ALIYUN::CLOUDFW::ControlPolicy is used to add an access control policy.
Syntax
{
  "Type": "ALIYUN::CLOUDFW::ControlPolicy",
  "Properties": {
    "ApplicationName": String,
    "DestPortType": String,
    "Direction": String,
    "Destination": String,
    "Description": String,
    "Proto": String,
    "AclAction": String,
    "Source": String,
    "SourceType": String,
    "DestinationType": String,
    "NewOrder": Integer,
    "DestPort": String,
    "RegionId": String,
    "DestPortGroup": String
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
AclAction | String | Yes | Yes | The action that Cloud Firewall performs on the traffic. | Valid values: accept, drop, log. |
ApplicationName | String | Yes | Yes | The types of the applications that the access control policy supports. | Valid values: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. ANY indicates that the policy applies to all application types. |
Description | String | Yes | Yes | The description of the access control policy. | None. |
Destination | String | Yes | Yes | The destination address in the access control policy. | The valid value depends on DestinationType: a CIDR block for net, an address book name for group, a domain name for domain, or location codes for location (see Location codes). |
DestinationType | String | Yes | Yes | The type of the destination address in the access control policy. | Valid values: net, group, domain, location. |
Direction | String | Yes | No | The traffic direction to which the access control policy is applied. | Valid values: in, out. |
NewOrder | Integer | Yes | Yes | The priority of the access control policy. | Priority values start from 1. A smaller positive value indicates a higher priority. Important: A value of 1 indicates the highest priority. A value of -1 indicates the lowest priority. |
Proto | String | Yes | Yes | The types of the protocols in the access control policy. | Valid values: ANY, TCP, UDP, ICMP. |
Source | String | Yes | Yes | The source address in the access control policy. | The valid value depends on SourceType: a CIDR block for net, an address book name for group, or location codes for location (see Location codes). |
SourceType | String | Yes | Yes | The type of the source address in the access control policy. | Valid values: net, group, location. |
DestPort | String | No | Yes | The destination port in the access control policy. | You must specify this property when DestPortType is set to port. |
DestPortGroup | String | No | Yes | The name of the destination port address book in the access control policy. | You must specify this property when DestPortType is set to group. |
DestPortType | String | No | Yes | The type of the destination port in the access control policy. | Valid values: port, group. |
RegionId | String | No | No | The region ID. | Valid values: cn-hangzhou, ap-southeast-1. |
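The following pre-deployment check is an added example, not part of the original page or of ROS itself. It lints one ControlPolicy Properties mapping against the Required column, the conditional DestPort/DestPortGroup constraints, and the AllowedValues lists in this page's example template. The function name, the sample policies, and the "any source" review heuristic are assumptions made for illustration.

```python
import ipaddress

# Valid values taken from the AllowedValues lists in this page's example template.
ENUMS = {
    "AclAction": {"accept", "drop", "log"},
    "Direction": {"in", "out"},
    "Proto": {"ANY", "TCP", "UDP", "ICMP"},
    "SourceType": {"net", "group", "location"},
    "DestinationType": {"net", "group", "domain", "location"},
    "DestPortType": {"port", "group"},
}
# Properties marked Required = Yes in the Properties table.
REQUIRED = ("AclAction", "ApplicationName", "Description", "Destination",
            "DestinationType", "Direction", "NewOrder", "Proto", "Source", "SourceType")


def lint_control_policy(props):
    """Return a list of findings for one ControlPolicy Properties mapping."""
    findings = [f"missing required property {p}" for p in REQUIRED if p not in props]
    for name, allowed in ENUMS.items():
        if name in props and props[name] not in allowed:
            findings.append(f"{name}={props[name]!r} is not a valid value")
    # Conditional requirements from the Constraint column.
    for port_type, needed in (("port", "DestPort"), ("group", "DestPortGroup")):
        if props.get("DestPortType") == port_type and not props.get(needed):
            findings.append(f"DestPortType is {port_type} but {needed} is not set")
    # The template parameter declares MinValue: -1 for NewOrder.
    if isinstance(props.get("NewOrder"), int) and props["NewOrder"] < -1:
        findings.append("NewOrder is below -1")
    # A net-typed address has to parse as a CIDR block.
    for addr, kind in (("Source", "SourceType"), ("Destination", "DestinationType")):
        if props.get(kind) == "net" and addr in props:
            try:
                net = ipaddress.ip_network(props[addr], strict=False)
            except ValueError:
                findings.append(f"{addr}={props[addr]!r} is not a CIDR block")
                continue
            # Added review heuristic (not a Cloud Firewall rule): inbound accept from any source.
            if (addr == "Source" and net.prefixlen == 0
                    and props.get("Direction") == "in" and props.get("AclAction") == "accept"):
                findings.append("inbound accept from any source; confirm this is intended")
    return findings


# Constructed sample policies (not from the page).
GOOD = {"AclAction": "drop", "ApplicationName": "SSH", "Description": "block SSH", "NewOrder": 1,
        "Destination": "10.0.0.0/24", "DestinationType": "net", "Direction": "in", "Proto": "TCP",
        "Source": "0.0.0.0/0", "SourceType": "net", "DestPortType": "port", "DestPort": "22"}
BAD = dict(GOOD, AclAction="accept", DestPortType="group")
```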
Location codes
Categories of location codes
Category | Code |
Locations in China | ZD |
Locations outside China | ZB |
Codes of locations in China
Location | Code |
Beijing | BJ11 |
Tianjin | TJ12 |
Hebei | HB13 |
Shanxi | SX14 |
Liaoning | LN21 |
Jilin | JL22 |
Shanghai | SH31 |
Jiangsu | JS32 |
Zhejiang | ZJ33 |
Anhui | AH34 |
Fujian | FJ35 |
Jiangxi | JX36 |
Shandong | SD37 |
Henan | HN41 |
Hubei | HB42 |
Hunan | HN43 |
Guangdong | GD44 |
Hainan | HN46 |
Chongqing | CQ50 |
Sichuan | SC51 |
Guizhou | GZ52 |
Yunnan | YN53 |
Shaanxi | SX61 |
Gansu | GS62 |
Qinghai | QH63 |
Heilongjiang | HLJ23 |
Tibet | XZ54 |
Guangxi | GX45 |
Inner Mongolia | NMG15 |
Ningxia | NX64 |
Xinjiang | XJ65 |
Taiwan (China) | TW |
Hong Kong (China) | HK |
Macao (China) | MO |
Codes of locations outside China
Location | Code |
Asia (except China) | ZC |
Europe | EU |
Africa | AF |
North America | NA |
South America | LA |
Oceania | OA |
Antarctica | AQ |
Return values
Fn::GetAtt
AclUuid: the unique ID of the access control policy.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Resources:
  ControlPolicy:
    Type: ALIYUN::CLOUDFW::ControlPolicy
    Properties:
      ApplicationName:
        Ref: ApplicationName
      DestPortType:
        Ref: DestPortType
      Direction:
        Ref: Direction
      AclAction:
        Ref: AclAction
      Description:
        Ref: Description
      Proto:
        Ref: Proto
      Destination:
        Ref: Destination
      Source:
        Ref: Source
      DestinationType:
        Ref: DestinationType
      NewOrder:
        Ref: NewOrder
      DestPortGroup:
        Ref: DestPortGroup
      DestPort:
        Ref: DestPort
      RegionId:
        Ref: RegionId
      SourceType:
        Ref: SourceType
Parameters:
  ApplicationName:
    Type: String
    Description: 'Application types supported by the security policy. The following
      types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP,
      VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy
      is applied to all types of applications.'
    AllowedValues:
    - ANY
    - HTTP
    - HTTPS
    - MQTT
    - Memcache
    - MongoDB
    - MySQL
    - RDP
    - Redis
    - SMTP
    - SMTPS
    - SSH
    - SSL
    - VNC
  DestPortType:
    Type: String
    Description: 'Security access control policy access destination port traffic type.
      port: Port group: port address book'
    AllowedValues:
    - group
    - port
  Direction:
    Type: String
    Description: 'Security access control traffic direction policies. in: internal
      and external traffic access control. out: within the flow of external access
      control'
    AllowedValues:
    - in
    - out
  AclAction:
    Type: String
    Description: 'Traffic access control policy set by the cloud of a firewall. accept:
      Release. drop: rejected. log: Observation'
    AllowedValues:
    - accept
    - drop
    - log
  Description:
    MinLength: 1
    Type: String
    Description: Security access control policy description information.
  Proto:
    Type: String
    Description: 'The type of security protocol for traffic access in the security
      access control policy. Can be set to ANY when you are not sure of the specific
      protocol type. Allowed values: ANY, TCP, UDP, ICMP'
    AllowedValues:
    - ANY
    - ICMP
    - TCP
    - UDP
  Destination:
    MinLength: 1
    Type: String
    Description: 'Security Access Control destination address policy. When DestinationType
      is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType
      as a group, Destination for the purpose of the address book name. For example:
      db_group. When DestinationType for the domain, Destination for the purpose of
      a domain name. For example:. * example.com. When DestinationType as location,
      Destination area for the purpose (see below position encoding specific regions).
      For example: [ "BJ11", "ZB"]'
  Source:
    MinLength: 1
    Type: String
    Description: 'Security access control source address policy. When SourceType for
      the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType
      as a group, Source name for the source address book. For example: db_group.
      When SourceType as location, Source source region (specific region position
      encoder see below). For example, [ "BJ11", "ZB"]'
  DestinationType:
    Type: String
    Description: 'Security Access Control destination address type of policy. net:
      Destination network segment (CIDR). group: destination address book. domain:
      The purpose domain. location: The purpose area'
    AllowedValues:
    - domain
    - group
    - location
    - net
  NewOrder:
    Type: Number
    Description: Security access control priority policy in force. Priority number
      increments sequentially from 1, lower the priority number, the higher the priority.
      Description -1 indicates the lowest priority.
    MinValue: -1
  DestPortGroup:
    Type: String
    Description: Security access control policy access traffic destination port address
      book name. Description DestPortType is group, set the item.
  DestPort:
    Type: String
    Description: Security access control policy access traffic destination port. Note
      When DestPortType to port, set the item.
  RegionId:
    Default: cn-hangzhou
    Type: String
    Description: Region ID. Default to cn-hangzhou.
    AllowedValues:
    - cn-hangzhou
    - ap-southeast-1
  SourceType:
    Type: String
    Description: 'Security access control source address type of policy. net: Source
      segment (CIDR). group: source address book. location: the source area'
    AllowedValues:
    - group
    - location
    - net
Outputs:
  AclUuid:
    Description: Security access control ID that uniquely identifies the policy.
    Value:
      Fn::GetAtt:
      - ControlPolicy
      - AclUuid
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "ControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::ControlPolicy",
      "Properties": {
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Direction": {
          "Ref": "Direction"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Description": {
          "Ref": "Description"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "Destination": {
          "Ref": "Destination"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "SourceType": {
          "Ref": "SourceType"
        }
      }
    }
  },
  "Parameters": {
    "ApplicationName": {
      "Type": "String",
      "Description": "Application types supported by the security policy. The following types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy is applied to all types of applications.",
      "AllowedValues": [
        "ANY",
        "HTTP",
        "HTTPS",
        "MQTT",
        "Memcache",
        "MongoDB",
        "MySQL",
        "RDP",
        "Redis",
        "SMTP",
        "SMTPS",
        "SSH",
        "SSL",
        "VNC"
      ]
    },
    "DestPortType": {
      "Type": "String",
      "Description": "Security access control policy access destination port traffic type. port: Port group: port address book",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Direction": {
      "Type": "String",
      "Description": "Security access control traffic direction policies. in: internal and external traffic access control. out: within the flow of external access control",
      "AllowedValues": [
        "in",
        "out"
      ]
    },
    "AclAction": {
      "Type": "String",
      "Description": "Traffic access control policy set by the cloud of a firewall. accept: Release. drop: rejected. log: Observation",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Description": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security access control policy description information."
    },
    "Proto": {
      "Type": "String",
      "Description": "The type of security protocol for traffic access in the security access control policy. Can be set to ANY when you are not sure of the specific protocol type. Allowed values: ANY, TCP, UDP, ICMP",
      "AllowedValues": [
        "ANY",
        "ICMP",
        "TCP",
        "UDP"
      ]
    },
    "Destination": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security Access Control destination address policy. When DestinationType is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType as a group, Destination for the purpose of the address book name. For example: db_group. When DestinationType for the domain, Destination for the purpose of a domain name. For example:. * example.com. When DestinationType as location, Destination area for the purpose (see below position encoding specific regions). For example: [ \"BJ11\", \"ZB\"]"
    },
    "Source": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security access control source address policy. When SourceType for the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType as a group, Source name for the source address book. For example: db_group. When SourceType as location, Source source region (specific region position encoder see below). For example, [ \"BJ11\", \"ZB\"]"
    },
    "DestinationType": {
      "Type": "String",
      "Description": "Security Access Control destination address type of policy. net: Destination network segment (CIDR). group: destination address book. domain: The purpose domain. location: The purpose area",
      "AllowedValues": [
        "domain",
        "group",
        "location",
        "net"
      ]
    },
    "NewOrder": {
      "Type": "Number",
      "Description": "Security access control priority policy in force. Priority number increments sequentially from 1, lower the priority number, the higher the priority. Description -1 indicates the lowest priority.",
      "MinValue": -1
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "Security access control policy access traffic destination port address book name. Description DestPortType is group, set the item."
    },
    "DestPort": {
      "Type": "String",
      "Description": "Security access control policy access traffic destination port. Note When DestPortType to port, set the item."
    },
    "RegionId": {
      "Default": "cn-hangzhou",
      "Type": "String",
      "Description": "Region ID. Default to cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ]
    },
    "SourceType": {
      "Type": "String",
      "Description": "Security access control source address type of policy. net: Source segment (CIDR). group: source address book. location: the source area",
      "AllowedValues": [
        "group",
        "location",
        "net"
      ]
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "Security access control ID that uniquely identifies the policy.",
      "Value": {
        "Fn::GetAtt": [
          "ControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}