ALIYUN::ECS::SecurityGroup - Resource Types| Alibaba Cloud Documentation Center

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}

Properties


Property	Type	Required	Editable	Description	Constraint
ResourceGroupId	String	No	No	The ID of the resource group to which the ECS instance belongs.	None
VpcId	String	No	No	The ID of the VPC.	None
Description	String	No	No	The description of the security group.	It must be 2 to 256 characters in length.
Tags	List	No	Yes	The tags of the security group.	A maximum of 20 tags can be specified. For more information, see Tags properties.
SecurityGroupName	String	No	No	The name of the security group.	Default value: empty. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). The name must start with a letter and cannot start with `http://` or `https://`.
SecurityGroupEgress	List	No	Yes	The outbound access rules of the security group.	For more information, see SecurityGroupEgress properties.
SecurityGroupIngress	List	No	Yes	The inbound access rules of the security group.	For more information, see SecurityGroupIngress properties.
SecurityGroupType	String	No	No	The type of the security group.	Valid values: normal: a basic security group enterprise: an advanced security group

Tags syntax

"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]

Tags properties


Property	Type	Required	Editable	Description	Constraint
Key	String	Yes	No	The key of the tag.	The tag key must be 1 to 128 characters in length and cannot contain `http://` or `https://`. It cannot start with `acs:` or `aliyun`.
Value	String	No	No	The value of the tag.	The tag value must be 0 to 128 characters in length and cannot contain `http://` or `https://`. It cannot start with `acs:` or `aliyun`.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String
  }
]

SecurityGroupEgress properties


Property	Type	Required	Editable	Description	Constraint
Description	String	No	Yes	The description of the security group rule.	The description must be 1 to 512 characters in length.
DestGroupOwnerId	String	No	No	The ID of the Alibaba Cloud account that owns the destination security group. This parameter is used to grant the current security group access to security groups in another Alibaba Cloud account.	If this parameter is not specified, the access permission is configured for another security group managed by your account. If the DestCidrIp parameter is specified, the DestGroupOwnerId parameter is ignored.
IpProtocol	String	Yes	No	The Internet protocol.	Valid values: tcp udp icmp gre all
PortRange	String	Yes	No	The range of port numbers corresponding to the Internet protocol.	The range of destination ports corresponding to the transport layer protocol. Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1. When the IpProtocol parameter is set to gre, the port number range is -1/-1. When the IpProtocol parameter is set to all, the port number range is -1/-1.
SecurityGroupId	String	No	No	The ID of the security group for which to create the outbound access rules.	None
NicType	String	No	No	The network type of the instance.	Default value: internet. Valid values: internet intranet
Priority	Integer	No	No	The priority of the authorization policy.	Valid values: 1 to 100. Default value: 1.
DestGroupId	String	No	No	The ID of the destination security group within the same region.	You must specify one of the DestGroupId and DestCidrIp parameters. If both of them are specified, the system authorizes the destination CIDR block specified by the DestCidrIp parameter. If the DestGroupId parameter is specified, but the DestCidrIp parameter is not, you must set the NicType parameter to intranet.
DestCidrIp	String	No	No	The destination CIDR block.	The value must be in the CIDR format. The default value is 0.0.0.0/0, which indicates that access from any IP addresses is allowed. Examples of other supported formats include 10.159.XX.XX/12. Note Only IPv4 addresses are supported.
Policy	String	No	No	The authorization policy.	Default value: accept. Valid values: accept: grants access. drop: denies access.
Ipv6DestCidrIp	String	No	No	The destination IPv6 CIDR block.	IPv6 addresses in the CIDR format are supported. You can only specify the IP addresses for ECS instances in VPCs.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String
  }
]

