ALIYUN::ECS::SecurityGroupIngress is used to create an inbound access rule for a security group.

Statement

{
  "Type": "ALIYUN::ECS::SecurityGroupIngress",
  "Properties": {
    "SourceGroupOwnerId": String,
    "SourceGroupOwnerAccount": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String
  }
}

Properties

Parameter | Type | Required | Editable | Description and constraints

IpProtocol | String | Yes | No | The transport layer protocol to which the rule applies. Valid values: tcp, udp, icmp, gre, and all. A value of all matches all four protocols.
PortRange | String | Yes | No | The range of destination ports. Valid values:
  • When IpProtocol is tcp or udp, the port range is 1 to 65535. Write the starting port and the ending port separated by a forward slash (/), starting port first. Correct example: 1/200. Incorrect example: 200/1.
  • When IpProtocol is icmp, gre, or all, the port range must be -1/-1, which means all ports.

For more information about the application scenarios of the ports, see Typical applications of commonly used ports.

SourceGroupId | String | No | No | The ID of the source security group whose instances are matched by the rule. You must specify at least one of SourceGroupId and SourceCidrIp. If SourceGroupId is specified but SourceCidrIp is not, NicType must be set to intranet. If both SourceGroupId and SourceCidrIp are specified, SourceCidrIp prevails and the group reference is ignored.
SecurityGroupId | String | Yes | No | The ID of the security group to which the inbound rule is added.
NicType | String | No | No | The network type of the rule. Valid values:
  • internet
  • intranet

Default value: internet. Because the default is internet, a rule that references SourceGroupId without SourceCidrIp must set NicType to intranet explicitly.

SourceGroupOwnerAccount | String | No | No | The Alibaba Cloud account that manages the source security group when you create a rule across accounts. If neither SourceGroupOwnerAccount nor SourceGroupOwnerId is specified, the rule references a security group in your own account. If SourceCidrIp is specified, this parameter is ignored.
Priority | Integer | No | No | The priority of the rule. Valid values: 1 to 100, where 1 is the highest priority. When an accept rule and a drop rule overlap, the rule with the higher priority wins.

Default value: 1

SourceCidrIp | String | No | No | The source IPv4 CIDR block. Only IPv4 CIDR blocks are supported.
Policy | String | No | No | The access action. Valid values:
  • accept: allows access
  • drop: denies access

Default value: accept.

SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that manages the source security group when you create a rule across accounts. If neither SourceGroupOwnerId nor SourceGroupOwnerAccount is specified, the rule references a security group in your own account. If SourceCidrIp is specified, this parameter is ignored.
Description | String | No | Yes | The description of the rule. The description must be 1 to 512 characters in length.
SourcePortRange | String | No | No | The range of source ports. The format and valid values are the same as for PortRange:
  • When IpProtocol is tcp or udp, the port range is 1 to 65535, written as start/end. Correct example: 1/200. Incorrect example: 200/1.
  • When IpProtocol is icmp, gre, or all, the port range must be -1/-1, which means all ports.
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. Only IPv6 CIDR blocks are supported, and only the IPv6 addresses of ECS instances in VPCs can be specified.

Response parameters

Fn::GetAtt

None

Sample request

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "SG": {
      "Type": "ALIYUN::ECS::SecurityGroupIngress",
      "Properties": {
        "SecurityGroupId": "sg-25bow****",
        "IpProtocol": "tcp",
        "PortRange": "65535/65535",
        "SourceCidrIp": "0.0.0.0/0"
      }
    }
  }
}
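The sample above opens TCP port 65535 to every IPv4 address (SourceCidrIp 0.0.0.0/0), which is exactly the kind of rule a reviewer wants caught before a template is deployed. The following linter is an added example, not part of the ROS documentation or product: it encodes the PortRange, NicType, SourceCidrIp-precedence and Priority constraints from the property table, then flags accept rules reachable from 0.0.0.0/0 or ::/0. The ADMIN_PORTS list, the severity names, the treatment of Ipv6SourceCidrIp as a sufficient source on its own, and the security group IDs and CIDR blocks in the sample template are assumptions made for the example.

```python
"""Lint ALIYUN::ECS::SecurityGroupIngress resources in a ROS template.

Added example (not ROS documentation or product code). It checks the
documented PortRange, NicType, precedence and Priority rules, then flags
accept rules that expose ports to 0.0.0.0/0 or ::/0.
"""
import ipaddress

PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}
# Assumption: an organisational list of ports that must never be opened to
# the whole Internet. The ROS documentation defines no such list.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379}


def parse_port_range(protocol, port_range):
    """Validate PortRange/SourcePortRange per the documented rules.

    Returns (start, end) or raises ValueError for a malformed value.
    """
    if protocol in ("icmp", "gre", "all"):
        if port_range != "-1/-1":
            raise ValueError(f"{protocol} requires -1/-1, got {port_range!r}")
        return (-1, -1)
    try:
        start, end = (int(p) for p in port_range.split("/"))
    except ValueError:
        raise ValueError(f"expected start/end, got {port_range!r}") from None
    if not 1 <= start <= end <= 65535:  # rejects 200/1, port 0 and > 65535
        raise ValueError(f"reversed or out of range: {port_range!r}")
    return (start, end)


def lint_rule(name, props):
    """Return a list of (severity, message) findings for one ingress rule."""
    findings = []
    proto = props.get("IpProtocol")
    if proto not in PROTOCOLS:
        return [("error", f"{name}: invalid IpProtocol {proto!r}")]
    try:
        start, end = parse_port_range(proto, props.get("PortRange", ""))
    except ValueError as exc:
        return [("error", f"{name}: PortRange {exc}")]

    policy = props.get("Policy", "accept")
    if policy not in ("accept", "drop"):
        findings.append(("error", f"{name}: invalid Policy {policy!r}"))
    priority = props.get("Priority", 1)
    if not (isinstance(priority, int) and 1 <= priority <= 100):
        findings.append(("error", f"{name}: Priority must be an integer 1-100"))

    group = props.get("SourceGroupId")
    cidr = props.get("SourceCidrIp")
    cidr6 = props.get("Ipv6SourceCidrIp")  # assumption: valid as the only source
    if not (group or cidr or cidr6):
        findings.append(("error", f"{name}: no SourceGroupId or SourceCidrIp"))
        return findings
    if group and cidr:
        # Documented precedence: SourceCidrIp prevails, the group is ignored.
        findings.append(("warning", f"{name}: SourceCidrIp overrides SourceGroupId"))
    if group and not cidr and props.get("NicType", "internet") != "intranet":
        findings.append(("error", f"{name}: SourceGroupId without SourceCidrIp "
                                  "requires NicType intranet"))
    if cidr and (props.get("SourceGroupOwnerId") or props.get("SourceGroupOwnerAccount")):
        findings.append(("warning", f"{name}: owner fields ignored when SourceCidrIp is set"))

    if policy != "accept":
        return findings  # a drop rule exposes nothing
    for src in (cidr, cidr6):
        if not src:
            continue
        try:
            net = ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(("error", f"{name}: malformed CIDR {src!r}"))
            continue
        if net.prefixlen != 0:
            continue  # not reachable from the whole Internet
        if proto == "all" or (start, end) == (1, 65535):
            findings.append(("critical", f"{name}: every port open to {src}"))
        elif any(start <= p <= end for p in ADMIN_PORTS):
            findings.append(("high", f"{name}: admin port open to {src}"))
        else:
            findings.append(("info", f"{name}: {proto} {start}/{end} open to {src}"))
    return findings


def lint_template(template):
    """Lint every SecurityGroupIngress resource in a parsed ROS template."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "ALIYUN::ECS::SecurityGroupIngress":
            findings.extend(lint_rule(name, res.get("Properties", {})))
    return findings


def _rule(**props):
    """Build one ingress resource; the group ID is a placeholder."""
    return {"Type": "ALIYUN::ECS::SecurityGroupIngress",
            "Properties": {"SecurityGroupId": "sg-25bow****", **props}}


# Constructed sample template: the page's own style of 0.0.0.0/0 rule (on
# SSH), a bastion-scoped version of it, two group-sourced rules (one correct,
# one missing NicType intranet) and a drop rule.
SAMPLE_TEMPLATE = {"ROSTemplateFormatVersion": "2015-09-01", "Resources": {
    "SshFromAnywhere": _rule(IpProtocol="tcp", PortRange="22/22", SourceCidrIp="0.0.0.0/0"),
    "SshFromBastion": _rule(IpProtocol="tcp", PortRange="22/22", SourceCidrIp="203.0.113.0/24"),
    "AppFromWebTier": _rule(IpProtocol="tcp", PortRange="8080/8080",
                            SourceGroupId="sg-web****", NicType="intranet"),
    "BrokenGroupRule": _rule(IpProtocol="tcp", PortRange="3306/3306", SourceGroupId="sg-app****"),
    "DropScanner": _rule(IpProtocol="all", PortRange="-1/-1", SourceCidrIp="198.51.100.0/24",
                         Policy="drop", Priority=1),
}}

if __name__ == "__main__":
    for severity, message in lint_template(SAMPLE_TEMPLATE):
        print(f"[{severity}] {message}")
```

Run against the constructed template it reports the world-reachable SSH rule as high and the group-sourced rule that forgot NicType intranet as an error; the bastion-scoped, intranet group-sourced and drop rules produce nothing. Feeding it the page's own sample request yields an info finding for TCP 65535 open to 0.0.0.0/0, and changing that PortRange to 1/65535 or IpProtocol to all raises it to critical.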