ALIYUN::ENS::SecurityGroup - Resource Orchestration Service

ALIYUN::ENS::SecurityGroup is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ENS::SecurityGroup",
  "Properties": {
    "Description": String,
    "SecurityGroupName": String,
    "SecurityGroupIngress": List,
    "SecurityGroupEgress": List
  }
}

Properties

Property	Type	Required	Editable	Description	Constraint
Description	String	No	Yes	The description.	The description must be 2 to 256 characters in length. It must start with a letter and cannot start with `http://` or `https://`.
SecurityGroupEgress	List	No	Yes	The outbound rule configurations of the security group.	For more information, see SecurityGroupEgress properties.
SecurityGroupIngress	List	No	Yes	The inbound rule configurations of the security group.	For more information, see SecurityGroupIngress properties.
SecurityGroupName	String	No	Yes	The name of the security group.	The name must be 2 to 128 characters in length. It must start with a letter and cannot start with `http://` or `https://`. The name can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this property is empty.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "SourceCidrIp": String,
    "IpProtocol": String
  }
]

SecurityGroupIngress properties

Property	Type	Required	Editable	Description	Constraint
IpProtocol	String	Yes	No	The transport layer protocol that the security group rule supports.	The value of this property is case-sensitive. Valid values: tcp: supports Transmission Control Protocol (TCP). udp: supports User Datagram Protocol (UDP). icmp: supports Internet Control Message Protocol (ICMP). gre: supports Generic Routing Encapsulation (GRE). all: supports all protocols.
PortRange	String	Yes	No	The range of port numbers that correspond to the transport layer protocol of the security group.	Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value. Valid value when IpProtocol is set to icmp: -1/-1. Valid value when IpProtocol is set to gre: -1/-1. Valid value when IpProtocol is set to all: -1/-1.
Policy	String	No	No	The action that determines whether to allow access.	Valid values: accept (default): allows access. drop: denies access and does not return responses.
Priority	Integer	No	No	The priority of the security group rule.	Valid values: 1 to 100. Default value: 1.
SourceCidrIp	String	No	No	The source IP address range.	IPv4 CIDR blocks and IPv4 addresses are supported.
SourcePortRange	String	No	No	The range of port numbers that correspond to the transport layer protocol of the source security group.	Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value. Valid value when IpProtocol is set to icmp: -1/-1. Valid value when IpProtocol is set to gre: -1/-1. Valid value when IpProtocol is set to all: -1/-1.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "IpProtocol": String,
    "DestCidrIp": String
  }
]

SecurityGroupEgress properties

Property	Type	Required	Editable	Description	Constraint
IpProtocol	String	Yes	No	The transport layer protocol that the security group rule supports.	The value of this property is case-sensitive. Valid values: tcp: supports TCP. udp: supports UDP. icmp: supports ICMP. gre: supports GRE. all: supports all protocols.
PortRange	String	Yes	No	The range of port numbers that correspond to the transport layer protocol of the security group.	Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value. Valid value when IpProtocol is set to icmp: -1/-1. Valid value when IpProtocol is set to gre: -1/-1. Valid value when IpProtocol is set to all: -1/-1.
DestCidrIp	String	No	No	The destination IP address range.	IPv4 CIDR blocks and IPv4 addresses are supported.
Policy	String	No	No	The action that determines whether to allow access.	Valid values: accept (default): allows access. drop: denies access and does not return responses.
Priority	Integer	No	No	The priority of the security group rule.	Valid values: 1 to 100. Default value: 1.
SourcePortRange	String	No	No	The range of port numbers that correspond to the transport layer protocol of the source security group.	Valid values: Value format when IpProtocol is set to tcp or udp: X/Y. X specifies the start port number and Y specifies the end port number. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/). For example, 1/200 is a valid value, and 200/1 is an invalid value. Valid value when IpProtocol is set to icmp: -1/-1. Valid value when IpProtocol is set to gre: -1/-1. Valid value when IpProtocol is set to all: -1/-1.

Return values

Fn::GetAtt

SecurityGroupId: the ID of the security group.

Examples

`YAML` format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupName:
    Type: String
    Description:
      en: The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty.
    Required: false
  SecurityGroupIngress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        SourceCidrIp:
          Type: String
          Description:
            en: Source CIDR Ip Address range.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: Ingress rules for the security group.
    Required: false
  SecurityGroupEgress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: Dest CIDR Ip Address range.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: egress rules for the security group.
    Required: false
Resources:
  SecurityGroup:
    Type: ALIYUN::ENS::SecurityGroup
    Properties:
      SecurityGroupName:
        Ref: SecurityGroupName
      SecurityGroupIngress:
        Ref: SecurityGroupIngress
      SecurityGroupEgress:
        Ref: SecurityGroupEgress
Outputs:
  SecurityGroupId:
    Description: The ID of the security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupId

`JSON` format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupName": {
      "Type": "String",
      "Description": {
        "en": "The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty."
      },
      "Required": false
    },
    "SecurityGroupIngress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Source CIDR Ip Address range."
            },
            "Required": false
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "Ingress rules for the security group."
      },
      "Required": false
    },
    "SecurityGroupEgress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          },
          "DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Dest CIDR Ip Address range."
            },
            "Required": false
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "egress rules for the security group."
      },
      "Required": false
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ENS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": {
          "Ref": "SecurityGroupIngress"
        },
        "SecurityGroupEgress": {
          "Ref": "SecurityGroupEgress"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "The ID of the security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    }
  }
}

Syntax

Properties

SecurityGroupIngress syntax

SecurityGroupIngress properties

SecurityGroupEgress syntax

SecurityGroupEgress properties

Return values

Examples

YAML format

JSON format

`YAML` format

`JSON` format