ALIYUN::ECS::SecurityGroupEgress is used to create an outbound access rule for a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroupEgress",
  "Properties": {
    "SecurityGroupId": String,
    "IpProtocol": String,
    "PortRange": String,
    "DestGroupId": String,
    "DestGroupOwnerId": String,
    "DestCidrIp": String,
    "Policy": String,
    "Priority": Integer,
    "NicType": String,
    "Ipv6DestCidrIp": String,
    "Description": String
  }
}

Properties

Property Type Required Editable Description Constraint
IpProtocol String Yes No The transport layer protocol. Valid values:
  • tcp
  • udp
  • icmp
  • gre
  • all
PortRange String Yes No The range of destination ports corresponding to the transport layer protocol. Valid values:
  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1.

For use cases of ports, see Common ports used by applications.

SecurityGroupId String No No The ID of the source security group. None
NicType String No No The type of the NIC. Default value: internet. Valid values:
  • internet
  • intranet
If the DestGroupId parameter is specified, but the DestCidrIp parameter is not, this parameter must be set to intranet.
Priority Integer No No The priority of the security group rule. Valid values: 1 to 100.

Default value: 1.

DestGroupId String No No The ID of the destination security group for which you want to set access permissions. You must specify at least one of the DestGroupId and DestCidrIp parameters. If the DestGroupId parameter is specified, but the DestCidrIp parameter is not, the NicType parameter must be set to intranet. If both DestGroupId and DestCidrIp are specified, the DestCidrIp parameter takes precedence.
DestCidrIp String No No The destination CIDR block. IPv4 addresses in the CIDR format are supported.
Policy String No No The authorization policy. Default value: accept. Valid values:
  • accept: grants access.
  • drop: denies access.
Description String No Yes The description of the security group rule. The description must be 1 to 512 characters in length.
DestGroupOwnerId String No No The ID of the Alibaba Cloud account that manages the destination security group when you set a security group rule across accounts. If this parameter is not specified, the access permission is configured for another security group managed by your account. If the DestCidrIp parameter is specified, the DestGroupOwnerId parameter is ignored.
Ipv6DestCidrIp String No No The destination IPv6 CIDR block. IPv6 addresses in the CIDR format are supported. You can only specify the IP addresses of ECS instances in VPCs.
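
The constraints in the table above interact (PortRange depends on IpProtocol, NicType depends on which destination is set), so a pre-deployment check is useful. The following Python lint is an added example, not part of ROS or the original page; it assumes the Properties values are already resolved to literals (no Ref), and the function name lint_egress and the sample IDs are hypothetical.

```python
import ipaddress

# Constructed sample Properties blocks (placeholder IDs), not taken from the page.
GOOD = {"SecurityGroupId": "sg-example", "IpProtocol": "tcp", "PortRange": "443/443",
        "DestCidrIp": "10.0.0.0/8", "Policy": "accept", "Priority": 1}
BAD = {"SecurityGroupId": "sg-example", "IpProtocol": "icmp", "PortRange": "200/1",
       "DestGroupId": "sg-peer", "Priority": 101}  # NicType omitted -> internet


def _cidr_ok(value, version):
    try:
        return ipaddress.ip_network(value, strict=False).version == version
    except ValueError:
        return False


def lint_egress(props):
    """Return violations of the documented property constraints (empty list = OK)."""
    errs = []
    proto, ports = props.get("IpProtocol"), str(props.get("PortRange", ""))
    if proto not in ("tcp", "udp", "icmp", "gre", "all"):
        errs.append("IpProtocol must be tcp, udp, icmp, gre or all")
    elif proto in ("tcp", "udp"):
        lo, _, hi = ports.partition("/")
        if not (lo.isdigit() and hi.isdigit() and 1 <= int(lo) <= int(hi) <= 65535):
            errs.append("PortRange must be start/end within 1 to 65535, start <= end")
    elif ports != "-1/-1":
        errs.append("PortRange must be -1/-1 for icmp, gre and all")
    group, cidr, v6 = (props.get(k) for k in ("DestGroupId", "DestCidrIp", "Ipv6DestCidrIp"))
    # Assumption: a rule that sets only Ipv6DestCidrIp also has a valid destination.
    if not (group or cidr or v6):
        errs.append("specify DestGroupId or DestCidrIp")
    # NicType defaults to internet, so omitting it on a group-only rule is a violation.
    if group and not cidr and props.get("NicType", "internet") != "intranet":
        errs.append("NicType must be intranet when only DestGroupId is given")
    if cidr and not _cidr_ok(cidr, 4):
        errs.append("DestCidrIp must be an IPv4 CIDR block")
    if v6 and not _cidr_ok(v6, 6):
        errs.append("Ipv6DestCidrIp must be an IPv6 CIDR block")
    if props.get("Policy", "accept") not in ("accept", "drop"):
        errs.append("Policy must be accept or drop")
    prio = str(props.get("Priority", 1))
    if not (prio.isdigit() and 1 <= int(prio) <= 100):
        errs.append("Priority must be an integer from 1 to 100")
    desc = props.get("Description")
    if desc is not None and not 1 <= len(desc) <= 512:
        errs.append("Description must be 1 to 512 characters")
    return errs
```

lint_egress(GOOD) returns an empty list; lint_egress(BAD) reports the PortRange, NicType and Priority violations.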

Response parameters

Fn::GetAtt

None.

Examples

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Policy": {
      "Type": "String",
      "Description": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.",
      "AllowedValues": [
        "accept",
        "drop"
      ]
    },
    "PortRange": {
      "Type": "String",
      "Description": "Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range should be '-1/-1'"
    },
    "Description": {
      "Type": "String",
      "Description": "Description of the security group rule, [1, 512] characters. The default is empty.",
      "MinLength": 1,
      "MaxLength": 512
    },
    "Priority": {
      "Type": "Number",
      "Description": "Authorization policies priority range[1, 100]",
      "MinValue": 1,
      "MaxValue": 100,
      "Default": 1
    },
    "SecurityGroupId": {
      "Type": "String",
      "Description": "Id of the security group."
    },
    "DestGroupOwnerId": {
      "Type": "String",
      "Description": "Dest Group Owner Account ID"
    },
    "IpProtocol": {
      "Type": "String",
      "Description": "Ip protocol for in rule.",
      "AllowedValues": [
        "tcp",
        "udp",
        "icmp",
        "gre",
        "all"
      ]
    },
    "DestCidrIp": {
      "Type": "String",
      "Description": "Dest CIDR Ip Address range. Only IPV4 supported."
    },
    "NicType": {
      "Type": "String",
      "Description": "Network type, could be 'internet' or 'intranet'. Default value is internet.",
      "AllowedValues": [
        "internet",
        "intranet"
      ]
    },
    "Ipv6DestCidrIp": {
      "Type": "String",
      "Description": "Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
    },
    "DestGroupId": {
      "Type": "String",
      "Description": "Dest Group Id"
    }
  },
  "Resources": {
    "SecurityGroupEgress": {
      "Type": "ALIYUN::ECS::SecurityGroupEgress",
      "Properties": {
        "Policy": {
          "Ref": "Policy"
        },
        "PortRange": {
          "Ref": "PortRange"
        },
        "Description": {
          "Ref": "Description"
        },
        "Priority": {
          "Ref": "Priority"
        },
        "SecurityGroupId": {
          "Ref": "SecurityGroupId"
        },
        "DestGroupOwnerId": {
          "Ref": "DestGroupOwnerId"
        },
        "IpProtocol": {
          "Ref": "IpProtocol"
        },
        "DestCidrIp": {
          "Ref": "DestCidrIp"
        },
        "NicType": {
          "Ref": "NicType"
        },
        "Ipv6DestCidrIp": {
          "Ref": "Ipv6DestCidrIp"
        },
        "DestGroupId": {
          "Ref": "DestGroupId"
        }
      }
    }
  }
}

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  Policy:
    Type: String
    Description: >-
      Authorization policies, parameter values can be: accept (accepted access),
      drop (denied access). Default value is accept.
    AllowedValues:
      - accept
      - drop
  PortRange:
    Type: String
    Description: >-
      Ip protocol relative port range. For tcp and udp, the port range is
      [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range
      should be '-1/-1'
  Description:
    Type: String
    Description: >-
      Description of the security group rule, [1, 512] characters. The default
      is empty.
    MinLength: 1
    MaxLength: 512
  Priority:
    Type: Number
    Description: 'Authorization policies priority range[1, 100]'
    MinValue: 1
    MaxValue: 100
    Default: 1
  SecurityGroupId:
    Type: String
    Description: Id of the security group.
  DestGroupOwnerId:
    Type: String
    Description: Dest Group Owner Account ID
  IpProtocol:
    Type: String
    Description: Ip protocol for in rule.
    AllowedValues:
      - tcp
      - udp
      - icmp
      - gre
      - all
  DestCidrIp:
    Type: String
    Description: Dest CIDR Ip Address range. Only IPV4 supported.
  NicType:
    Type: String
    Description: >-
      Network type, could be 'internet' or 'intranet'. Default value is
      internet.
    AllowedValues:
      - internet
      - intranet
  Ipv6DestCidrIp:
    Type: String
    Description: >-
      Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR
      format and IPv6 format.

      Note Only VPC type IP addresses are supported.
  DestGroupId:
    Type: String
    Description: Dest Group Id
Resources:
  SecurityGroupEgress:
    Type: 'ALIYUN::ECS::SecurityGroupEgress'
    Properties:
      Policy:
        Ref: Policy
      PortRange:
        Ref: PortRange
      Description:
        Ref: Description
      Priority:
        Ref: Priority
      SecurityGroupId:
        Ref: SecurityGroupId
      DestGroupOwnerId:
        Ref: DestGroupOwnerId
      IpProtocol:
        Ref: IpProtocol
      DestCidrIp:
        Ref: DestCidrIp
      NicType:
        Ref: NicType
      Ipv6DestCidrIp:
        Ref: Ipv6DestCidrIp
      DestGroupId:
        Ref: DestGroupId