ALIYUN::CLOUDFW::VpcFirewallControlPolicy类型用于为指定VPC边界防火墙策略组添加访问控制策略。
语法
{
"Type": "ALIYUN::CLOUDFW::VpcFirewallControlPolicy",
"Properties": {
"Destination": String,
"ApplicationName": String,
"Description": String,
"SourceType": String,
"DestPort": String,
"AclAction": String,
"Lang": String,
"DestinationType": String,
"VpcFirewallId": String,
"Source": String,
"DestPortType": String,
"Proto": String,
"RegionId": String,
"NewOrder": String,
"DestPortGroup": String,
"Release": Boolean,
"RepeatType": String,
"StartTime": Integer,
"RepeatEndTime": String,
"RepeatDays": List,
"EndTime": Integer,
"RepeatStartTime": String,
"ApplicationNameList": List,
"MemberUid": String
}
}
属性
属性名称 | 类型 | 必须 | 允许更新 | 描述 | 约束 |
AclAction | String | 是 | 是 | VPC边界防火墙访问控制策略中设置的流量通过云防火墙的方式(动作)。 | 取值:
|
ApplicationName | String | 否 | 是 | VPC边界防火墙访问控制策略支持的应用类型。 | 取值:
|
Description | String | 是 | 是 | VPC边界防火墙访问控制策略的描述信息。 | 无 |
Destination | String | 是 | 是 | VPC边界防火墙访问控制策略中流量访问的目的地址。 | 取值:
|
DestinationType | String | 是 | 是 | VPC边界防火墙访问控制策略中流量访问的目的地址类型。 | 取值:
|
NewOrder | String | 是 | 否 | VPC边界防火墙访问控制策略生效的优先级。 | 优先级数字从1开始顺序递增,优先级数字越小,优先级越高。1代表最高优先级。 说明 -1表示优先级最低。 |
Proto | String | 是 | 否 | VPC边界防火墙访问控制策略中流量访问的安全协议类型。 | 取值:
|
Source | String | 是 | 是 | VPC边界防火墙访问控制策略中的源地址。 | 取值:
|
SourceType | String | 是 | 是 | VPC边界防火墙访问控制策略中的源地址类型。 | 取值:
|
VpcFirewallId | String | 是 | 否 | VPC边界防火墙访问控制策略组ID。 | 取值:
您可以调用DescribeVpcFirewallAclGroupList - 获取VPC防火墙所有访问控制策略组信息获取VPC边界防火墙访问控制策略组ID。 |
DestPort | String | 否 | 是 | VPC边界防火墙访问控制策略中流量访问的目的端口。 | 当DestPortType取值为port时,需要设置该参数。 |
DestPortGroup | String | 否 | 是 | VPC边界防火墙访问控制策略中流量访问的目的端口地址簿名称。 | 当DestPortType取值为group时,需指定该参数。 |
DestPortType | String | 否 | 是 | VPC边界防火墙访问控制策略中流量访问的目的端口类型。 | 取值:
|
Lang | String | 否 | 是 | 请求和接收消息的语言类型。 | 取值:
|
RegionId | String | 否 | 否 | 地域ID。 | 取值:
|
Release | Boolean | 否 | 否 | 访问控制策略的启用状态。 | 策略创建后默认启用该策略。取值:
|
RepeatType | String | 否 | 否 | 访问控制策略的策略有效期的重复类型。 | 取值:
|
StartTime | Integer | 否 | 否 | 访问控制策略的策略有效期的开始时间。 | 使用秒级时间戳格式表示。必须为整点或半点时间,且小于结束时间至少半小时。 说明 当 RepeatType 为 Permanent 时,StartTime 为空。当 RepeatType 为 None、Daily、Weekly、Monthly 时,StartTime 必须有值,您需要设置开始时间。 |
RepeatEndTime | String | 否 | 否 | 访问控制策略的策略有效期的重复结束时间。 | 例如:23:30,必须为整点或半点时间,且大于重复开始时间至少半小时。 说明 当 RepeatType 为 Permanent、None 时,RepeatEndTime 为空。当 RepeatType 为 Daily、Weekly、Monthly 时,RepeatEndTime 必须有值,您需要设置重复结束时间。 |
RepeatDays | List | 否 | 否 | 访问控制策略的策略有效期的重复日期集合。 |
说明 RepeatType 设置为 Weekly 时,RepeatDays 不允许重复。
说明 RepeatType 设置为 Monthly 时,RepeatDays 不允许重复。 |
EndTime | Integer | 否 | 否 | 访问控制策略的策略有效期的结束时间。 | 使用秒级时间戳格式表示。必须为整点或半点时间,且大于开始时间至少半小时。 说明 当 RepeatType 为 Permanent 时,EndTime 为空。当 RepeatType 为 None、Daily、Weekly、Monthly 时,EndTime 必须有值,您需要设置结束时间。 |
RepeatStartTime | String | 否 | 否 | 访问控制策略的策略有效期的重复开始时间。 | 例如:08:00,必须为整点或半点时间,且小于重复结束时间至少半小时。 说明 当 RepeatType 为 Permanent、None 时,RepeatStartTime 为空。当 RepeatType 为 Daily、Weekly、Monthly 时,RepeatStartTime 必须有值,您需要设置重复开始时间。 |
ApplicationNameList | List | 否 | 否 | 应用名称。 | 无 |
MemberUid | String | 否 | 否 | 云防火墙成员账号的 UID。 | 无 |
返回值
Fn::GetAtt
AclUuid:安全访问控制策略的唯一标识ID。
示例
YAML
格式
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
AclAction:
AllowedValues:
- accept
- drop
- log
Description: 'The action that Cloud Firewall performs on the traffic. Valid values:
accept: allows the traffic.
drop: denies the traffic.
log: monitors the traffic.'