SecurityGroupIngress properties


Property	Type	Required	Editable	Description	Constraint
SourceGroupOwnerId	String	No	No	The ID of the Alibaba Cloud account that owns the source security group.	None
Description	String	No	Yes	The description of the security group rule.	The description must be 1 to 512 characters in length.
IpProtocol	String	Yes	No	The Internet protocol.	Valid values: tcp udp icmp gre all
PortRange	String	Yes	No	The range of port numbers corresponding to the IP protocol.	The range of destination ports corresponding to the transport layer protocol. Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1. When the IpProtocol parameter is set to gre, the port number range is -1/-1. When the IpProtocol parameter is set to all, the port number range is -1/-1.
SourceGroupId	String	No	No	The ID of the source security group within the same region.	You must specify one of the SourceGroupId and SourceCidrIp parameters. If both parameters are specified, the system authorizes the source CIDR block specified by the SourceCidrIp parameter. If the SourceGroupId parameter is specified, but the SourceCidrIp parameter is not, you must set the NicType parameter to intranet.
SecurityGroupId	String	No	No	The ID of the security group for which to create the inbound access rules.	None
NicType	String	No	No	The network type of the instance.	Default value: internet. Valid values: internet intranet
Priority	Integer	No	No	The priority of the authorization policy.	Valid values: 1 to 100. Default value: 1.
SourceCidrIp	String	No	No	The destination CIDR block.	The value must be in the CIDR format. The default value is 0.0.0.0/0, which indicates that access from any IP addresses is allowed. Examples of other supported formats include 10.159.XX.XX/12. Note Only IPv4 addresses are supported.
Policy	String	No	No	The authorization policy.	Default value: accept. Valid values: accept: grants access. drop: denies access.
SourcePortRange	String	No	No	The range of source ports relevant to the transport layer protocol.	Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the starting port and ending port with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1. When the IpProtocol parameter is set to gre, the port number range is -1/-1. When the IpProtocol parameter is set to all, the port number range is -1/-1.
Ipv6SourceCidrIp	String	No	No	The source IPv6 CIDR block.	You can only specify the IP addresses for ECS instances in VPCs. IPv6 addresses in the CIDR format are supported.

Response parameters

Fn::GetAtt

SecurityGroupId: the ID of the security group.

Examples

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Description": {
      "Type": "String",
      "Description": "Description of the security group, [2, 256] characters. Do not fill or empty, the default is empty."
    },
    "VpcId": {
      "Type": "String",
      "Description": "Physical ID of the VPC."
    },
    "SecurityGroupName": {
      "Type": "String",
      "Description": "Display name of the security group, [2, 128] English or Chinese characters, must start with a letter or Chinese in size, can contain numbers, '_' or '.', '-'"
    },
    "ResourceGroupId": {
      "Type": "String",
      "Description": "Resource group id."
    },
    "SecurityGroupType": {
      "Type": "String",
      "Description": "The type of the security group. Valid values:\nnormal: basic security group\nenterprise: advanced security group",
      "AllowedValues": [
        "normal",
        "enterprise"
      ]
    },
    "SecurityGroupIngress": {
      "Type": "Json",
      "Description": "Ingress rules for the security group."
    },
    "Tags": {
      "Type": "Json",
      "Description": "Tags to attach to instance. Max support 20 tags to add during create instance. Each tag with two properties Key and Value, and Key is required.",
      "MaxLength": 20
    },
    "SecurityGroupEgress": {
      "Type": "Json",
      "Description": "egress rules for the security group."
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "Description": {
          "Ref": "Description"
        },
        "VpcId": {
          "Ref": "VpcId"
        },
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "ResourceGroupId": {
          "Ref": "ResourceGroupId"
        },
        "SecurityGroupType": {
          "Ref": "SecurityGroupType"
        },
        "SecurityGroupIngress": {
          "Ref": "SecurityGroupIngress"
        },
        "Tags": {
          "Ref": "Tags"
        },
        "SecurityGroupEgress": {
          "Ref": "SecurityGroupEgress"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "generated security group id for security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    }
  }
}

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  Description:
    Type: String
    Description: >-
      Description of the security group, [2, 256] characters. Do not fill or
      empty, the default is empty.
  VpcId:
    Type: String
    Description: Physical ID of the VPC.
  SecurityGroupName:
    Type: String
    Description: >-
      Display name of the security group, [2, 128] English or Chinese
      characters, must start with a letter or Chinese in size, can contain
      numbers, '_' or '.', '-'
  ResourceGroupId:
    Type: String
    Description: Resource group id.
  SecurityGroupType:
    Type: String
    Description: |-
      The type of the security group. Valid values:
      normal: basic security group
      enterprise: advanced security group
    AllowedValues:
      - normal
      - enterprise
  SecurityGroupIngress:
    Type: Json
    Description: Ingress rules for the security group.
  Tags:
    Type: Json
    Description: >-
      Tags to attach to instance. Max support 20 tags to add during create
      instance. Each tag with two properties Key and Value, and Key is required.
    MaxLength: 20
  SecurityGroupEgress:
    Type: Json
    Description: egress rules for the security group.
Resources:
  SecurityGroup:
    Type: 'ALIYUN::ECS::SecurityGroup'
    Properties:
      Description:
        Ref: Description
      VpcId:
        Ref: VpcId
      SecurityGroupName:
        Ref: SecurityGroupName
      ResourceGroupId:
        Ref: ResourceGroupId
      SecurityGroupType:
        Ref: SecurityGroupType
      SecurityGroupIngress:
        Ref: SecurityGroupIngress
      Tags:
        Ref: Tags
      SecurityGroupEgress:
        Ref: SecurityGroupEgress
Outputs:
  SecurityGroupId:
    Description: generated security group id for security group.
    Value:
      'Fn::GetAtt':
        - SecurityGroup
        - SecurityGroupId