ALIYUN::ECS::SecurityGroupIngresses is used to associate multiple inbound rules with a security group at a time.
Syntax
{
  "Type": "ALIYUN::ECS::SecurityGroupIngresses",
  "Properties": {
    "SecurityGroupId": String,
    "Permissions": List
  }
}
Properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| Permissions | List | Yes | Yes | The configurations of the inbound rules that you want to associate with the security group. | You can associate up to 100 inbound rules. For more information, see Permissions properties. |
| SecurityGroupId | String | Yes | No | The ID of the security group to which the inbound rules are added. | None. |
Permissions syntax
"Permissions": [
  {
    "Policy": String,
    "SourceGroupId": String,
    "Description": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "SourceGroupOwnerId": String,
    "Ipv6SourceCidrIp": String,
    "NicType": String,
    "PortRange": String,
    "SourceCidrIp": String,
    "IpProtocol": String,
    "DestCidrIp": String,
    "SourceGroupOwnerAccount": String,
    "Ipv6DestCidrIp": String,
    "SourcePrefixListId": String
  }
]
Permissions properties
| Property | Type | Required | Editable | Description | Constraint |
| --- | --- | --- | --- | --- | --- |
| IpProtocol | String | Yes | No | The IP protocol to which the rule applies. | Valid values: tcp, udp, icmp, gre, all, icmpv6. |
| PortRange | String | Yes | No | The range of destination port numbers for the transport layer protocol of the security group. | For tcp and udp: 1 to 65535, written as start/end with the start port no greater than the end port, for example 1/200 (200/1 is invalid). For icmp, icmpv6, gre, and all: -1/-1. |
| Description | String | No | No | The description of the rule. | The description must be 1 to 512 characters in length. |
| DestCidrIp | String | No | No | The destination IPv4 CIDR block. | Only IPv4 CIDR blocks and addresses are supported. |
| Ipv6DestCidrIp | String | No | No | The destination IPv6 CIDR block. | Only IPv6 CIDR blocks and addresses are supported. The IP addresses must be of the virtual private cloud (VPC) type. |
| Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | Only IPv6 CIDR blocks and addresses are supported. The IP addresses must be of the VPC type. |
| NicType | String | No | No | The type of the network interface controller (NIC). | Valid values: internet (default), intranet. If you specify SourceGroupId but leave SourceCidrIp empty to configure mutual access between security groups, you must set NicType to intranet. |
| Policy | String | No | No | The action of the rule, which determines whether matching traffic is allowed. | Valid values: accept (default), drop. |
| Priority | Integer | No | No | The priority of the rule. | Valid values: 1 to 100. Default value: 1. A smaller value indicates a higher priority. |
| SourceCidrIp | String | No | No | The source IPv4 CIDR block. | Only IPv4 CIDR blocks and addresses are supported. |
| SourceGroupId | String | No | No | The ID of the source security group to be referenced in the rule. | You must specify at least one of SourceGroupId and SourceCidrIp. If you specify SourceGroupId but leave SourceCidrIp empty, you must set NicType to intranet. If you specify both SourceGroupId and SourceCidrIp, the value of SourceCidrIp takes precedence. |
| SourceGroupOwnerAccount | String | No | No | The email address of the Alibaba Cloud account to which the source security group belongs. | Example: T***@example.com. |
| SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account to which the source security group belongs when you configure the rule across accounts. | If you leave SourceGroupOwnerId empty, the rule references a security group within your own Alibaba Cloud account. If you specify SourceCidrIp, the value of SourceGroupOwnerId is ignored. |
| SourcePortRange | String | No | No | The range of source port numbers for the transport layer protocol of the source security group. | Same format as PortRange. For tcp and udp: 1 to 65535, written as start/end, for example 1/200 (200/1 is invalid). For icmp, icmpv6, gre, and all: -1/-1. |
| SourcePrefixListId | String | No | No | The ID of the source prefix list to be referenced in the rule. | You can call the DescribePrefixLists operation to query the IDs of available prefix lists. If a security group is in the classic network, you cannot reference prefix lists in the security group rule. For more information, see Security group limits. If you specify one of SourceCidrIp, Ipv6SourceCidrIp, and SourceGroupId, the value of SourcePrefixListId is ignored. |
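The constraints above (required properties, port range format per protocol, priority range, the NicType requirement when a rule references a source security group, and the precedence between SourceCidrIp, SourceGroupId and SourcePrefixListId) are easy to get wrong in a list of up to 100 rules, and ROS only reports them at stack creation time. The following Python check is an added example, not part of the ROS documentation or the ROS service: it lints a Permissions list before deployment, enforces those constraints, and flags accept rules whose source is 0.0.0.0/0 or ::/0. It assumes the rules are supplied as a list of dictionaries in the shape of the Permissions syntax above; the sample rules and the sg-placeholder security group ID are constructed for the example.

```python
"""Pre-deployment lint for the Permissions list of an ALIYUN::ECS::SecurityGroupIngresses
resource (added example, not ROS code). Enforces the documented constraints and flags
rules that accept traffic from any address."""
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all", "icmpv6"}
MAX_RULES = 100  # the resource accepts at most 100 inbound rules
PORT_PAIR = re.compile(r"(\d{1,5})/(\d{1,5})")


def check_port_range(proto, value):
    """Validate PortRange/SourcePortRange for proto. Return None if valid, else a message."""
    if proto in ("tcp", "udp"):
        m = PORT_PAIR.fullmatch(str(value or ""))
        if not m:
            return f"{proto} port range must be 'start/end', got {value!r}"
        lo, hi = int(m.group(1)), int(m.group(2))
        if not 1 <= lo <= hi <= 65535:
            return f"port range {value!r} must satisfy 1 <= start <= end <= 65535"
        return None
    if value != "-1/-1":
        return f"{proto} requires port range '-1/-1', got {value!r}"
    return None


def lint_permissions(perms):
    """Return a list of (rule_index, severity, message); index -1 refers to the whole list."""
    findings = []
    if len(perms) > MAX_RULES:
        findings.append((-1, "error", f"{len(perms)} rules exceed the limit of {MAX_RULES}"))
    for i, p in enumerate(perms):
        proto = str(p.get("IpProtocol", "")).lower()
        if proto not in PROTOCOLS:
            findings.append((i, "error", f"IpProtocol must be one of {sorted(PROTOCOLS)}"))
            continue
        for key in ("PortRange", "SourcePortRange"):  # PortRange is required, SourcePortRange optional
            if key == "PortRange" or key in p:
                err = check_port_range(proto, p.get(key))
                if err:
                    findings.append((i, "error", f"{key}: {err}"))
        policy = p.get("Policy", "accept")
        if policy not in ("accept", "drop"):
            findings.append((i, "error", f"Policy must be accept or drop, got {policy!r}"))
        prio = p.get("Priority", 1)
        if isinstance(prio, bool) or not isinstance(prio, int) or not 1 <= prio <= 100:
            findings.append((i, "error", f"Priority must be an integer in 1..100, got {prio!r}"))
        desc = p.get("Description")
        if desc is not None and not 1 <= len(desc) <= 512:
            findings.append((i, "error", "Description must be 1 to 512 characters"))
        # Source selector and the precedence rules documented for the resource.
        has_cidr = bool(p.get("SourceCidrIp"))
        has_v6 = bool(p.get("Ipv6SourceCidrIp"))
        has_group = bool(p.get("SourceGroupId"))
        has_prefix = bool(p.get("SourcePrefixListId"))
        if not (has_cidr or has_v6 or has_group or has_prefix):
            findings.append((i, "error", "rule has no source (SourceCidrIp, Ipv6SourceCidrIp, "
                                         "SourceGroupId or SourcePrefixListId)"))
        if has_group and not has_cidr and p.get("NicType", "internet") != "intranet":
            findings.append((i, "error", "SourceGroupId without SourceCidrIp requires NicType 'intranet'"))
        if has_group and has_cidr:
            findings.append((i, "warn", "SourceCidrIp takes precedence; SourceGroupId is ignored"))
        if has_prefix and (has_cidr or has_v6 or has_group):
            findings.append((i, "warn", "SourcePrefixListId is ignored because another source is set"))
        # Exposure check: an accept rule from 0.0.0.0/0 or ::/0 opens the port to the whole internet.
        for key in ("SourceCidrIp", "Ipv6SourceCidrIp"):
            if not p.get(key):
                continue
            try:
                net = ipaddress.ip_network(p[key], strict=False)
            except ValueError:
                findings.append((i, "error", f"{key}: {p[key]!r} is not a valid CIDR block"))
                continue
            if policy == "accept" and net.prefixlen == 0:
                scope = "all protocols and ports" if proto == "all" else f"{proto} {p.get('PortRange')}"
                findings.append((i, "warn", f"accept from {p[key]} opens {scope} to the whole internet"))
    return findings


# Constructed sample input; sg-placeholder is not a real security group ID.
SAMPLE_PERMISSIONS = [
    {"IpProtocol": "tcp", "PortRange": "443/443", "SourceCidrIp": "10.0.0.0/8",
     "Policy": "accept", "Priority": 1, "Description": "HTTPS from the corporate range"},
    {"IpProtocol": "tcp", "PortRange": "3306/3306", "SourceGroupId": "sg-placeholder",
     "Policy": "accept", "Priority": 2},                     # NicType: intranet is missing
    {"IpProtocol": "all", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0",
     "Policy": "accept", "Priority": 100},                   # open to the world
]

if __name__ == "__main__":
    for idx, sev, msg in lint_permissions(SAMPLE_PERMISSIONS):
        print(f"rule {idx}: {sev}: {msg}")
```

Run it against the Permissions parameter value before creating the stack; the first sample rule passes, the second is rejected because a SourceGroupId rule without SourceCidrIp must set NicType to intranet, and the third is reported as an accept rule open to the whole internet on every protocol and port, which is the configuration a reviewer should question before it reaches a security group.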
Return values
Fn::GetAtt
None.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupId:
    AssociationPropertyMetadata:
      VpcId: ${VpcId}
    AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
    Type: String
    Description:
      en: Id of the security group.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        SourceGroupId:
          Type: String
          Description:
            en: Source Group Id
          Required: false
        Description:
          AssociationProperty: TextArea
          Type: String
          Description:
            en: Description of the security group rule, [1, 512] characters. The default is empty.
          Required: false
          MinLength: 1
          MaxLength: 512
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of ports opened by the source security group for the transport layer protocol. Valid values: TCP/UDP: 1 to 65535, with the start port and the end port separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Priority of the rule, in the range [1, 100].
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        SourceGroupOwnerId:
          Type: String
          Description:
            en: Source Group Owner Account ID
          Required: false
        Ipv6SourceCidrIp:
          Type: String
          Description:
            en: |-
              Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.
              Note Only VPC type IP addresses are supported.
          Required: false
        NicType:
          Type: String
          Description:
            en: Network type, could be 'internet' or 'intranet'. Default value is internet.
          AllowedValues:
            - internet
            - intranet
          Required: false
        PortRange:
          Type: String
          Description:
            en: IP protocol port range. For tcp and udp, the port range is [1,65535], using the format '1/200'. For icmp, gre, and all, the port range must be '-1/-1'.
          Required: true
        SourceCidrIp:
          Type: String
          Description:
            en: The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: IP protocol of the inbound rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
            - icmpv6
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
          Required: false
        SourceGroupOwnerAccount:
          Type: String
          Description:
            en: Source Group Owner Account
          Required: false
        Ipv6DestCidrIp:
          Type: String
          Description:
            en: Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported.
          Required: false
        SourcePrefixListId:
          Type: String
          Description:
            en: |-
              The ID of the source prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:
              - If a security group is in the classic network, you cannot configure prefix lists in the security group rules.
              - If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId parameter, this parameter is ignored.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: A list of security group rules. A hundred at most.
    Required: true
    MaxLength: 100
Resources:
  SecurityGroupIngresses:
    Type: ALIYUN::ECS::SecurityGroupIngresses
    Properties:
      SecurityGroupId:
        Ref: SecurityGroupId
      Permissions:
        Ref: Permissions
JSON format
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"SecurityGroupId": {
"AssociationPropertyMetadata": {
"VpcId": "${VpcId}"
},
"AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId",
"Type": "String",
"Description": {
"en": "Id of the security group."
},
"Required": true
},
"Permissions": {
"AssociationPropertyMetadata": {
"Parameters": {
"Policy": {
"Type": "String",
"Description": {
"en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
},
"AllowedValues": [
"accept",
"drop"
],
"Required": false
},
"SourceGroupId": {
"Type": "String",
"Description": {
"en": "Source Group Id"
},
"Required": false
},
"Description": {
"AssociationProperty": "TextArea",
"Type": "String",
"Description": {
"en": "Description of the security group rule, [1, 512] characters. The default is empty."
},
"Required": false,
"MinLength": 1,
"MaxLength": 512
},
"SourcePortRange": {
"Type": "String",
"Description": {
"en": "The range of ports opened by the source security group for the transport layer protocol. Valid values: TCP/UDP: 1 to 65535, with the start port and the end port separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1."
},
"Required": false
},
"Priority": {
"Type": "Number",
"Description": {
"en": "Priority of the rule, in the range [1, 100]."
},
"Required": false,
"MinValue": 1,
"MaxValue": 100,
"Default": 1
},
"SourceGroupOwnerId": {
"Type": "String",
"Description": {
"en": "Source Group Owner Account ID"
},
"Required": false
},
"Ipv6SourceCidrIp": {
"Type": "String",
"Description": {
"en": "Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
},
"Required": false
},
"NicType": {
"Type": "String",
"Description": {
"en": "Network type, could be 'internet' or 'intranet'. Default value is internet."
},
"AllowedValues": [
"internet",
"intranet"
],
"Required": false
},
"PortRange": {
"Type": "String",
"Description": {
"en": "IP protocol port range. For tcp and udp, the port range is [1,65535], using the format '1/200'. For icmp, gre, and all, the port range must be '-1/-1'."
},
"Required": true
},
"SourceCidrIp": {
"Type": "String",
"Description": {
"en": "The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
},
"Required": false
},
"IpProtocol": {
"Type": "String",
"Description": {
"en": "IP protocol of the inbound rule."
},
"AllowedValues": [
"tcp",
"udp",
"icmp",
"gre",
"all",
"icmpv6"
],
"Required": true
},
"DestCidrIp": {
"Type": "String",
"Description": {
"en": "The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
},
"Required": false
},
"SourceGroupOwnerAccount": {
"Type": "String",
"Description": {
"en": "Source Group Owner Account"
},
"Required": false
},
"Ipv6DestCidrIp": {
"Type": "String",
"Description": {
"en": "Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported."
},
"Required": false
},
"SourcePrefixListId": {
"Type": "String",
"Description": {
"en": "The ID of the source prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:\n- If a security group is in the classic network, you cannot configure prefix lists in the security group rules.\n- If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId parameter, this parameter is ignored."
},
"Required": false
}
}
},
"AssociationProperty": "List[Parameters]",
"Type": "Json",
"Description": {
"en": "A list of security group rules. A hundred at most."
},
"Required": true,
"MaxLength": 100
}
},
"Resources": {
"SecurityGroupIngresses": {
"Type": "ALIYUN::ECS::SecurityGroupIngresses",
"Properties": {
"SecurityGroupId": {
"Ref": "SecurityGroupId"
},
"Permissions": {
"Ref": "Permissions"
}
}
}
}
}