ALIYUN::ENS::SecurityGroup类型用于新建一个安全组。
语法
{
"Type": "ALIYUN::ENS::SecurityGroup",
"Properties": {
"Description": String,
"SecurityGroupName": String,
"SecurityGroupIngress": List,
"SecurityGroupEgress": List
}
}
属性
属性名称 | 类型 | 必须 | 允许更新 | 描述 | 约束 |
Description | String | 否 | 是 | 描述信息。 | 长度为2~256个字符,必须以字母或中文开头,但不能以 http:// 或 https:// 开头。 |
SecurityGroupEgress | List | 否 | 是 | 安全组出方向的规则属性列表。 | 更多信息,请参考SecurityGroupEgress属性。 |
SecurityGroupIngress | List | 否 | 是 | 安全组入方向的规则属性列表。 | 更多信息,请参考SecurityGroupIngress属性。 |
SecurityGroupName | String | 否 | 是 | 安全组名称。 | 长度为2~128个英文或中文字符。必须以大小写字母或中文开头,不能以 http:// 或 https:// 开头。可包含字母、数字、半角冒号(:)、下划线(_)和短划线(-)。默认为空。 |
SecurityGroupIngress语法
"SecurityGroupIngress": [
{
"Policy": String,
"PortRange": String,
"SourcePortRange": String,
"Priority": Integer,
"SourceCidrIp": String,
"IpProtocol": String
}
]
SecurityGroupIngress属性
属性名称 | 类型 | 必须 | 允许更新 | 描述 | 约束 |
IpProtocol | String | 是 | 否 | 传输层协议。 | 取值大小写敏感。取值范围:tcp、udp、icmp、gre、all。 |
PortRange | String | 是 | 否 | 安全组开放的传输层协议相关的端口范围。 | 取值范围:tcp、udp协议:1~65535,起始端口和结束端口以斜线(/)分隔,例如 1/200;icmp、gre、all协议:-1/-1。 |
Policy | String | 否 | 否 | 设置访问权限。 | 取值范围:accept(接受访问)、drop(拒绝访问)。默认值:accept。注意:未显式指定 Policy 的规则即为放行规则。 |
Priority | Integer | 否 | 否 | 安全组规则优先级。 | 取值范围:1~100。 默认值:1。 |
SourceCidrIp | String | 否 | 否 | 源端IP地址范围。 | 支持CIDR格式和IPv4格式的IP地址范围。0.0.0.0/0 会匹配所有来源,与 accept 策略搭配时请务必收敛 PortRange,避免对公网放开全部端口。 |
SourcePortRange | String | 否 | 否 | 源端安全组开放的传输层协议相关的端口范围。 | 取值范围:tcp、udp协议:1~65535,起始端口和结束端口以斜线(/)分隔,正确示例 1/200,错误示例 200/1;icmp、gre、all协议:-1/-1。 |
SecurityGroupEgress语法
"SecurityGroupEgress": [
{
"Policy": String,
"PortRange": String,
"SourcePortRange": String,
"Priority": Integer,
"IpProtocol": String,
"DestCidrIp": String
}
]
SecurityGroupEgress属性
属性名称 | 类型 | 必须 | 允许更新 | 描述 | 约束 |
IpProtocol | String | 是 | 否 | 传输层协议。 | 取值大小写敏感。取值范围:tcp、udp、icmp、gre、all。 |
PortRange | String | 是 | 否 | 安全组开放的传输层协议相关的端口范围。 | 取值范围:tcp、udp协议:1~65535,起始端口和结束端口以斜线(/)分隔,例如 1/200;icmp、gre、all协议:-1/-1。 |
DestCidrIp | String | 否 | 否 | 目的端IP地址范围。 | 支持CIDR格式和IPv4格式的IP地址范围。0.0.0.0/0 会匹配所有目的地址,出方向放行全部目的地址时建议同时限制 PortRange 和 IpProtocol。 |
Policy | String | 否 | 否 | 设置访问权限。 | 取值范围:accept(接受访问)、drop(拒绝访问)。默认值:accept。 |
Priority | Integer | 否 | 否 | 安全组规则优先级。 | 取值范围:1~100,默认值为1。 |
SourcePortRange | String | 否 | 否 | 源端安全组开放的传输层协议相关的端口范围。 | 取值范围:tcp、udp协议:1~65535,起始端口和结束端口以斜线(/)分隔,正确示例 1/200,错误示例 200/1;icmp、gre、all协议:-1/-1。 |
返回值
Fn::GetAtt
SecurityGroupId:安全组ID。
示例
YAML
格式
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
SecurityGroupName:
Type: String
Description:
en: The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty.
Required: false
SecurityGroupIngress:
AssociationPropertyMetadata:
Parameters:
Policy:
Type: String
Description:
en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
AllowedValues:
- accept
- drop
Required: false
PortRange:
Type: String
Description:
en: Port range for the selected IP protocol. For tcp and udp, the port range is [1,65535], written as 'start/end' (for example '1/200'). For icmp, gre and all, the port range must be '-1/-1'.
Required: true
SourcePortRange:
Type: String
Description:
en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1.'
Required: false
Priority:
Type: Number
Description:
en: Priority of the rule. Valid values are 1 to 100.
Required: false
MinValue: 1
MaxValue: 100
Default: 1
SourceCidrIp:
Type: String
Description:
en: Source CIDR Ip Address range.
