ALIYUN::ECS::SecurityGroup is used to create a security group.
Syntax
{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
ResourceGroupId | String | No | No | The ID of the resource group to which the instance belongs. | None |
VpcId | String | No | No | The ID of the VPC. | None |
Description | String | No | No | The description of the security group. | The description must be 2 to 256 characters in length. |
Tags | List | No | Yes | The tags of the security group. | A maximum of 20 tags can be specified. For more information, see Tags properties. |
SecurityGroupName | String | No | No | The name of the security group. | The parameter is empty by default. |
SecurityGroupEgress | List | No | Yes | The outbound access rules of the security group. | For more information, see SecurityGroupEgress properties. |
SecurityGroupIngress | List | No | Yes | The inbound access rules of the security group. | For more information, see SecurityGroupIngress properties. |
SecurityGroupType | String | No | No | The type of the security group. | Valid values: |
Tags syntax
"Tags": [
  {
    "Value": String,
    "Key": String
  }
]
Tags properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
Key | String | Yes | No | The tag key. | The tag key must be 1 to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun. |
Value | String | No | No | The tag value. | The tag value must be 0 to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun. |
SecurityGroupEgress syntax
"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String
  }
]
SecurityGroupEgress properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
Description | String | No | Yes | The description of the security group rule. | The description must be 1 to 512 characters in length. |
DestGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that manages the destination security group when you set a security group rule across accounts. | If you do not specify this parameter, the access permission is configured for another security group managed by your account. If you specify the DestCidrIp parameter, the DestGroupOwnerId parameter is ignored. |
IpProtocol | String | Yes | No | The Internet protocol. | Valid values: |
PortRange | String | Yes | No | The range of port numbers corresponding to the Internet protocol. | The range of destination port numbers corresponding to the transport layer protocol. |
SecurityGroupId | String | No | No | The ID of the security group for which you want to create an outbound rule. | None |
NicType | String | No | No | The network type of the instance. | Default value: internet. Valid values: |
Priority | Integer | No | No | The priority of the authorization policy. | Valid values: 1 to 100. Default value: 1. |
DestGroupId | String | No | No | The ID of the destination security group within the same region. | You must specify at least one of the DestGroupId and DestCidrIp parameters. |
DestCidrIp | String | No | No | The destination IPv4 CIDR block. | The value must be in the CIDR format. The default value is 0.0.0.0/0, which includes every possible IP address. Examples of other supported formats include 10.159.XX.XX/12. A maximum of 10 IP addresses or CIDR blocks can be specified. Separate multiple IP addresses or CIDR blocks with commas (,). Note: Only IPv4 addresses are supported. |
Policy | String | No | No | The authorization policy. | Default value: accept. Valid values: |
Ipv6DestCidrIp | String | No | No | The destination IPv6 CIDR block. | IPv6 addresses in the CIDR format are supported. You can only specify the IP addresses of ECS instances in VPCs. |
SecurityGroupIngress syntax
"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String
  }
]
SecurityGroupIngress properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that owns the source security group. | None |
Description | String | No | Yes | The description of the security group rule. | The description must be 1 to 512 characters in length. |
IpProtocol | String | Yes | No | The Internet protocol. | Valid values: |
PortRange | String | Yes | No | The range of port numbers corresponding to the Internet protocol. | The range of destination port numbers corresponding to the transport layer protocol. |
SourceGroupId | String | No | No | The ID of the source security group within the same region. | You must specify at least one of the SourceGroupId and SourceCidrIp parameters. |
SecurityGroupId | String | No | No | The ID of the security group for which you want to create an inbound rule. | None |
NicType | String | No | No | The network type of the instance. | Default value: internet. Valid values: |
Priority | Integer | No | No | The priority of the authorization policy. | Valid values: 1 to 100. Default value: 1. |
SourceCidrIp | String | No | No | The source IPv4 CIDR block. | The value must be in the CIDR format. The default value is 0.0.0.0/0, which includes every possible IP address. Examples of other supported formats include 10.159.XX.XX/12. A maximum of 10 IP addresses or CIDR blocks can be specified. Separate multiple IP addresses or CIDR blocks with commas (,). Note: Only IPv4 addresses are supported. |
Policy | String | No | No | The authorization policy. | Default value: accept. Valid values: |
SourcePortRange | String | No | No | The range of source port numbers corresponding to the transport layer protocol. | |
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | You can only specify the IP addresses of ECS instances in VPCs. IPv6 addresses in the CIDR format are supported. |
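A pre-deployment check for the ingress defaults listed above, as an added example that is not part of the original documentation: it applies the documented defaults (Policy accept, Priority 1, SourceCidrIp 0.0.0.0/0) to each rule and reports rules that end up accepting traffic from any source. The function name, the finding labels and the rule about when the CIDR default applies are assumptions of this example.

```python
import ipaddress

MAX_CIDRS = 10  # page: at most 10 IP addresses or CIDR blocks per rule


def audit_ingress(rules):
    """Return (rule_index, finding) tuples for a SecurityGroupIngress list."""
    findings = []
    for i, rule in enumerate(rules):
        # Page defaults: Policy is accept, Priority is 1 (valid range 1 to 100).
        accepts = rule.get("Policy", "accept") == "accept"
        if not 1 <= rule.get("Priority", 1) <= 100:
            findings.append((i, "priority-out-of-range"))
        cidr_field = rule.get("SourceCidrIp")
        # Assumption: the 0.0.0.0/0 default only applies when the rule names
        # no other source (no SourceGroupId and no Ipv6SourceCidrIp).
        other_source = rule.get("SourceGroupId") or rule.get("Ipv6SourceCidrIp")
        if cidr_field is None and not other_source:
            cidr_field = "0.0.0.0/0"
            findings.append((i, "implicit-default-source"))
        cidrs = [c.strip() for c in (cidr_field or "").split(",") if c.strip()]
        if len(cidrs) > MAX_CIDRS:
            findings.append((i, "too-many-cidrs"))
        if rule.get("Ipv6SourceCidrIp"):
            cidrs.append(rule["Ipv6SourceCidrIp"])
        for cidr in cidrs:
            try:
                # strict=False accepts blocks written with host bits set.
                net = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append((i, "invalid-cidr:" + cidr))
                continue
            if accepts and net.prefixlen == 0:
                findings.append((i, "open-to-any-source:" + cidr))
    return findings


# Constructed sample rules; "tcp", the "start/end" port strings and the
# group ID are illustrative values, not taken from this page.
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "PortRange": "22/22"},
    {"IpProtocol": "tcp", "PortRange": "443/443",
     "SourceCidrIp": "10.0.0.0/8,192.168.1.10"},
    {"IpProtocol": "tcp", "PortRange": "3306/3306",
     "SourceGroupId": "sg-placeholder", "Priority": 101},
    {"IpProtocol": "tcp", "PortRange": "80/80", "Ipv6SourceCidrIp": "::/0"},
]

if __name__ == "__main__":
    print(audit_ingress(SAMPLE_RULES))
```

The same check applies to SecurityGroupEgress rules if the Source* keys are swapped for their Dest* counterparts.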
Response parameters
Fn::GetAtt
SecurityGroupId: the ID of the security group.
Examples
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Description": {
      "Type": "String",
      "Description": "Description of the security group, [2, 256] characters. Do not fill or empty, the default is empty."
    },
    "VpcId": {
      "Type": "String",
      "Description": "Physical ID of the VPC."
    },
    "SecurityGroupName": {
      "Type": "String",
      "Description": "Display name of the security group, [2, 128] English or Chinese characters, must start with a letter or Chinese in size, can contain numbers, '_' or '.', '-'"
    },
    "ResourceGroupId": {
      "Type": "String",
      "Description": "Resource group id."
    },
    "SecurityGroupType": {
      "Type": "String",
      "Description": "The type of the security group. Valid values:\nnormal: basic security group\nenterprise: advanced security group",
      "AllowedValues": [
        "normal",
        "enterprise"
      ]
    },
    "SecurityGroupIngress": {
      "Type": "Json",
      "Description": "Ingress rules for the security group."
    },
    "Tags": {
      "Type": "Json",
      "Description": "Tags to attach to instance. Max support 20 tags to add during create instance. Each tag with two properties Key and Value, and Key is required.",
      "MaxLength": 20
    },
    "SecurityGroupEgress": {
      "Type": "Json",
      "Description": "egress rules for the security group."
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "Description": {
          "Ref": "Description"
        },
        "VpcId": {
          "Ref": "VpcId"
        },
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "ResourceGroupId": {
          "Ref": "ResourceGroupId"
        },
        "SecurityGroupType": {
          "Ref": "SecurityGroupType"
        },
        "SecurityGroupIngress": {
          "Ref": "SecurityGroupIngress"
        },
        "Tags": {
          "Ref": "Tags"
        },
        "SecurityGroupEgress": {
          "Ref": "SecurityGroupEgress"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "generated security group id for security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    }
  }
}
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  Description:
    Type: String
    Description: >-
      Description of the security group, [2, 256] characters. Do not fill or
      empty, the default is empty.
  VpcId:
    Type: String
    Description: Physical ID of the VPC.
  SecurityGroupName:
    Type: String
    Description: >-
      Display name of the security group, [2, 128] English or Chinese
      characters, must start with a letter or Chinese in size, can contain
      numbers, '_' or '.', '-'
  ResourceGroupId:
    Type: String
    Description: Resource group id.
  SecurityGroupType:
    Type: String
    Description: |-
      The type of the security group. Valid values:
      normal: basic security group
      enterprise: advanced security group
    AllowedValues:
      - normal
      - enterprise
  SecurityGroupIngress:
    Type: Json
    Description: Ingress rules for the security group.
  Tags:
    Type: Json
    Description: >-
      Tags to attach to instance. Max support 20 tags to add during create
      instance. Each tag with two properties Key and Value, and Key is required.
    MaxLength: 20
  SecurityGroupEgress:
    Type: Json
    Description: egress rules for the security group.
Resources:
  SecurityGroup:
    Type: 'ALIYUN::ECS::SecurityGroup'
    Properties:
      Description:
        Ref: Description
      VpcId:
        Ref: VpcId
      SecurityGroupName:
        Ref: SecurityGroupName
      ResourceGroupId:
        Ref: ResourceGroupId
      SecurityGroupType:
        Ref: SecurityGroupType
      SecurityGroupIngress:
        Ref: SecurityGroupIngress
      Tags:
        Ref: Tags
      SecurityGroupEgress:
        Ref: SecurityGroupEgress
Outputs:
  SecurityGroupId:
    Description: generated security group id for security group.
    Value:
      'Fn::GetAtt':
        - SecurityGroup
        - SecurityGroupId