ALIYUN::ENS::SecurityGroup is used to create a security group.
Syntax
{
  "Type": "ALIYUN::ENS::SecurityGroup",
  "Properties": {
    "Description": String,
    "SecurityGroupName": String,
    "SecurityGroupIngress": List,
    "SecurityGroupEgress": List
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
Description | String | No | Yes | The description of the security group. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://. |
SecurityGroupEgress | List | No | Yes | The outbound rule configurations of the security group. | For more information, see SecurityGroupEgress properties. |
SecurityGroupIngress | List | No | Yes | The inbound rule configurations of the security group. | For more information, see SecurityGroupIngress properties. |
SecurityGroupName | String | No | Yes | The name of the security group. | The name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). |
SecurityGroupIngress syntax
"SecurityGroupIngress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "SourceCidrIp": String,
    "IpProtocol": String
  }
]
SecurityGroupIngress properties
Property | Type | Required | Editable | Description | Constraint |
IpProtocol | String | Yes | No | The transport layer protocol that the security group rule supports. | The value of this property is case-sensitive. Valid values: tcp, udp, icmp, gre, and all. |
PortRange | String | Yes | No | The range of port numbers that correspond to the transport layer protocol of the security group. | Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1. |
Policy | String | No | No | The action that determines whether to allow access. | Valid values: accept (allows access) and drop (denies access). Default value: accept. |
Priority | Integer | No | No | The priority of the security group rule. | Valid values: 1 to 100. Default value: 1. |
SourceCidrIp | String | No | No | The source IP address range. | IPv4 CIDR blocks and IPv4 addresses are supported. |
SourcePortRange | String | No | No | The range of port numbers that correspond to the transport layer protocol of the source security group. | Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1. |
SecurityGroupEgress syntax
"SecurityGroupEgress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "IpProtocol": String,
    "DestCidrIp": String
  }
]
SecurityGroupEgress properties
Property | Type | Required | Editable | Description | Constraint |
IpProtocol | String | Yes | No | The transport layer protocol that the security group rule supports. | The value of this property is case-sensitive. Valid values: tcp, udp, icmp, gre, and all. |
PortRange | String | Yes | No | The range of port numbers that correspond to the transport layer protocol of the security group. | Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1. |
DestCidrIp | String | No | No | The destination IP address range. | IPv4 CIDR blocks and IPv4 addresses are supported. |
Policy | String | No | No | The action that determines whether to allow access. | Valid values: accept (allows access) and drop (denies access). Default value: accept. |
Priority | Integer | No | No | The priority of the security group rule. | Valid values: 1 to 100. Default value: 1. |
SourcePortRange | String | No | No | The range of port numbers that correspond to the transport layer protocol of the source security group. | Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1. |
Return values
Fn::GetAtt
SecurityGroupId: the ID of the security group.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupName:
    Type: String
    Description:
      en: The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty.
    Required: false
  SecurityGroupIngress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        SourceCidrIp:
          Type: String
          Description:
            en: Source CIDR Ip Address range.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: Ingress rules for the security group.
    Required: false
  SecurityGroupEgress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: Dest CIDR Ip Address range.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: egress rules for the security group.
    Required: false
Resources:
  SecurityGroup:
    Type: ALIYUN::ENS::SecurityGroup
    Properties:
      SecurityGroupName:
        Ref: SecurityGroupName
      SecurityGroupIngress:
        Ref: SecurityGroupIngress
      SecurityGroupEgress:
        Ref: SecurityGroupEgress
Outputs:
  SecurityGroupId:
    Description: The ID of the security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupId
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupName": {
      "Type": "String",
      "Description": {
        "en": "The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty."
      },
      "Required": false
    },
    "SecurityGroupIngress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Source CIDR Ip Address range."
            },
            "Required": false
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "Ingress rules for the security group."
      },
      "Required": false
    },
    "SecurityGroupEgress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          },
          "DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Dest CIDR Ip Address range."
            },
            "Required": false
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "egress rules for the security group."
      },
      "Required": false
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ENS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": {
          "Ref": "SecurityGroupIngress"
        },
        "SecurityGroupEgress": {
          "Ref": "SecurityGroupEgress"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "The ID of the security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    }
  }
}
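As an added example (not part of the ROS documentation or of the ENS service itself), the following Python checks a list of inline SecurityGroupIngress or SecurityGroupEgress rules, shaped like the rule syntax above, against the constraints in the property tables: case-sensitive IpProtocol, start/end port ranges, Policy, Priority and IPv4 CIDR values. It assumes rules are plain dicts (as they would be after the template's Json parameter is resolved) and adds one hygiene finding, flagging an accept rule whose source is 0.0.0.0/0, that is not a constraint stated on the page; the sample rules are constructed.

```python
import ipaddress
import re
# Valid values and limits as stated in the property tables above.
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}  # case-sensitive
POLICIES = {"accept", "drop"}
RANGE_RE = re.compile(r"^(-?\d+)/(-?\d+)$")

def check_port_range(proto, value):
    """Return an error string for a bad PortRange/SourcePortRange, or None."""
    m = RANGE_RE.match(str(value))
    if not m:
        return f"{value!r} is not of the form start/end"
    start, end = int(m.group(1)), int(m.group(2))
    # tcp/udp: 1 <= start <= end <= 65535 (so '200/1' is rejected); others: exactly -1/-1
    ok = 1 <= start <= end <= 65535 if proto in ("tcp", "udp") else (start, end) == (-1, -1)
    return None if ok else f"{value!r} is not a valid port range for {proto}"

def check_rule(rule, direction):
    """Validate one ingress/egress rule dict; returns a list of findings."""
    findings = []
    proto = rule.get("IpProtocol")
    if proto not in PROTOCOLS:
        findings.append(f"IpProtocol {proto!r} is not one of {sorted(PROTOCOLS)}")
    else:  # PortRange is required; SourcePortRange is checked only when present
        for key in [k for k in ("PortRange", "SourcePortRange") if k == "PortRange" or k in rule]:
            if err := check_port_range(proto, rule.get(key)):
                findings.append(f"{key}: {err}")
    policy = rule.get("Policy", "accept")
    if policy not in POLICIES:
        findings.append(f"Policy {policy!r} is not one of {sorted(POLICIES)}")
    prio = rule.get("Priority", 1)
    if not isinstance(prio, int) or not 1 <= prio <= 100:
        findings.append(f"Priority {prio!r} is outside 1 to 100")
    cidr_key = "SourceCidrIp" if direction == "ingress" else "DestCidrIp"
    cidr = rule.get(cidr_key)
    if cidr is not None:
        try:
            net = ipaddress.IPv4Network(cidr, strict=False)
        except ValueError:
            findings.append(f"{cidr_key} {cidr!r} is not an IPv4 address or CIDR block")
        else:  # hygiene check added here; not a constraint from the tables above
            if direction == "ingress" and policy == "accept" and net.prefixlen == 0:
                findings.append(f"accept rule open to any source on {proto} {rule.get('PortRange')}")
    return findings

SAMPLE_INGRESS = [  # constructed sample rules, not from the page
    {"IpProtocol": "tcp", "PortRange": "22/22", "SourceCidrIp": "10.0.0.0/8"},
    {"IpProtocol": "TCP", "PortRange": "200/1", "Priority": 0, "SourceCidrIp": "10.0.0.1"},
    {"IpProtocol": "all", "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0"},
]
```

Calling check_rule(r, "ingress") on each SAMPLE_INGRESS entry yields no findings for the first rule, two for the second (uppercase protocol and Priority 0), and the open-to-any finding for the third.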