Required: false
IpProtocol:
Type: String
Description:
en: IP protocol of the ingress rule. Values are case-sensitive.
AllowedValues:
- tcp
- udp
- icmp
- gre
- all
Required: true
AssociationProperty: List[Parameters]
Type: Json
Description:
en: Ingress rules for the security group.
Required: false
SecurityGroupEgress:
AssociationPropertyMetadata:
Parameters:
Policy:
Type: String
Description:
en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
AllowedValues:
- accept
- drop
Required: false
PortRange:
Type: String
Description:
en: Port range for the selected IP protocol. For tcp and udp, the port range is [1,65535], written as 'start/end' (for example '1/200'). For icmp, gre and all, the port range must be '-1/-1'.
Required: true
SourcePortRange:
Type: String
Description:
en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1.'
Required: false
Priority:
Type: Number
Description:
en: Priority of the rule. Valid values are 1 to 100.
Required: false
MinValue: 1
MaxValue: 100
Default: 1
IpProtocol:
Type: String
Description:
en: IP protocol of the egress rule. Values are case-sensitive.
AllowedValues:
- tcp
- udp
- icmp
- gre
- all
Required: true
DestCidrIp:
Type: String
Description:
en: Dest CIDR Ip Address range.
Required: false
AssociationProperty: List[Parameters]
Type: Json
Description:
en: Egress rules for the security group.
Required: false
Resources:
SecurityGroup:
Type: ALIYUN::ENS::SecurityGroup
Properties:
SecurityGroupName:
Ref: SecurityGroupName
SecurityGroupIngress:
Ref: SecurityGroupIngress
SecurityGroupEgress:
Ref: SecurityGroupEgress
Outputs:
SecurityGroupId:
Description: The ID of the security group.
Value:
Fn::GetAtt:
- SecurityGroup
- SecurityGroupId
JSON
格式
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"SecurityGroupName": {
"Type": "String",
"Description": {
"en": "The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty."
},
"Required": false
},
"SecurityGroupIngress": {
"AssociationPropertyMetadata": {
"Parameters": {
"Policy": {
"Type": "String",
"Description": {
"en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
},
"AllowedValues": [
"accept",
"drop"
],
"Required": false
},
"PortRange": {
"Type": "String",
"Description": {
"en": "Port range for the selected IP protocol. For tcp and udp, the port range is [1,65535], written as 'start/end' (for example '1/200'). For icmp, gre and all, the port range must be '-1/-1'."
},
"Required": true
},
"SourcePortRange": {
"Type": "String",
"Description": {
"en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1."
},
"Required": false
},
"Priority": {
"Type": "Number",
"Description": {
"en": "Priority of the rule. Valid values are 1 to 100."
},
"Required": false,
"MinValue": 1,
"MaxValue": 100,
"Default": 1
},
"SourceCidrIp": {
"Type": "String",
"Description": {
"en": "Source CIDR Ip Address range."
},
"Required": false
},
"IpProtocol": {
"Type": "String",
"Description": {
"en": "IP protocol of the ingress rule. Values are case-sensitive."
},
"AllowedValues": [
"tcp",
"udp",
"icmp",
"gre",
"all"
],
"Required": true
}
}
},
"AssociationProperty": "List[Parameters]",
"Type": "Json",
"Description": {
"en": "Ingress rules for the security group."
},
"Required": false
},
"SecurityGroupEgress": {
"AssociationPropertyMetadata": {
"Parameters": {
"Policy": {
"Type": "String",
"Description": {
"en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
},
"AllowedValues": [
"accept",
"drop"
],
"Required": false
},
"PortRange": {
"Type": "String",
"Description": {
"en": "Port range for the selected IP protocol. For tcp and udp, the port range is [1,65535], written as 'start/end' (for example '1/200'). For icmp, gre and all, the port range must be '-1/-1'."
},
"Required": true
},
"SourcePortRange": {
"Type": "String",
"Description": {
"en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1."
},
"Required": false
},
"Priority": {
"Type": "Number",
"Description": {
"en": "Priority of the rule. Valid values are 1 to 100."
},
"Required": false,
"MinValue": 1,
"MaxValue": 100,
"Default": 1
},
"IpProtocol": {
"Type": "String",
"Description": {
"en": "IP protocol of the egress rule. Values are case-sensitive."
},
"AllowedValues": [
"tcp",
"udp",
"icmp",
"gre",
"all"
],
"Required": true
},
"DestCidrIp": {
"Type": "String",
"Description": {
"en": "Dest CIDR Ip Address range."
},
"Required": false
}
}
},
"AssociationProperty": "List[Parameters]",
"Type": "Json",
"Description": {
"en": "Egress rules for the security group."
},
"Required": false
}
},
"Resources": {
"SecurityGroup": {
"Type": "ALIYUN::ENS::SecurityGroup",
"Properties": {
"SecurityGroupName": {
"Ref": "SecurityGroupName"
},
"SecurityGroupIngress": {
"Ref": "SecurityGroupIngress"
},
"SecurityGroupEgress": {
"Ref": "SecurityGroupEgress"
}
}
}
},
"Outputs": {
"SecurityGroupId": {
"Description": "The ID of the security group.",
"Value": {
"Fn::GetAtt": [
"SecurityGroup",
"SecurityGroupId"
]
}
}
}
}