Type: String
ApplicationName:
AllowedValues:
- ANY
- FTP
- HTTP
- HTTPS
- MySQL
- SMTP
- SMTPS
- RDP
- VNC
- SSH
- Redis
- MQTT
- MongoDB
- Memcache
- SSL
Description: "The application type that the access control policy supports.\n\
Valid values: \nANY (indicates that all application types are supported) \n\
FTP \nHTTP \nHTTPS \nMySQL \nSMTP \nSMTPS \nRDP \nVNC \nSSH \nRedis \nMQTT \n\
MongoDB \nMemcache \nSSL"
Type: String
Description:
Description: The description of the access control policy.
Type: String
DestPort:
Description: 'The destination port in the access control policy.
Note This parameter must be specified if the DestPortType parameter is set to
port.'
Type: String
DestPortGroup:
Description: 'The address book of destination ports in the access control policy.
Note This parameter must be specified if the DestPortType parameter is set to
group.'
Type: String
DestPortType:
AllowedValues:
- group
- port
Description: 'The type of the destination port in the access control policy. Valid
values:
port: port
group: address book'
Type: String
Destination:
Description: 'The destination address in the access control policy.
Set this parameter in the following way:
If the DestinationType parameter is set to net, set the value to a Classless
Inter-Domain Routing (CIDR) block.
Example: 10.2.3.0/24.
If the DestinationType parameter is set to group, set the value to the name
of an address book.
Example: db_group.
If the DestinationType parameter is set to domain, set the value to a domain
name.
Example: *.aliyuncs.com.'
Type: String
DestinationType:
AllowedValues:
- domain
- group
- net
Description: 'The type of the destination address in the access control policy.
Valid values:
net: CIDR block
group: address book
domain: domain name'
Type: String
Lang:
AllowedValues:
- en
- zh
Description: 'The natural language of the request and response. Valid values:
zh: Chinese
en: English'
Type: String
NewOrder:
Description: 'The priority of the access control policy.
The priority value starts from 1. A smaller priority value indicates a higher
priority.
Note The value of -1 indicates the lowest priority.'
Type: String
Proto:
AllowedValues:
- ANY
- TCP
- UDP
- ICMP
Description: The type of the security protocol in the access control policy.
Type: String
RegionId:
AllowedValues:
- cn-hangzhou
- ap-southeast-1
Default: cn-hangzhou
Description: Region ID. Default to cn-hangzhou.
Type: String
Source:
Description: 'The source address in the access control policy.
If the SourceType parameter is set to net, set the value to a CIDR block. Example:
10.2.3.0/24.
If the SourceType parameter is set to group, set the value to the name of an
address book. Example: db_group.'
Type: String
SourceType:
AllowedValues:
- group
- net
Description: 'The type of the source address in the access control policy. Valid
values:
net: CIDR block
group: address book'
Type: String
VpcFirewallId:
Description: 'The ID of the policy group to which you want to add the access control
policy.
If the VPC firewall is used to protect CEN, set the value to the ID of the CEN
instance
that the VPC firewall protects. Example: cen-ervw5jbw1234*****.
If the VPC firewall is used to protect Express Connect, set the value to the
ID of
the VPC firewall instance. Example: vfw-a42bbb748c91234*****.
Note You can call the DescribeVpcFirewallAclGroupList operation to query the
ID of the policy group.'
Type: String
Resources:
VpcFirewallControlPolicy:
Properties:
AclAction:
Ref: AclAction
ApplicationName:
Ref: ApplicationName
Description:
Ref: Description
DestPort:
Ref: DestPort
DestPortGroup:
Ref: DestPortGroup
DestPortType:
Ref: DestPortType
Destination:
Ref: Destination
DestinationType:
Ref: DestinationType
Lang:
Ref: Lang
NewOrder:
Ref: NewOrder
Proto:
Ref: Proto
RegionId:
Ref: RegionId
Source:
Ref: Source
SourceType:
Ref: SourceType
VpcFirewallId:
Ref: VpcFirewallId
Type: ALIYUN::CLOUDFW::VpcFirewallControlPolicy
Outputs:
AclUuid:
Description: The unique ID of the access control policy.
Value:
Fn::GetAtt:
- VpcFirewallControlPolicy
- AclUuid
JSON
格式
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"Destination": {
"Type": "String",
"Description": "The destination address in the access control policy.\nSet this parameter in the following way:\nIf the DestinationType parameter is set to net, set the value to a Classless Inter-Domain Routing (CIDR) block.\nExample: 10.2.3.0/24.\nIf the DestinationType parameter is set to group, set the value to the name of an address book.\nExample: db_group.\nIf the DestinationType parameter is set to domain, set the value to a domain name.\nExample: *.aliyuncs.com."
