Resource Orchestration Service:ALIYUN::ENS::SecurityGroup

Last Updated: May 29, 2024

ALIYUN::ENS::SecurityGroup is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ENS::SecurityGroup",
  "Properties": {
    "Description": String,
    "SecurityGroupName": String,
    "SecurityGroupIngress": List,
    "SecurityGroupEgress": List
  }
}

Properties

Description
  Type: String | Required: No | Editable: Yes
  The description.
  Constraint: The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://.

SecurityGroupEgress
  Type: List | Required: No | Editable: Yes
  The outbound rule configurations of the security group.
  Constraint: For more information, see SecurityGroupEgress properties.

SecurityGroupIngress
  Type: List | Required: No | Editable: Yes
  The inbound rule configurations of the security group.
  Constraint: For more information, see SecurityGroupIngress properties.

SecurityGroupName
  Type: String | Required: No | Editable: Yes
  The name of the security group.
  Constraint: The name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. The name can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this property is empty.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "SourceCidrIp": String,
    "IpProtocol": String
  }
]

SecurityGroupIngress properties

IpProtocol
  Type: String | Required: Yes | Editable: No
  The transport layer protocol that the security group rule supports.
  Constraint: The value of this property is case-sensitive. Valid values:
  • tcp: supports Transmission Control Protocol (TCP).
  • udp: supports User Datagram Protocol (UDP).
  • icmp: supports Internet Control Message Protocol (ICMP).
  • gre: supports Generic Routing Encapsulation (GRE).
  • all: supports all protocols.

PortRange
  Type: String | Required: Yes | Editable: No
  The range of port numbers that correspond to the transport layer protocol of the security group.
  Constraint:
  • Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value.
  • Valid value when IpProtocol is set to icmp: -1/-1.
  • Valid value when IpProtocol is set to gre: -1/-1.
  • Valid value when IpProtocol is set to all: -1/-1.

Policy
  Type: String | Required: No | Editable: No
  The action that determines whether to allow access.
  Constraint: Valid values:
  • accept (default): allows access.
  • drop: denies access and does not return responses.

Priority
  Type: Integer | Required: No | Editable: No
  The priority of the security group rule.
  Constraint: Valid values: 1 to 100. Default value: 1.

SourceCidrIp
  Type: String | Required: No | Editable: No
  The source IP address range.
  Constraint: IPv4 CIDR blocks and IPv4 addresses are supported.

SourcePortRange
  Type: String | Required: No | Editable: No
  The range of port numbers that correspond to the transport layer protocol of the source security group.
  Constraint:
  • Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value.
  • Valid value when IpProtocol is set to icmp: -1/-1.
  • Valid value when IpProtocol is set to gre: -1/-1.
  • Valid value when IpProtocol is set to all: -1/-1.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "IpProtocol": String,
    "DestCidrIp": String
  }
]

SecurityGroupEgress properties

IpProtocol
  Type: String | Required: Yes | Editable: No
  The transport layer protocol that the security group rule supports.
  Constraint: The value of this property is case-sensitive. Valid values:
  • tcp: supports TCP.
  • udp: supports UDP.
  • icmp: supports ICMP.
  • gre: supports GRE.
  • all: supports all protocols.

PortRange
  Type: String | Required: Yes | Editable: No
  The range of port numbers that correspond to the transport layer protocol of the security group.
  Constraint:
  • Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value.
  • Valid value when IpProtocol is set to icmp: -1/-1.
  • Valid value when IpProtocol is set to gre: -1/-1.
  • Valid value when IpProtocol is set to all: -1/-1.

DestCidrIp
  Type: String | Required: No | Editable: No
  The destination IP address range.
  Constraint: IPv4 CIDR blocks and IPv4 addresses are supported.

Policy
  Type: String | Required: No | Editable: No
  The action that determines whether to allow access.
  Constraint: Valid values:
  • accept (default): allows access.
  • drop: denies access and does not return responses.

Priority
  Type: Integer | Required: No | Editable: No
  The priority of the security group rule.
  Constraint: Valid values: 1 to 100. Default value: 1.

SourcePortRange
  Type: String | Required: No | Editable: No
  The range of port numbers that correspond to the transport layer protocol of the source security group.
  Constraint:
  • Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value.
  • Valid value when IpProtocol is set to icmp: -1/-1.
  • Valid value when IpProtocol is set to gre: -1/-1.
  • Valid value when IpProtocol is set to all: -1/-1.
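The constraints in the SecurityGroupIngress and SecurityGroupEgress property tables (case-sensitive IpProtocol, the X/Y port-range format with its per-protocol rules, accept/drop Policy, Priority 1 to 100, IPv4-only CIDR fields) can be checked before a template is deployed. The following linter is an added example, not code from the ROS documentation or from Alibaba Cloud; the function names (`check_port_range`, `check_rule`, `is_wide_open`, `lint_security_group`), the `1/65535` "whole range" heuristic, and the sample rule values are assumptions constructed for this example. Beyond the constraints the tables state, it warns about an accept rule that admits every IPv4 address on every port, which the syntax allows but which usually deserves a review.

```python
# Added example (not part of the ROS documentation): a pre-deployment linter
# for the SecurityGroupIngress / SecurityGroupEgress lists of an
# ALIYUN::ENS::SecurityGroup resource. It applies the constraints stated in the
# property tables and additionally flags rules that are valid but overly
# permissive. Function names and all rule values are constructed samples.
import ipaddress
import re

VALID_PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}   # case-sensitive
VALID_POLICIES = {"accept", "drop"}
PORT_RANGE_RE = re.compile(r"^(-?\d+)/(-?\d+)$")          # X/Y


def check_port_range(value, protocol):
    """Return None if value is a valid X/Y range for protocol, else an error string."""
    match = PORT_RANGE_RE.match(str(value)) if value is not None else None
    if not match:
        return f"{value!r} must use the X/Y format"
    start, end = int(match.group(1)), int(match.group(2))
    if protocol in ("tcp", "udp"):
        if not (1 <= start <= 65535 and 1 <= end <= 65535):
            return f"{value!r}: X and Y must be 1 to 65535"
        if start > end:
            return f"{value!r}: start port is greater than end port (200/1 is invalid)"
        return None
    # icmp, gre and all accept only the placeholder -1/-1
    if (start, end) != (-1, -1):
        return f"{value!r}: {protocol} requires -1/-1"
    return None


def check_rule(rule, direction):
    """Validate one rule dict; direction is 'ingress' or 'egress'. Returns a list of errors."""
    errors = []
    proto = rule.get("IpProtocol")
    if proto not in VALID_PROTOCOLS:
        return [f"IpProtocol {proto!r} is not one of {sorted(VALID_PROTOCOLS)}"]
    if "PortRange" not in rule:
        errors.append("PortRange is required")
    else:
        err = check_port_range(rule["PortRange"], proto)
        if err:
            errors.append("PortRange " + err)
    if "SourcePortRange" in rule:   # optional, same format rules as PortRange
        err = check_port_range(rule["SourcePortRange"], proto)
        if err:
            errors.append("SourcePortRange " + err)
    if rule.get("Policy", "accept") not in VALID_POLICIES:
        errors.append(f"Policy {rule['Policy']!r} must be accept or drop")
    priority = rule.get("Priority", 1)
    if not isinstance(priority, int) or isinstance(priority, bool) or not 1 <= priority <= 100:
        errors.append(f"Priority {priority!r} must be an integer from 1 to 100")
    cidr_key = "SourceCidrIp" if direction == "ingress" else "DestCidrIp"
    cidr = rule.get(cidr_key)
    if cidr is not None:
        try:
            if ipaddress.ip_network(cidr, strict=False).version != 4:
                errors.append(f"{cidr_key} {cidr!r}: only IPv4 is supported")
        except ValueError:
            errors.append(f"{cidr_key} {cidr!r} is not a valid IPv4 address or CIDR block")
    return errors


def is_wide_open(rule, direction):
    """True for an accept rule that admits any IPv4 address on all ports (valid, but review it)."""
    if rule.get("Policy", "accept") != "accept":
        return False
    cidr_key = "SourceCidrIp" if direction == "ingress" else "DestCidrIp"
    if rule.get(cidr_key) != "0.0.0.0/0":
        return False
    proto = rule.get("IpProtocol")
    return proto == "all" or (proto in ("tcp", "udp") and rule.get("PortRange") == "1/65535")


def lint_security_group(properties):
    """Lint the Properties of an ALIYUN::ENS::SecurityGroup; returns (errors, warnings)."""
    errors, warnings = [], []
    for direction, key in (("ingress", "SecurityGroupIngress"), ("egress", "SecurityGroupEgress")):
        for index, rule in enumerate(properties.get(key, [])):
            for err in check_rule(rule, direction):
                errors.append(f"{key}[{index}]: {err}")
            if is_wide_open(rule, direction):
                warnings.append(f"{key}[{index}]: accepts all {direction} traffic for 0.0.0.0/0")
    return errors, warnings


# Constructed sample: the Properties block of one resource, as a Python dict.
SAMPLE_PROPERTIES = {
    "SecurityGroupName": "ens-web-sg",
    "SecurityGroupIngress": [
        {"IpProtocol": "tcp", "PortRange": "443/443", "SourceCidrIp": "203.0.113.0/24",
         "Policy": "accept", "Priority": 1},                                          # valid
        {"IpProtocol": "udp", "PortRange": "200/1", "SourceCidrIp": "203.0.113.9"},   # bad range
        {"IpProtocol": "all", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},     # wide open
        {"IpProtocol": "TCP", "PortRange": "22/22"},                                  # wrong case
    ],
    "SecurityGroupEgress": [
        {"IpProtocol": "icmp", "PortRange": "-1/-1", "DestCidrIp": "2001:db8::/32", "Priority": 101},
    ],
}

if __name__ == "__main__":
    found_errors, found_warnings = lint_security_group(SAMPLE_PROPERTIES)
    for line in found_errors:
        print("ERROR  ", line)
    for line in found_warnings:
        print("WARNING", line)
```

Run the file directly to print the findings for the constructed sample: four errors (the reversed udp range, the upper-case protocol name, the out-of-range Priority and the IPv6 destination) and one warning for the ingress rule that accepts all protocols from 0.0.0.0/0. To lint a real template, parse its YAML or JSON, collect the rule lists that end up in the resource's Properties, and pass that dict to `lint_security_group`.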

Return values

Fn::GetAtt

SecurityGroupId: the ID of the security group.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupName:
    Type: String
    Description:
      en: The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty.
    Required: false
  SecurityGroupIngress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range should be '-1/-1'.
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        SourceCidrIp:
          Type: String
          Description:
            en: Source CIDR Ip Address range.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: Ingress rules for the security group.
    Required: false
  SecurityGroupEgress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range should be '-1/-1'.
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: Dest CIDR Ip Address range.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: egress rules for the security group.
    Required: false
Resources:
  SecurityGroup:
    Type: ALIYUN::ENS::SecurityGroup
    Properties:
      SecurityGroupName:
        Ref: SecurityGroupName
      SecurityGroupIngress:
        Ref: SecurityGroupIngress
      SecurityGroupEgress:
        Ref: SecurityGroupEgress
Outputs:
  SecurityGroupId:
    Description: The ID of the security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupName": {
      "Type": "String",
      "Description": {
        "en": "The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty."
      },
      "Required": false
    },
    "SecurityGroupIngress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range should be '-1/-1'."
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Source CIDR Ip Address range."
            },
            "Required": false
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "Ingress rules for the security group."
      },
      "Required": false
    },
    "SecurityGroupEgress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range should be '-1/-1'."
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          },
          "DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Dest CIDR Ip Address range."
            },
            "Required": false
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "egress rules for the security group."
      },
      "Required": false
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ENS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": {
          "Ref": "SecurityGroupIngress"
        },
        "SecurityGroupEgress": {
          "Ref": "SecurityGroupEgress"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "The ID of the security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    }
  }
}