String | No | No | The range of transport-layer ports that are open in the source security group. | Valid values: |
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | Supports CIDR blocks and IPv6 addresses. Only IP addresses in VPCs are supported. |
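
A pre-deployment check for the constraints in the table above, as an added example that is not part of the original documentation or of ROS. It flags rules whose source CIDR block admits any address and properties that are overridden or ignored; the function names, the sample template, and the treatment of `accept` as the allow value and default of Policy are assumptions.

```python
import ipaddress

INGRESS = "ALIYUN::ECS::SecurityGroupIngress"
CIDR_KEYS = ("SourceCidrIp", "Ipv6SourceCidrIp")

def audit_rule(name, props):
    """Return findings for one rule, following the Constraints column."""
    out = []
    allow = props.get("Policy", "accept") == "accept"  # assumed allow value/default
    for key in CIDR_KEYS:
        cidr = props.get(key)
        if not isinstance(cidr, str):  # unset, or a Ref/Fn:: object
            continue
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            out.append(f"{name}: {key}={cidr!r} is not a valid CIDR block")
            continue
        if allow and net.prefixlen == 0:
            out.append(f"{name}: {props.get('PortRange')} is open to any source ({cidr})")
    if "SourceCidrIp" in props:
        for key in ("SourceGroupId", "SourceGroupOwnerId"):
            if key in props:
                out.append(f"{name}: {key} is overridden by SourceCidrIp")
    overriding = CIDR_KEYS + ("SourceGroupId",)
    if "SourcePrefixListId" in props and any(k in props for k in overriding):
        out.append(f"{name}: SourcePrefixListId is ignored")
    prio = props.get("Priority", 1)
    if isinstance(prio, int) and not 1 <= prio <= 100:
        out.append(f"{name}: Priority {prio} is outside 1-100")
    return out

def audit_template(template):
    """Audit every SecurityGroupIngress resource in a parsed ROS template."""
    return [finding for name, res in template.get("Resources", {}).items()
            if res.get("Type") == INGRESS
            for finding in audit_rule(name, res.get("Properties", {}))]

# Constructed sample template with placeholder IDs (not from the page).
SAMPLE = {"Resources": {
    "Db": {"Type": INGRESS, "Properties": {
        "IpProtocol": "tcp", "PortRange": "3306/3306",
        "SourceCidrIp": "0.0.0.0/0", "SourceGroupId": "sg-placeholder"}},
    "Web6": {"Type": INGRESS, "Properties": {
        "IpProtocol": "tcp", "PortRange": "80/80", "Priority": 200,
        "Ipv6SourceCidrIp": "::/0", "SourcePrefixListId": "pl-placeholder"}},
    "Internal": {"Type": INGRESS, "Properties": {"SourceCidrIp": "192.168.0.0/24"}},
}}
print(*audit_template(SAMPLE), sep="\n")
```

To audit a real template, load its JSON form with `json.load` and pass the result to `audit_template`. Values supplied through `Ref` or other functions are not resolved and are skipped.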
Return values
Fn::GetAtt
None.
Examples
Scenario 1: Select an existing security group and open inbound port 3306.
ROSTemplateFormatVersion: '2015-09-01'
Description: Choose an existing security group and open inbound port 3306.
Parameters:
  SecurityGroupId:
    Type: String
    Label: Business Security Group ID
    AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
Resources:
  SecurityGroupIngress_3306:
    Type: ALIYUN::ECS::SecurityGroupIngress
    Properties:
      SecurityGroupId:
        Ref: SecurityGroupId
      SourceCidrIp: 0.0.0.0/0
      IpProtocol: tcp
      NicType: intranet
      PortRange: 3306/3306
Outputs: {}
Metadata: {}

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Choose an existing security group and open inbound port 3306.",
  "Parameters": {
    "SecurityGroupId": {
      "Type": "String",
      "Label": "Business Security Group ID",
      "AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId"
    }
  },
  "Resources": {
    "SecurityGroupIngress_3306": {
      "Type": "ALIYUN::ECS::SecurityGroupIngress",
      "Properties": {
        "SecurityGroupId": {
          "Ref": "SecurityGroupId"
        },
        "SourceCidrIp": "0.0.0.0/0",
        "IpProtocol": "tcp",
        "NicType": "intranet",
        "PortRange": "3306/3306"
      }
    }
  },
  "Outputs": {},
  "Metadata": {}
}

Scenario 2: Create a security group and open inbound port 80.
ROSTemplateFormatVersion: '2015-09-01'
Description: Create an ECS security group to open inbound port 80.
Parameters:
  ZoneId:
    Type: String
    Label: Availability Zone
    AssociationProperty: ALIYUN::ECS::Instance:ZoneId
Resources:
  Vpc:
    Type: ALIYUN::ECS::VPC
    Properties:
      CidrBlock: 192.168.0.0/16
  VSwitch:
    Type: ALIYUN::ECS::VSwitch
    Properties:
      ZoneId:
        Ref: ZoneId
      VpcId:
        Ref: Vpc
      CidrBlock: 192.168.0.0/24
  SecurityGroup:
    Type: ALIYUN::ECS::SecurityGroup
    Properties:
      VpcId:
        Ref: Vpc
  SecurityGroupIngress_80:
    Type: ALIYUN::ECS::SecurityGroupIngress
    Properties:
      SecurityGroupId:
        Ref: SecurityGroup
      SourceCidrIp: 0.0.0.0/0
      IpProtocol: tcp
      NicType: intranet
      PortRange: 80/80
Outputs: {}
Metadata: {}

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Create an ECS security group to open inbound port 80.",
  "Parameters": {
    "ZoneId": {
      "Type": "String",
      "Label": "Availability Zone",
      "AssociationProperty": "ALIYUN::ECS::Instance:ZoneId"
    }
  },
  "Resources": {
    "Vpc": {
      "Type": "ALIYUN::ECS::VPC",
      "Properties": {
        "CidrBlock": "192.168.0.0/16"
      }
    },
    "VSwitch": {
      "Type": "ALIYUN::ECS::VSwitch",
      "Properties": {
        "ZoneId": {
          "Ref": "ZoneId"
        },
        "VpcId": {
          "Ref": "Vpc"
        },
        "CidrBlock": "192.168.0.0/24"
      }
    },
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "Vpc"
        }
      }
    },
    "SecurityGroupIngress_80": {
      "Type": "ALIYUN::ECS::SecurityGroupIngress",
      "Properties": {
        "SecurityGroupId": {
          "Ref": "SecurityGroup"
        },
        "SourceCidrIp": "0.0.0.0/0",
        "IpProtocol": "tcp",
        "NicType": "intranet",
        "PortRange": "80/80"
      }
    }
  },
  "Outputs": {},
  "Metadata": {}
}

Scenario 3: Create an ECS instance and open inbound port 3000 as the service port for a Flowise application.
ROSTemplateFormatVersion: '2015-09-01'
Description: Create an Ubuntu 22.04 ECS instance, configure security groups and networking, automate the installation of Node.js alongside the Flowise AI agent service, and provision an external access URL.
Parameters:
  SystemDiskCategory:
    Default: cloud_essd
    AssociationProperty: ALIYUN::ECS::Disk::SystemDiskCategory
    AssociationPropertyMetadata:
      LocaleKey: DiskCategory
      AutoChangeType: false
      InstanceType: ${InstanceType}
      AutoSelectFirst: true
      ZoneId: ${ZoneId}
    Type: String
    Label: System Disk Type
  InstanceType:
    AssociationProperty: ALIYUN::ECS::Instance::InstanceType
    AssociationPropertyMetadata:
      DefaultValueStrategy: recent
      ZoneId: ${ZoneId}
    Type: String
    Label: Instance Type
  InstancePassword:
    AssociationPropertyMetadata:
      Visible:
        Condition:
          Fn::Equals:
            - ${SelectInstance}
            - false
    Description: "The logon password for the server. The password must be 8 to 30 characters long and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters: ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
    Default: Null
    Type: String
    Label: Instance Password
    NoEcho: true
    AssociationProperty: ALIYUN::ECS::Instance::Password
    ConstraintDescription: "The logon password for the server. The password must be 8 to 30 characters long and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters: ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
  ZoneId:
    AssociationProperty: ALIYUN::ECS::Instance:ZoneId
    Type: String
    Description: <font color='blue'>This template uses Git to clone the FlowiseAI/Flowise repository from GitHub. You may encounter network issues when you use this template in a region within China. You can switch to a region outside China.</font>
    Label: Availability Zone
Outputs:
  FlowiseUrl:
    Description: The default address for Flowise.
    Value:
      Fn::Sub:
        - http://${IP}:3000
        - IP:
            Fn::Jq:
              - First
              - if .[0].PublicIpAddress != [] then .[0].PublicIpAddress[0] else .[0].EipAddress.IpAddress end
              - Fn::GetAtt:
                  - DS_Instances
                  - Instances
Resources:
  SecurityGroupIngress_3000:
    Type: ALIYUN::ECS::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      SecurityGroupId:
        Ref: SecurityGroup
      NicType: intranet
      SourceCidrIp: 0.0.0.0/0
      PortRange: 3000/3000
  InstanceGroup:
    Type: ALIYUN::ECS::InstanceGroup
    Properties:
      SystemDiskCategory:
        Ref: SystemDiskCategory
      VpcId:
        Ref: Vpc
      SecurityGroupId:
        Ref: SecurityGroup
      ImageId: ubuntu_22_04
      IoOptimized: optimized
      VSwitchId:
        Ref: VSwitch
      Password:
        Ref: InstancePassword
      InstanceName: Flowise
      InstanceType:
        Ref: InstanceType
      MaxAmount: 1
  SecurityGroup:
    Type: ALIYUN::ECS::SecurityGroup
    Properties:
      VpcId:
        Ref: Vpc
  DS_Instances:
    Type: DATASOURCE::ECS::Instances
    Properties:
      InstanceIds:
        Fn::GetAtt:
          - InstanceGroup
          - InstanceIds
  Vpc:
    Type: ALIYUN::ECS::VPC
    Properties:
      CidrBlock: 192.168.0.0/16
  InstallFlowise:
    Type: ALIYUN::ECS::RunCommand
    Properties:
      CommandContent: |
        #!/bin/bash
        echo "#########################"
        echo "# Install NodeJS"
        echo "#########################"
        git clone https://github.com/nvm-sh/nvm.git /opt/nvm && cd /opt/nvm
        ret_code=$?
        if [ $ret_code -ne 0 ]; then
          echo "Git clone https://github.com/nvm-sh/nvm.git failed. Exiting."
          exit $ret_code
        fi
        ./install.sh
        export NVM_DIR="$HOME/.nvm"
        [ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"
        [ -s "$NVM_DIR/bash_completion" ] && \. "$NVM_DIR/bash_completion"
        nvm install 22
        npm config set registry https://registry.npmmirror.com
        npm i -g pnpm

        echo "#########################"
        echo "# Install Flowise"
        echo "#########################"
        git clone --depth 1 https://github.com/FlowiseAI/Flowise.git /opt/Flowise && cd /opt/Flowise
        ret_code=$?
        if [ $ret_code -ne 0 ]; then
          echo "Git clone https://github.com/FlowiseAI/Flowise.git failed. Exiting."
          exit $ret_code
        fi
        pnpm install
        pnpm build
        nohup pnpm start > flowise.log 2>&1 &
      Type: RunShellScript
      Sync: true
      InstanceIds:
        Fn::GetAtt:
          - InstanceGroup
          - InstanceIds
      Timeout: 1800
  VSwitch:
    Type: ALIYUN::ECS::VSwitch
    Properties:
      VpcId:
        Ref: Vpc
      CidrBlock: 192.168.0.0/24
      ZoneId:
        Ref: ZoneId
Metadata: {}

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Description": "Create an Ubuntu 22.04 ECS instance, configure security groups and networking, automate the installation of Node.js alongside the Flowise AI agent service, and provision an external access URL.",
  "Parameters": {
    "SystemDiskCategory": {
      "Default": "cloud_essd",
      "AssociationProperty": "ALIYUN::ECS::Disk::SystemDiskCategory",
      "AssociationPropertyMetadata": {
        "LocaleKey": "DiskCategory",
        "AutoChangeType": false,
        "InstanceType": "${InstanceType}",
        "AutoSelectFirst": true,
        "ZoneId": "${ZoneId}"
      },
      "Type": "String",
      "Label": "System Disk Type"
    },
    "InstanceType": {
      "AssociationProperty": "ALIYUN::ECS::Instance::InstanceType",
      "AssociationPropertyMetadata": {
        "DefaultValueStrategy": "recent",
        "ZoneId": "${ZoneId}"
      },
      "Type": "String",
      "Label": "Instance Type"
    },
    "InstancePassword": {
      "AssociationPropertyMetadata": {
        "Visible": {
          "Condition": {
            "Fn::Equals": [
              "${SelectInstance}",
              false
            ]
          }
        }
      },
      "Description": "The logon password for the server. The password must be 8 to 30 characters long and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters: ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/",
      "Default": null,
      "Type": "String",
      "Label": "Instance Password",
      "NoEcho": true,
      "AssociationProperty": "ALIYUN::ECS::Instance::Password",
      "ConstraintDescription": "The logon password for the server. The password must be 8 to 30 characters long and contain at least three of the following character types: uppercase letters, lowercase letters, digits, and special characters: ()`~!@#$%^&*_-+=|{}[]:;'<>,.?/"
    },
    "ZoneId": {
      "AssociationProperty": "ALIYUN::ECS::Instance:ZoneId",
      "Type": "String",
      "Description": "<font color='blue'>This template uses Git to clone the FlowiseAI/Flowise repository from GitHub. You may encounter network issues when you use this template in a region within China. You can switch to a region outside China.</font>",
      "Label": "Availability Zone"
    }
  },
  "Outputs": {
    "FlowiseUrl": {
      "Description": "The default address for Flowise.",
      "Value": {
        "Fn::Sub": [
          "http://${IP}:3000",
          {
            "IP": {
              "Fn::Jq": [
                "First",
                "if .[0].PublicIpAddress != [] then .[0].PublicIpAddress[0] else .[0].EipAddress.IpAddress end",
                {
                  "Fn::GetAtt": [
                    "DS_Instances",
                    "Instances"
                  ]
                }
              ]
            }
          }
        ]
      }
    }
  },
  "Resources": {
    "SecurityGroupIngress_3000": {
      "Type": "ALIYUN::ECS::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "tcp",
        "SecurityGroupId": {
          "Ref": "SecurityGroup"
        },
        "NicType": "intranet",
        "SourceCidrIp": "0.0.0.0/0",
        "PortRange": "3000/3000"
      }
    },
    "InstanceGroup": {
      "Type": "ALIYUN::ECS::InstanceGroup",
      "Properties": {
        "SystemDiskCategory": {
          "Ref": "SystemDiskCategory"
        },
        "VpcId": {
          "Ref": "Vpc"
        },
        "SecurityGroupId": {
          "Ref": "SecurityGroup"
        },
        "ImageId": "ubuntu_22_04",
        "IoOptimized": "optimized",
        "VSwitchId": {
          "Ref": "VSwitch"
        },
        "Password": {
          "Ref": "InstancePassword"
        },
        "InstanceName": "Flowise",
        "InstanceType": {
          "Ref": "InstanceType"
        },
        "MaxAmount": 1
      }
    },
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": {
          "Ref": "Vpc"
        }
      }
    },
    "DS_Instances": {
      "Type": "DATASOURCE::ECS::Instances",
      "Properties": {
        "InstanceIds": {
          "Fn::GetAtt": [
            "InstanceGroup",
            "InstanceIds"
          ]
        }
      }
    },
    "Vpc": {
      "Type": "ALIYUN::ECS::VPC",
      "Properties": {
        "CidrBlock": "192.168.0.0/16"
      }
    },
    "InstallFlowise": {
      "Type": "ALIYUN::ECS::RunCommand",
      "Properties": {
        "CommandContent": "#!/bin/bash\necho \"#########################\"\necho \"# Install NodeJS\"\necho \"#########################\"\ngit clone https://github.com/nvm-sh/nvm.git /opt/nvm && cd /opt/nvm\nret_code=$?\nif [ $ret_code -ne 0 ]; then\n echo \"Git clone https://github.com/nvm-sh/nvm.git failed. Exiting.\"\n exit $ret_code\nfi\n./install.sh\nexport NVM_DIR=\"$HOME/.nvm\"\n[ -s \"$NVM_DIR/nvm.sh\" ] && \\. \"$NVM_DIR/nvm.sh\"\n[ -s \"$NVM_DIR/bash_completion\" ] && \\. \"$NVM_DIR/bash_completion\"\nnvm install 22\nnpm config set registry https://registry.npmmirror.com\nnpm i -g pnpm\n\necho \"#########################\"\necho \"# Install Flowise\"\necho \"#########################\"\ngit clone --depth 1 https://github.com/FlowiseAI/Flowise.git /opt/Flowise && cd /opt/Flowise\nret_code=$?\nif [ $ret_code -ne 0 ]; then\n echo \"Git clone https://github.com/FlowiseAI/Flowise.git failed. Exiting.\"\n exit $ret_code\nfi\npnpm install\npnpm build\nnohup pnpm start > flowise.log 2>&1 &\n",
        "Type": "RunShellScript",
        "Sync": true,
        "InstanceIds": {
          "Fn::GetAtt": [
            "InstanceGroup",
            "InstanceIds"
          ]
        },
        "Timeout": 1800
      }
    },
    "VSwitch": {
      "Type": "ALIYUN::ECS::VSwitch",
      "Properties": {
        "VpcId": {
          "Ref": "Vpc"
        },
        "CidrBlock": "192.168.0.0/24",
        "ZoneId": {
          "Ref": "ZoneId"
        }
      }
    }
  },
  "Metadata": {}
}

For more information, see public templates that contain this resource.