ALIYUN::ECS::SecurityGroupEgress is used to create an outbound access rule for a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroupEgress",
  "Properties": {
    "SecurityGroupId": String,
    "IpProtocol": String,
    "PortRange": String,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "Priority": String,
    "NicType": String,
    "DestPrefixListId": String,
    "Ipv6DestCidrIp": String,
    "Description": String,
    "DestGroupOwnerId": String
  }
}

Properties

Property (Type; Required; Editable): description and constraints

IpProtocol (String; Required: Yes; Editable: No)
  The transport layer protocol. Valid values:
    • tcp
    • udp
    • icmp
    • gre
    • all: all of the preceding protocols

PortRange (String; Required: Yes; Editable: No)
  The range of ports that you want to configure for the transport layer protocol in the destination security group. Valid values:
    • If you set IpProtocol to tcp or udp: 1 to 65535. Separate the start port number and the end port number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
    • If you set IpProtocol to icmp: -1/-1.
    • If you set IpProtocol to gre: -1/-1.
    • If you set IpProtocol to all: -1/-1.
  For more information about the scenarios of ports, see Typical applications of commonly used ports.

SecurityGroupId (String; Required: No; Editable: No)
  The ID of the source security group.

DestPrefixListId (String; Required: No; Editable: No)
  The ID of the destination prefix list on which you want to grant outbound access permissions. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.
  If a security group is in the classic network, you cannot configure prefix lists in the security group rule. For more information, see the "Security group limits" section in Limits.
  If you specify the DestCidrIp, Ipv6DestCidrIp, or DestGroupId property, the system ignores the value of the DestPrefixListId property.

NicType (String; Required: No; Editable: No)
  The type of the network interface controller (NIC). Default value: internet. Valid values:
    • internet: public NIC
    • intranet: internal NIC
  If you specify the DestGroupId property but leave the DestCidrIp property empty, you must set the NicType property to intranet.

Priority (Integer; Required: No; Editable: No)
  The priority of the security group rule. Valid values: 1 to 100. Default value: 1.

DestGroupId (String; Required: No; Editable: No)
  The ID of the destination security group on which you want to grant outbound access permissions. You must specify at least one of the DestGroupId and DestCidrIp properties.
  If you specify the DestGroupId property but leave the DestCidrIp property empty, you must set the NicType property to intranet.
  If you specify both the DestGroupId and DestCidrIp properties, the value of the DestCidrIp property is used.

DestCidrIp (String; Required: No; Editable: No)
  The destination CIDR block. Only IPv4 CIDR blocks are supported.

Policy (String; Required: No; Editable: No)
  The action of the rule, which determines whether outbound access is accepted. Default value: accept. Valid values:
    • accept
    • drop

Description (String; Required: No; Editable: Yes)
  The description of the security group rule. The description must be 1 to 512 characters in length.

DestGroupOwnerId (String; Required: No; Editable: No)
  The ID of the Alibaba Cloud account that manages the destination security group when you configure a security group rule across accounts. If you leave this property empty, the outbound access permissions are granted on other security groups within your own account. If you specify the DestCidrIp property, the system ignores the value of the DestGroupOwnerId property.

Ipv6DestCidrIp (String; Required: No; Editable: No)
  The destination IPv6 CIDR block. Both CIDR blocks and single IPv6 addresses are supported. You can specify only IP addresses of the virtual private cloud (VPC) type.
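The constraints above interact in ways that are easy to get wrong in a template (a reversed tcp port range, DestGroupId without NicType set to intranet, a prefix list that is silently ignored because DestCidrIp is also set). As an added example that is not Alibaba Cloud's own code, the following Python linter applies those documented rules to every SecurityGroupEgress resource of a ROS template loaded as a dict, reports errors separately from precedence warnings, and additionally flags an accept rule for all protocols to 0.0.0.0/0 for review. The template it runs on is constructed for this example and its sg-... IDs are placeholders.

```python
"""Lint ALIYUN::ECS::SecurityGroupEgress resources in a ROS template held as a dict.
Added example, not Alibaba Cloud's own code; the checks follow the documented
property constraints. The sample template below is constructed; its IDs are placeholders.
"""
import ipaddress
import re

RESOURCE_TYPE = "ALIYUN::ECS::SecurityGroupEgress"
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}
DEST_KEYS = ("DestGroupId", "DestCidrIp", "Ipv6DestCidrIp", "DestPrefixListId")


def check_port_range(protocol, port_range):
    """Problems with PortRange for the given IpProtocol (empty list if valid)."""
    m = re.fullmatch(r"(-?\d+)/(-?\d+)", str(port_range))
    if not m:
        return [f"PortRange {port_range!r} must use the form 'start/end'"]
    start, end = int(m.group(1)), int(m.group(2))
    if protocol in ("tcp", "udp"):
        if not (1 <= start <= 65535 and 1 <= end <= 65535):
            return [f"PortRange {port_range!r}: tcp/udp ports must be 1 to 65535"]
        if start > end:
            return [f"PortRange {port_range!r}: start port exceeds end port"]
    elif (start, end) != (-1, -1):  # icmp, gre and all take exactly -1/-1
        return [f"PortRange for {protocol} must be '-1/-1'"]
    return []


def lint_rule(props):
    """Return (errors, warnings) for one resource's Properties dict."""
    errors, warnings = [], []
    protocol = props.get("IpProtocol")
    if protocol not in PROTOCOLS:
        errors.append(f"IpProtocol must be one of {sorted(PROTOCOLS)}")
    if "PortRange" not in props:
        errors.append("PortRange is required")
    elif protocol in PROTOCOLS:
        errors.extend(check_port_range(protocol, props["PortRange"]))
    policy = props.get("Policy", "accept")
    if policy not in ("accept", "drop"):
        errors.append("Policy must be 'accept' or 'drop'")
    try:
        priority = int(props.get("Priority", 1))  # accept int or numeric string
    except (TypeError, ValueError):
        priority = 0
    if not 1 <= priority <= 100:
        errors.append("Priority must be an integer from 1 to 100")
    if "Description" in props and not 1 <= len(props["Description"]) <= 512:
        errors.append("Description must be 1 to 512 characters")
    nic_type = props.get("NicType", "internet")
    if nic_type not in ("internet", "intranet"):
        errors.append("NicType must be 'internet' or 'intranet'")
    # Destination selectors: syntax, precedence rules and the NicType coupling.
    given = {k for k in DEST_KEYS if props.get(k)}
    if not given:
        errors.append("specify at least one of DestGroupId and DestCidrIp")
    for key, net_cls in (("DestCidrIp", ipaddress.IPv4Network),
                         ("Ipv6DestCidrIp", ipaddress.IPv6Network)):
        if key in given:
            try:
                net_cls(props[key], strict=False)  # a bare address becomes a /32 or /128
            except ValueError:
                errors.append(f"{key} {props[key]!r} is not a valid CIDR block")
    if "DestGroupId" in given and "DestCidrIp" not in given and nic_type != "intranet":
        errors.append("NicType must be 'intranet' when DestGroupId is set without DestCidrIp")
    if {"DestGroupId", "DestCidrIp"} <= given:
        warnings.append("both DestGroupId and DestCidrIp are set: only DestCidrIp is used")
    if "DestPrefixListId" in given and given & {"DestCidrIp", "Ipv6DestCidrIp", "DestGroupId"}:
        warnings.append("DestPrefixListId is ignored because another destination is set")
    if props.get("DestGroupOwnerId") and "DestCidrIp" in given:
        warnings.append("DestGroupOwnerId is ignored because DestCidrIp is set")
    # Review hint: an accept rule for every protocol to the whole Internet.
    if policy == "accept" and protocol == "all" and props.get("DestCidrIp") == "0.0.0.0/0":
        warnings.append("unrestricted egress: all protocols to 0.0.0.0/0 are accepted")
    return errors, warnings


def lint_template(template):
    """Map each SecurityGroupEgress resource name to its (errors, warnings)."""
    return {name: lint_rule(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == RESOURCE_TYPE}


# Constructed sample template; the sg-... values are placeholders, not real IDs.
SAMPLE_TEMPLATE = {"ROSTemplateFormatVersion": "2015-09-01", "Resources": {
    "HttpsToMirror": {"Type": RESOURCE_TYPE, "Properties": {  # tight: one port, one /24
        "SecurityGroupId": "sg-PLACEHOLDER", "IpProtocol": "tcp", "PortRange": "443/443",
        "DestCidrIp": "203.0.113.0/24", "Policy": "accept", "Priority": 1}},
    "AllowEverything": {"Type": RESOURCE_TYPE, "Properties": {  # flagged for review
        "SecurityGroupId": "sg-PLACEHOLDER", "IpProtocol": "all", "PortRange": "-1/-1",
        "DestCidrIp": "0.0.0.0/0"}},
    "ToPeerGroup": {"Type": RESOURCE_TYPE, "Properties": {  # reversed ports, NicType default
        "SecurityGroupId": "sg-PLACEHOLDER", "IpProtocol": "tcp", "PortRange": "200/1",
        "DestGroupId": "sg-PEER-PLACEHOLDER"}}}}

if __name__ == "__main__":
    for name, (errs, warns) in lint_template(SAMPLE_TEMPLATE).items():
        print(f"{name}: errors={errs} warnings={warns}")
```

Errors are conditions the service documents as invalid; warnings are rules the service would accept but that a reviewer should see, because a property is being silently ignored or the rule is far broader than an egress rule usually needs to be. To lint a real template, load the YAML or JSON file into a dict (for example with json.load) and pass it to lint_template.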

Return values

Fn::GetAtt

None.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      Policy:
        Type: String
        Description: >-
          Authorization policies, parameter values can be: accept (accepted access),
          drop (denied access). Default value is accept.
        AllowedValues:
          - accept
          - drop
      PortRange:
        Type: String
        Description: >-
          Ip protocol relative port range. For tcp and udp, the port range is
          [1,65535], using format '1/200'. For icmp|gre|all protocols, the port
          range should be '-1/-1'.
      Description:
        Type: String
        Description: >-
          Description of the security group rule, [1, 512] characters. The default
          is empty.
        MinLength: 1
        MaxLength: 512
      Priority:
        Type: Number
        Description: 'Authorization policies priority range[1, 100]'
        MinValue: 1
        MaxValue: 100
        Default: 1
      SecurityGroupId:
        Type: String
        Description: Id of the security group.
      DestGroupOwnerId:
        Type: String
        Description: Dest Group Owner Account ID
      IpProtocol:
        Type: String
        Description: Ip protocol for the rule.
        AllowedValues:
          - tcp
          - udp
          - icmp
          - gre
          - all
      DestCidrIp:
        Type: String
        Description: Dest CIDR Ip Address range. Only IPV4 supported.
      NicType:
        Type: String
        Description: >-
          Network type, could be 'internet' or 'intranet'. Default value is
          internet.
        AllowedValues:
          - internet
          - intranet
      Ipv6DestCidrIp:
        Type: String
        Description: >-
          Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR
          format and IPv6 format.
    
          Note Only VPC type IP addresses are supported.
      DestGroupId:
        Type: String
        Description: Dest Group Id
    Resources:
      SecurityGroupEgress:
        Type: 'ALIYUN::ECS::SecurityGroupEgress'
        Properties:
          Policy:
            Ref: Policy
          PortRange:
            Ref: PortRange
          Description:
            Ref: Description
          Priority:
            Ref: Priority
          SecurityGroupId:
            Ref: SecurityGroupId
          DestGroupOwnerId:
            Ref: DestGroupOwnerId
          IpProtocol:
            Ref: IpProtocol
          DestCidrIp:
            Ref: DestCidrIp
          NicType:
            Ref: NicType
          Ipv6DestCidrIp:
            Ref: Ipv6DestCidrIp
          DestGroupId:
            Ref: DestGroupId
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "Policy": {
          "Type": "String",
          "Description": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.",
          "AllowedValues": [
            "accept",
            "drop"
          ]
        },
        "PortRange": {
          "Type": "String",
          "Description": "Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocols, the port range should be '-1/-1'."
        },
        "Description": {
          "Type": "String",
          "Description": "Description of the security group rule, [1, 512] characters. The default is empty.",
          "MinLength": 1,
          "MaxLength": 512
        },
        "Priority": {
          "Type": "Number",
          "Description": "Authorization policies priority range[1, 100]",
          "MinValue": 1,
          "MaxValue": 100,
          "Default": 1
        },
        "SecurityGroupId": {
          "Type": "String",
          "Description": "Id of the security group."
        },
        "DestGroupOwnerId": {
          "Type": "String",
          "Description": "Dest Group Owner Account ID"
        },
        "IpProtocol": {
          "Type": "String",
          "Description": "Ip protocol for the rule.",
          "AllowedValues": [
            "tcp",
            "udp",
            "icmp",
            "gre",
            "all"
          ]
        },
        "DestCidrIp": {
          "Type": "String",
          "Description": "Dest CIDR Ip Address range. Only IPV4 supported."
        },
        "NicType": {
          "Type": "String",
          "Description": "Network type, could be 'internet' or 'intranet'. Default value is internet.",
          "AllowedValues": [
            "internet",
            "intranet"
          ]
        },
        "Ipv6DestCidrIp": {
          "Type": "String",
          "Description": "Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
        },
        "DestGroupId": {
          "Type": "String",
          "Description": "Dest Group Id"
        }
      },
      "Resources": {
        "SecurityGroupEgress": {
          "Type": "ALIYUN::ECS::SecurityGroupEgress",
          "Properties": {
            "Policy": {
              "Ref": "Policy"
            },
            "PortRange": {
              "Ref": "PortRange"
            },
            "Description": {
              "Ref": "Description"
            },
            "Priority": {
              "Ref": "Priority"
            },
            "SecurityGroupId": {
              "Ref": "SecurityGroupId"
            },
            "DestGroupOwnerId": {
              "Ref": "DestGroupOwnerId"
            },
            "IpProtocol": {
              "Ref": "IpProtocol"
            },
            "DestCidrIp": {
              "Ref": "DestCidrIp"
            },
            "NicType": {
              "Ref": "NicType"
            },
            "Ipv6DestCidrIp": {
              "Ref": "Ipv6DestCidrIp"
            },
            "DestGroupId": {
              "Ref": "DestGroupId"
            }
          }
        }
      }
    }