ALIYUN::ECS::SecurityGroupEgress is used to create an outbound access rule for a security group.
Syntax
{
  "Type": "ALIYUN::ECS::SecurityGroupEgress",
  "Properties": {
    "SecurityGroupId": String,
    "IpProtocol": String,
    "PortRange": String,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "Priority": String,
    "NicType": String,
    "DestPrefixListId": String,
    "Ipv6DestCidrIp": String
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
IpProtocol | String | Yes | No | The transport layer protocol. | Valid values: tcp, udp, icmp, gre, and all. |
PortRange | String | Yes | No | The range of ports that you want to configure for the transport layer protocol in the destination security group. | Valid values: for tcp and udp, 1 to 65535, in the format start port/end port (for example, 1/200); for icmp, gre, and all, -1/-1. For more information about the scenarios of ports, see Typical applications of commonly used ports. |
SecurityGroupId | String | No | No | The ID of the source security group. | None |
DestPrefixListId | String | No | No | The ID of the destination prefix list on which you want to grant outbound access permissions. | You can call the DescribePrefixLists operation to query the IDs of available prefix lists. If a security group is in the classic network, you cannot configure prefix lists in the security group rule. For more information, see the "Security group limits" section in Limits. If you specify the DestCidrIp, Ipv6DestCidrIp, or DestGroupId property, the system ignores the value of the DestPrefixListId property. |
NicType | String | No | No | The type of the network interface controller (NIC). | Default value: internet. Valid values: internet and intranet. |
Priority | Integer | No | No | The priority of the security group rule. | Valid values: 1 to 100. Default value: 1. |
DestGroupId | String | No | No | The ID of the destination security group on which you want to grant outbound access permissions. | You must specify at least one of the DestGroupId and DestCidrIp properties. If you specify the DestGroupId property, but leave the DestCidrIp property empty, you must set the NicType property to intranet. If you specify both the DestGroupId and DestCidrIp properties, the value of the DestCidrIp property is used. |
DestCidrIp | String | No | No | The destination CIDR block. | IPv4 CIDR blocks are supported. |
Policy | String | No | No | The action of the rule that determines whether to accept outbound access. | Default value: accept. Valid values: accept and drop. |
Description | String | No | Yes | The description of the security group rule. | The description must be 1 to 512 characters in length. |
DestGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that is used to manage the destination security group when you configure a security group rule across accounts. | If you leave this property empty, the outbound access permissions are granted on other security groups within your account. If you specify the DestCidrIp property, the system ignores the value of the DestGroupOwnerId property. |
Ipv6DestCidrIp | String | No | No | The destination IPv6 CIDR block. | CIDR blocks and IPv6 addresses are supported. You can specify only the IP addresses of the virtual private cloud (VPC) type. |
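
The property constraints above, written as a pre-deployment check over a template's egress rules. This is an added example, not part of the original page or of ROS itself. The function name `lint_egress`, the findings format and the placeholder IDs are assumptions; the check also treats an IPv6 CIDR block or a prefix list as a valid destination and requires the start port not to exceed the end port.

```python
import ipaddress
import re

EGRESS = "ALIYUN::ECS::SecurityGroupEgress"

def lint_egress(template, params=None):
    """Return (resource, level, message) findings for egress rules in a ROS template."""
    params, findings = params or {}, []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != EGRESS:
            continue
        # Resolve {"Ref": X} from supplied params; rules using other functions are skipped.
        p = {k: params.get(v["Ref"]) if isinstance(v, dict) and "Ref" in v else v
             for k, v in res.get("Properties", {}).items()}
        if any(isinstance(v, dict) for v in p.values()):
            continue
        add = lambda level, msg: findings.append((name, level, msg))
        cidr, group = p.get("DestCidrIp"), p.get("DestGroupId")
        v6, plist = p.get("Ipv6DestCidrIp"), p.get("DestPrefixListId")
        if not (cidr or group or v6 or plist):  # assumption: IPv6 / prefix list count too
            add("error", "no destination specified")
        if group and not cidr and (p.get("NicType") or "internet") != "intranet":
            add("error", "DestGroupId without DestCidrIp requires NicType intranet")
        if group and cidr:
            add("warn", "DestCidrIp takes effect; DestGroupId is not used")
        if plist and (cidr or v6 or group):
            add("warn", "DestPrefixListId is ignored")
        if cidr and p.get("DestGroupOwnerId"):
            add("warn", "DestGroupOwnerId is ignored")
        if cidr:
            try:
                if ipaddress.ip_network(cidr, strict=False).version != 4:
                    add("error", "DestCidrIp must be IPv4")
            except ValueError:
                add("error", "DestCidrIp is not a valid CIDR block")
        proto, ports = p.get("IpProtocol"), str(p.get("PortRange"))
        m = re.fullmatch(r"(\d+)/(\d+)", ports)
        if proto in ("tcp", "udp") and not (m and 1 <= int(m[1]) <= int(m[2]) <= 65535):
            add("error", "tcp/udp PortRange must be start/end within 1-65535")
        elif proto in ("icmp", "gre", "all") and ports != "-1/-1":
            add("error", "PortRange must be -1/-1 for icmp, gre and all")
        prio = p.get("Priority")
        if prio is not None and not (str(prio).isdigit() and 1 <= int(prio) <= 100):
            add("error", "Priority must be 1 to 100")
    return findings

# Constructed sample rule; the IDs are placeholders, not real resources.
SAMPLE = {"Resources": {"ToPeer": {"Type": EGRESS, "Properties": {
    "IpProtocol": "tcp", "PortRange": "443/443",
    "DestGroupId": "sg-placeholder", "DestPrefixListId": "pl-placeholder"}}}}
```

Warnings mark properties that the system silently ignores, which matters in review: a rule that appears scoped to a prefix list or a peer account may in fact be governed by a different destination property.
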
Return values
Fn::GetAtt
None.
Examples
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Policy": {
      "Type": "String",
      "Description": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.",
      "AllowedValues": ["accept", "drop"]
    },
    "PortRange": {
      "Type": "String",
      "Description": "Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocol, the port range should be '-1/-1'"
    },
    "Description": {
      "Type": "String",
      "Description": "Description of the security group rule, [1, 512] characters. The default is empty.",
      "MinLength": 1,
      "MaxLength": 512
    },
    "Priority": {
      "Type": "Number",
      "Description": "Authorization policies priority range[1, 100]",
      "MinValue": 1,
      "MaxValue": 100,
      "Default": 1
    },
    "SecurityGroupId": {
      "Type": "String",
      "Description": "Id of the security group."
    },
    "DestGroupOwnerId": {
      "Type": "String",
      "Description": "Dest Group Owner Account ID"
    },
    "IpProtocol": {
      "Type": "String",
      "Description": "Ip protocol for in rule.",
      "AllowedValues": ["tcp", "udp", "icmp", "gre", "all"]
    },
    "DestCidrIp": {
      "Type": "String",
      "Description": "Dest CIDR Ip Address range. Only IPV4 supported."
    },
    "NicType": {
      "Type": "String",
      "Description": "Network type, could be 'internet' or 'intranet'. Default value is internet.",
      "AllowedValues": ["internet", "intranet"]
    },
    "Ipv6DestCidrIp": {
      "Type": "String",
      "Description": "Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
    },
    "DestGroupId": {
      "Type": "String",
      "Description": "Dest Group Id"
    }
  },
  "Resources": {
    "SecurityGroupEgress": {
      "Type": "ALIYUN::ECS::SecurityGroupEgress",
      "Properties": {
        "Policy": { "Ref": "Policy" },
        "PortRange": { "Ref": "PortRange" },
        "Description": { "Ref": "Description" },
        "Priority": { "Ref": "Priority" },
        "SecurityGroupId": { "Ref": "SecurityGroupId" },
        "DestGroupOwnerId": { "Ref": "DestGroupOwnerId" },
        "IpProtocol": { "Ref": "IpProtocol" },
        "DestCidrIp": { "Ref": "DestCidrIp" },
        "NicType": { "Ref": "NicType" },
        "Ipv6DestCidrIp": { "Ref": "Ipv6DestCidrIp" },
        "DestGroupId": { "Ref": "DestGroupId" }
      }
    }
  }
}