ALIYUN::ECS::SecurityGroupIngress is used to create an inbound rule for a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroupIngress",
  "Properties": {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String
  }
}

Properties

Property Type Required Editable Description Constraint
IpProtocol String Yes No The transport layer protocol. Valid values:
  • tcp: Transmission Control Protocol (TCP).
  • udp: User Datagram Protocol (UDP).
  • icmp: Internet Control Message Protocol (ICMP).
  • gre: Generic Routing Encapsulation (GRE).
  • all: All preceding protocols are supported.
PortRange String Yes No The range of port numbers that correspond to the transport layer protocol for the destination security group. Valid values:
  • Valid value if you set the IpProtocol property to tcp or udp: 1/65535. Separate the start port number and the end port number with a forward slash (/). Example of a valid value: 1/200. Example of an invalid value: 200/1.
  • Valid value if you set the IpProtocol property to icmp: -1/-1.
  • Valid value if you set the IpProtocol property to gre: -1/-1.
  • Valid value if you set the IpProtocol property to all: -1/-1.

For more information about the scenarios in which ports are used, see Typical applications of commonly used ports.

SourcePrefixListId String No No The ID of the source prefix list for which you want to control inbound access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

If a security group resides in the classic network, you cannot configure prefix lists in the security group rule. For more information, see the "Security group limits" section of the Limits topic.

If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId property, the system ignores the value of the SourcePrefixListId property.

SourceGroupId String No No The ID of the source security group to which you want to grant inbound access permissions. You must specify the SourceGroupId or SourceCidrIp property.

If you specify only the SourceGroupId property, you must set the NicType property to intranet.

If you specify both the SourceGroupId and SourceCidrIp properties, the SourceCidrIp property takes precedence.
SecurityGroupId String No No The ID of the security group for which you want to create the inbound rule. None.
NicType String No No The type of the network interface controller (NIC). Default value: internet. Valid values:
  • internet: public NIC
  • intranet: internal NIC
If you specify the SourceGroupId property but leave the SourceCidrIp property empty, you must set the NicType property to intranet.
Priority Integer No No The priority of the inbound rule. Valid values: 1 to 100.

Default value: 1.

SourceCidrIp String No No The source IPv4 CIDR block. Only IPv4 CIDR blocks are supported.
Policy String No No The rule action that determines whether to accept inbound access. Default value: accept. Valid values:
  • accept
  • drop
SourceGroupOwnerId String No No The ID of the Alibaba Cloud account to which the source security group belongs when you configure a security group rule across accounts. If you do not specify the SourceGroupOwnerId property, the access permissions are granted to another security group that belongs to your own Alibaba Cloud account.

If you specify the SourceCidrIp property, the SourceGroupOwnerId property is ignored.

Description String No Yes The description of the inbound rule. The description must be 1 to 512 characters in length.
SourcePortRange String No No The range of port numbers that correspond to the transport layer protocol for the source security group. Valid values:
  • Valid value if you set the IpProtocol property to tcp or udp: 1/65535. Separate the start port number and the end port number with a forward slash (/). Example of a valid value: 1/200. Example of an invalid value: 200/1.
  • Valid value if you set the IpProtocol property to icmp: -1/-1.
  • Valid value if you set the IpProtocol property to gre: -1/-1.
  • Valid value if you set the IpProtocol property to all: -1/-1.
Ipv6SourceCidrIp String No No The source IPv6 CIDR block. The value must be in CIDR format. You can specify only IP addresses of the virtual private cloud (VPC) type.

Return values

Fn::GetAtt

None.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      SecurityGroupId:
        Type: String
        AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
        Label:
          en: Security Group ID
    Resources:
      SecurityGroupIngress:
        Type: ALIYUN::ECS::SecurityGroupIngress
        Properties:
          SecurityGroupId:
            Ref: SecurityGroupId
          SourceCidrIp: 0.0.0.0/0
          IpProtocol: all
          NicType: intranet
          PortRange: '-1/-1'
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "SecurityGroupId": {
          "Type": "String",
          "AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId",
          "Label": {
            "en": "Security Group ID"
          }
        }
      },
      "Resources": {
        "SecurityGroupIngress": {
          "Type": "ALIYUN::ECS::SecurityGroupIngress",
          "Properties": {
            "SecurityGroupId": {
              "Ref": "SecurityGroupId"
            },
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "intranet",
            "PortRange": "-1/-1"
          }
        }
      }
    }
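The constraints and precedence rules from the property table, applied as a static check over a JSON-format template before it is deployed. This is an added example, not Alibaba Cloud's own tooling: the sample template and the sg-PLACEHOLDER security group ID are constructed for it, and the "RISK" finding for an accept rule that opens every port to 0.0.0.0/0 (which the page's own example rule does) is this example's addition, not a constraint the service enforces.

```python
"""Static checks for ALIYUN::ECS::SecurityGroupIngress resources in a ROS template.
Added example, not Alibaba Cloud's own tooling: applies the property rules on this
page to each SecurityGroupIngress resource in a JSON-format template. The sample
template at the bottom is constructed here; its security group IDs are placeholders.
"""
import json
import re

VALID_PROTOCOLS = ("tcp", "udp", "icmp", "gre", "all")
SOURCE_KEYS = ("SourceCidrIp", "Ipv6SourceCidrIp", "SourceGroupId", "SourcePrefixListId")
PORT_RANGE_RE = re.compile(r"^(-?\d+)/(-?\d+)$")
RISK_ANY_ALL = "RISK: accepts every port from any address; restrict SourceCidrIp or PortRange"
ERR_NIC_INTRANET = "ERROR: NicType must be 'intranet' when only SourceGroupId identifies the source"


def literal(value):
    """Return plain string/int values; None for intrinsic functions such as {"Ref": ...}."""
    return value if isinstance(value, (str, int)) and not isinstance(value, bool) else None


def port_range_error(name, proto, value):
    """Apply the PortRange/SourcePortRange rules for one IpProtocol; return a message or None."""
    if value is None:
        return None  # unresolved intrinsic function; not checkable statically
    if proto in ("tcp", "udp"):
        m = PORT_RANGE_RE.match(str(value))
        if not m:
            return f"{name} {value!r} must be start/end, for example 1/200"
        start, end = int(m.group(1)), int(m.group(2))
        if not 1 <= start <= end <= 65535:
            return f"{name} {value!r} must satisfy 1 <= start <= end <= 65535"
        return None
    if value != "-1/-1":  # icmp, gre and all accept only -1/-1
        return f"{name} must be '-1/-1' when IpProtocol is {proto}, got {value!r}"
    return None


def lint_ingress(props):
    """Return findings ('ERROR: ...', 'WARN: ...', 'RISK: ...') for one Properties block."""
    out = []
    proto = literal(props.get("IpProtocol"))
    if proto not in VALID_PROTOCOLS:
        out.append(f"ERROR: IpProtocol {proto!r} is not one of {VALID_PROTOCOLS}")
    else:
        if "PortRange" not in props:
            out.append("ERROR: PortRange is required")
        for name in ("PortRange", "SourcePortRange"):
            if name in props:
                err = port_range_error(name, proto, literal(props[name]))
                if err:
                    out.append("ERROR: " + err)
    if not any(k in props for k in SOURCE_KEYS):
        out.append("ERROR: one of " + ", ".join(SOURCE_KEYS) + " is required")
    # NicType defaults to internet; a source given only as a security group needs intranet
    nic = literal(props.get("NicType", "internet"))
    if "SourceGroupId" in props and "SourceCidrIp" not in props and nic not in (None, "intranet"):
        out.append(ERR_NIC_INTRANET)
    # Precedence rules from the property table: inputs the service silently ignores get a warning
    if "SourceGroupId" in props and "SourceCidrIp" in props:
        out.append("WARN: SourceCidrIp takes precedence; SourceGroupId is ignored")
    if "SourcePrefixListId" in props and any(k in props for k in SOURCE_KEYS[:3]):
        out.append("WARN: SourcePrefixListId is ignored because a CIDR or group source is set")
    prio = literal(props.get("Priority", 1))
    if prio is not None and not (isinstance(prio, int) and 1 <= prio <= 100):
        out.append(f"ERROR: Priority {prio!r} must be an integer from 1 to 100")
    # Exposure check (this example's addition): an accept rule from any address on every port
    policy = literal(props.get("Policy", "accept"))
    any_source = literal(props.get("SourceCidrIp")) == "0.0.0.0/0"
    all_ports = proto == "all" or literal(props.get("PortRange")) == "1/65535"
    if policy == "accept" and any_source and all_ports:
        out.append(RISK_ANY_ALL)
    return out


def lint_template(template_text):
    """Parse a JSON-format ROS template; return findings keyed by resource logical name."""
    template = json.loads(template_text)
    return {name: lint_ingress(res.get("Properties", {}))
            for name, res in template.get("Resources", {}).items()
            if res.get("Type") == "ALIYUN::ECS::SecurityGroupIngress"}


def rule(**props):
    """Build one SecurityGroupIngress resource for the constructed sample template."""
    props["SecurityGroupId"] = {"Ref": "SecurityGroupId"}
    return {"Type": "ALIYUN::ECS::SecurityGroupIngress", "Properties": props}


# Constructed sample: the page's own example rule plus two deliberately faulty rules.
SAMPLE_TEMPLATE = json.dumps({
    "ROSTemplateFormatVersion": "2015-09-01",
    "Parameters": {"SecurityGroupId": {"Type": "String"}},
    "Resources": {
        "AllowAllFromAnywhere": rule(SourceCidrIp="0.0.0.0/0", IpProtocol="all", NicType="intranet", PortRange="-1/-1"),
        "BadPortOrder": rule(SourceCidrIp="10.0.0.0/8", IpProtocol="tcp", PortRange="200/1"),
        "GroupSourceWrongNic": rule(SourceGroupId="sg-PLACEHOLDER", IpProtocol="tcp", PortRange="22/22", Priority=100),
    },
})
```

Running lint_template(SAMPLE_TEMPLATE) reports one finding per resource: the page's example rule is valid but flagged as exposing every port to any address, "BadPortOrder" fails the start/end ordering rule (200/1 is the page's own invalid example), and "GroupSourceWrongNic" is rejected because a group-only source with the default NicType of internet violates the intranet requirement. Values given as intrinsic functions such as {"Ref": ...} are skipped rather than reported, since they cannot be resolved before deployment.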