All Products
Search
Document Center

Resource Orchestration Service:ALIYUN::ECS::SecurityGroupEgresses

最終更新日:Jun 05, 2024

ALIYUN::ECS::SecurityGroupEgresses is used to associate multiple outbound rules with a security group at a time.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroupEgresses",
  "Properties": {
    "SecurityGroupId": String,
    "Permissions": List
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

Permissions

List

Yes

Yes

The configurations of the outbound rules that you want to associate with the security group.

You can associate up to 100 outbound rules. For more information, see Permissions properties.

SecurityGroupId

String

Yes

No

The ID of the source security group.

None.

Permissions syntax

"Permissions": [
  {
    "Policy": String,
    "Description": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "Ipv6SourceCidrIp": String,
    "NicType": String,
    "DestGroupId": String,
    "PortRange": String,
    "DestGroupOwnerAccount": String,
    "DestPrefixListId": String,
    "SourceCidrIp": String,
    "DestGroupOwnerId": String,
    "IpProtocol": String,
    "DestCidrIp": String,
    "Ipv6DestCidrIp": String
  }
]

Permissions properties

Property

Type

Required

Editable

Description

Constraint

IpProtocol

String

Yes

No

The transport layer protocol that the rule supports.

Valid values:

  • tcp: supports Transmission Control Protocol (TCP).

  • udp: supports User Datagram Protocol (UDP).

  • icmp: supports Internet Control Message Protocol (ICMP).

  • gre: supports Generic Routing Encapsulation (GRE).

  • all: supports all the preceding protocols.

PortRange

String

Yes

No

The range of port numbers that correspond to the transport layer protocol of the destination security group.

  • Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value.

  • Valid value when IpProtocol is set to icmp: -1/-1.

  • Valid value when IpProtocol is set to gre: -1/-1.

  • Valid value when IpProtocol is set to all: -1/-1.

Description

String

No

No

The description of the rule.

The description must be 1 to 512 characters in length.

DestCidrIp

String

No

No

The destination IP address range.

The IPv4 address range is supported.

DestGroupId

String

No

No

The ID of the destination security group to be referenced in the rule.

You must specify at least one of DestGroupId and DestCidrIp.

If you specify DestGroupId but leave DestCidrIp empty, you must set NicType to intranet.

If you specify both DestGroupId and DestCidrIp, the value of DestCidrIp takes precedence.

DestGroupOwnerAccount

String

No

No

The email address of the Alibaba Cloud account to which the destination security group belongs.

Example: T***@example.com.

DestGroupOwnerId

String

No

No

The ID of the Alibaba Cloud account to which the destination security group belongs when you configure the rule across accounts.

If you leave DestGroupOwnerId empty, the rule is created to control access to another security group within your Alibaba Cloud account. If you specify DestCidrIp, the value of DestGroupOwnerId is ignored.

DestPrefixListId

String

No

No

The ID of the destination prefix list to be referenced in the rule.

You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

If a security group is in the classic network, you cannot reference prefix lists in the security group rule. For more information, see Security group limits.

If you specify one of DestCidrIp, Ipv6DestCidrIp, and DestGroupId, the value of DestPrefixListId is ignored.

Ipv6DestCidrIp

String

No

No

The destination IPv6 CIDR block.

IPv6 addresses are also supported. IP addresses must be of the virtual private cloud (VPC) type.

Ipv6SourceCidrIp

String

No

No

The source IPv6 CIDR block.

IPv6 addresses are also supported. IP addresses must be of the VPC type.

NicType

String

No

No

The type of the network interface controller (NIC).

Valid values:

  • internet (default): public NIC

  • intranet: internal NIC

If you specify DestGroupId but leave DestCidrIp empty to configure mutual access between security groups, you must set NicType to intranet.

Policy

String

No

No

The rule action that determines whether to allow access.

Valid values:

  • accept (default): allows access.

  • drop: denies access.

Priority

Integer

No

No

The priority of the rule.

Valid values: 1 to 100.

Default value: 1.

SourceCidrIp

String

No

No

The source IPv4 address range.

Only the IPv4 address range is supported.

SourcePortRange

String

No

No

The range of port numbers that correspond to the transport layer protocol of the source security group.

  • Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value.

  • Valid value when IpProtocol is set to icmp: -1/-1.

  • Valid value when IpProtocol is set to gre: -1/-1.

  • Valid value when IpProtocol is set to all: -1/-1.