},
"ApplicationName": {
"Type": "String",
"Description": "The application type that the access control policy supports.\nValid values: \nANY (indicates that all application types are supported) \nFTP \nHTTP \nHTTPS \nMySQL \nSMTP \nSMTPS \nRDP \nVNC \nSSH \nRedis \nMQTT \nMongoDB \nMemcache \nSSL",
"AllowedValues": [
"ANY",
"FTP",
"HTTP",
"HTTPS",
"MySQL",
"SMTP",
"SMTPS",
"RDP",
"VNC",
"SSH",
"Redis",
"MQTT",
"MongoDB",
"Memcache",
"SSL"
]
},
"Description": {
"Type": "String",
"Description": "The description of the access control policy."
},
"SourceType": {
"Type": "String",
"Description": "The type of the source address in the access control policy. Valid values:\nnet: CIDR block\ngroup: address book",
"AllowedValues": [
"group",
"net"
]
},
"DestPort": {
"Type": "String",
"Description": "The destination port in the access control policy.\nNote This parameter must be specified if the DestPortType parameter is set to port."
},
"AclAction": {
"Type": "String",
"Description": "The action that Cloud Firewall performs on the traffic. Valid values:\naccept: allows the traffic.\ndrop: denies the traffic.\nlog: monitors the traffic.",
"AllowedValues": [
"accept",
"drop",
"log"
]
},
"Lang": {
"Type": "String",
"Description": "The natural language of the request and response. Valid values:\nzh: Chinese\nen: English",
"AllowedValues": [
"en",
"zh"
]
},
"DestinationType": {
"Type": "String",
"Description": "The type of the destination address in the access control policy. Valid values:\nnet: CIDR block\ngroup: address book\ndomain: domain name",
"AllowedValues": [
"domain",
"group",
"net"
]
},
"VpcFirewallId": {
"Type": "String",
"Description": "The ID of the policy group to which you want to add the access control policy.\nIf the VPC firewall is used to protect CEN, set the value to the ID of the CEN instance\nthat the VPC firewall protects. Example: cen-ervw5jbw1234*****.\nIf the VPC firewall is used to protect Express Connect, set the value to the ID of\nthe VPC firewall instance. Example: vfw-a42bbb748c91234*****.\nNote You can call the DescribeVpcFirewallAclGroupList operation to query the ID of the policy group."
},
"Source": {
"Type": "String",
"Description": "The source address in the access control policy.\nIf the SourceType parameter is set to net, set the value to a CIDR block. Example: 10.2.3.0/24.\nIf the SourceType parameter is set to group, set the value to the name of an address book. Example: db_group."
},
"DestPortType": {
"Type": "String",
"Description": "The type of the destination port in the access control policy. Valid values:\nport: port\ngroup: address book",
"AllowedValues": [
"group",
"port"
]
},
"Proto": {
"Type": "String",
"Description": "The type of the security protocol in the access control policy.",
"AllowedValues": [
"ANY",
"TCP",
"UDP",
"ICMP"
]
},
"RegionId": {
"Type": "String",
"Description": "Region ID. Default to cn-hangzhou.",
"AllowedValues": [
"cn-hangzhou",
"ap-southeast-1"
],
"Default": "cn-hangzhou"
},
"NewOrder": {
"Type": "String",
"Description": "The priority of the access control policy.\nThe priority value starts from 1. A smaller priority value indicates a higher priority.\nNote The value of -1 indicates the lowest priority."
},
"DestPortGroup": {
"Type": "String",
"Description": "The address book of destination ports in the access control policy.\nNote This parameter must be specified if the DestPortType parameter is set to group."
}
},
"Resources": {
"VpcFirewallControlPolicy": {
"Type": "ALIYUN::CLOUDFW::VpcFirewallControlPolicy",
"Properties": {
"Destination": {
"Ref": "Destination"
},
"ApplicationName": {
"Ref": "ApplicationName"
},
"Description": {
"Ref": "Description"
},
"SourceType": {
"Ref": "SourceType"
},
"DestPort": {
"Ref": "DestPort"
},
"AclAction": {
"Ref": "AclAction"
},
"Lang": {
"Ref": "Lang"
},
"DestinationType": {
"Ref": "DestinationType"
},
"VpcFirewallId": {
"Ref": "VpcFirewallId"
},
"Source": {
"Ref": "Source"
},
"DestPortType": {
"Ref": "DestPortType"
},
"Proto": {
"Ref": "Proto"
},
"RegionId": {
"Ref": "RegionId"
},
"NewOrder": {
"Ref": "NewOrder"
},
"DestPortGroup": {
"Ref": "DestPortGroup"
}
}
}
},
"Outputs": {
"AclUuid": {
"Description": "The unique ID of the access control policy.",
"Value": {
"Fn::GetAtt": [
"VpcFirewallControlPolicy",
"AclUuid"
]
}
}
}
}