Return values

Fn::GetAtt

None.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupId:
    AssociationPropertyMetadata:
      VpcId: ${VpcId}
    AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
    Type: String
    Description:
      en: Id of the security group.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        Description:
          AssociationProperty: TextArea
          Type: String
          Description:
            en: Description of the security group rule, [1, 512] characters. The default is empty.
          Required: false
          MinLength: 1
          MaxLength: 512
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        Ipv6SourceCidrIp:
          Type: String
          Description:
            en: |-
              Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.
              Note Only VPC type IP addresses are supported.
          Required: false
        NicType:
          Type: String
          Description:
            en: Network type, could be 'internet' or 'intranet'. Default value is internet.
          AllowedValues:
            - internet
            - intranet
          Required: false
        DestGroupId:
          Type: String
          Description:
            en: |-
              The destination security group ID to which access permissions need to be set.
              Set at least one of the DestGroupId, DestCidrIp, Ipv6DestCidrIp, or DestPrefixListId parameters.
              - If DestGroupId is specified without the DestCidrIp parameter, the NicType parameter can only take the value intranet.
              - If both DestGroupId and DestCidrIp are specified, DestCidrIp is assumed to prevail.
              You should pay attention to:
              - Enterprise Security groups do not support authorized security group access.
              - The maximum number of authorized security groups supported by ordinary security groups is 20.
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        DestGroupOwnerAccount:
          Type: String
          Description:
            en: |-
              When setting security group rules across accounts, the Ali cloud account to which the destination security group belongs.
              - If neither DestGroupOwnerAccount nor DestGroupOwnerId is set, it is considered to set access permissions for your other security group.
              - If the parameter DestCidrIp has been set, the parameter DestGroupOwnerAccount is invalid.
          Required: false
        DestPrefixListId:
          Type: String
          Description:
            en: |-
              The ID of the destination prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:
              If a security group is in the classic network, you cannot configure prefix lists in the security group rules. For information about the limits on security groups and prefix lists, see the "Security group limits" in Limits.
              If you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, DestPrefixListId is ignored.
          Required: false
        SourceCidrIp:
          Type: String
          Description:
            en: The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
          Required: false
        DestGroupOwnerId:
          Type: String
          Description:
            en: |-
              When setting security group rules across accounts, the Ali Cloud account ID of the destination security group.
              - If neither DestGroupOwnerId nor DestGroupOwnerAccount is set, it is considered to set the access rights of your other security group.
              - If you have set the parameter DestCidrIp, the parameter DestGroupOwnerId is invalid.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
            - icmpv6
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
          Required: false
        Ipv6DestCidrIp:
          Type: String
          Description:
            en: Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: A list of security group rules. A hundred at most.
    Required: true
    MaxLength: 100
Resources:
  SecurityGroupEgresses:
    Type: ALIYUN::ECS::SecurityGroupEgresses
    Properties:
      SecurityGroupId:
        Ref: SecurityGroupId
      Permissions:
        Ref: Permissions

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupId": {
      "AssociationPropertyMetadata": {
        "VpcId": "${VpcId}"
      },
      "AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId",
      "Type": "String",
      "Description": {
        "en": "Id of the security group."
      },
      "Required": true
    },
    "Permissions": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "Description": {
            "AssociationProperty": "TextArea",
            "Type": "String",
            "Description": {
              "en": "Description of the security group rule, [1, 512] characters. The default is empty."
            },
            "Required": false,
            "MinLength": 1,
            "MaxLength": 512
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "Ipv6SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
            },
            "Required": false
          },
          "NicType": {
            "Type": "String",
            "Description": {
              "en": "Network type, could be 'internet' or 'intranet'. Default value is internet."
            },
            "AllowedValues": [
              "internet",
              "intranet"
            ],
            "Required": false
          },
          "DestGroupId": {
            "Type": "String",
            "Description": {
              "en": "The destination security group ID to which access permissions need to be set.\nSet at least one of the DestGroupId, DestCidrIp, Ipv6DestCidrIp, or DestPrefixListId parameters.\n- If DestGroupId is specified without the DestCidrIp parameter, the NicType parameter can only take the value intranet.\n- If both DestGroupId and DestCidrIp are specified, DestCidrIp is assumed to prevail.\nYou should pay attention to:\n- Enterprise Security groups do not support authorized security group access.\n- The maximum number of authorized security groups supported by ordinary security groups is 20."
            },
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "DestGroupOwnerAccount": {
            "Type": "String",
            "Description": {
              "en": "When setting security group rules across accounts, the Ali cloud account to which the destination security group belongs.\n- If neither DestGroupOwnerAccount nor DestGroupOwnerId is set, it is considered to set access permissions for your other security group.\n- If the parameter DestCidrIp has been set, the parameter DestGroupOwnerAccount is invalid."
            },
            "Required": false
          },
          "DestPrefixListId": {
            "Type": "String",
            "Description": {
              "en": "The ID of the destination prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:\nIf a security group is in the classic network, you cannot configure prefix lists in the security group rules. For information about the limits on security groups and prefix lists, see the \"Security group limits\" in Limits.\nIf you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, DestPrefixListId is ignored."
            },
            "Required": false
          },
          "SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
            },
            "Required": false
          },
          "DestGroupOwnerId": {
            "Type": "String",
            "Description": {
              "en": "When setting security group rules across accounts, the Ali Cloud account ID of the destination security group.\n- If neither DestGroupOwnerId nor DestGroupOwnerAccount is set, it is considered to set the access rights of your other security group.\n- If you have set the parameter DestCidrIp, the parameter DestGroupOwnerId is invalid."
            },
            "Required": false
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all",
              "icmpv6"
            ],
            "Required": true
          },
          "DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
            },
            "Required": false
          },
          "Ipv6DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported."
            },
            "Required": false
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "A list of security group rules. A hundred at most."
      },
      "Required": true,
      "MaxLength": 100
    }
  },
  "Resources": {
    "SecurityGroupEgresses": {
      "Type": "ALIYUN::ECS::SecurityGroupEgresses",
      "Properties": {
        "SecurityGroupId": {
          "Ref": "SecurityGroupId"
        },
        "Permissions": {
          "Ref": "Permissions"
        }
      }
    }
  }
}