ALIYUN::ECS::SecurityGroup - Resource Types| Alibaba Cloud Documentation Center

The ALIYUN::ECS::SecurityGroup type is used to create a security group.

Syntax

{
   "Type" : "ALIYUN::ECS::SecurityGroup",
   "Properties" : {
      "SecurityGroupName" : String,
      "Description" : String,
      "VpcId": String,
      "SecurityGroupEgress": String,
      "SecurityGroupIngress": String
   }
}

Properties

Name	Type	Required	Update allowed	Description	Constraint
VpcId	string	No	No	VPC ID.	N/A
Description	string	No	No	Security group description.	The description is a string of 2 to 256 characters. It cannot start with http:// or https://.
Tags	list	No	No	Custom tag.	Up to four tags are supported, in the format of [{“Key”:”tagKey”,”Value”:”tagValue”},{“Key”:”tagKey2”,”Value”:”tagValue2”}].
SecurityGroupName	string	No	No	Name of the security group.	If this parameter is not specified, it is null. The default value is null. The parameter value is a string of 2 to 128 English letters. It must start with an English letter and can contain English letters, periods(.), underscores(), and hyphens(-). It cannot start with http:// or https://. The disk name is displayed on the console.
SecurityGroupEgress	list	No	No	Egress access rule of the security group.	N/A
SecurityGroupIngress	list	No	No	Ingress access rule of the security group.	N/A

Tags syntax

"Tags" : [
     {
        "Value" : String,
        "Key" : String
    }
]

Tags properties

Name	Type	Required	Update allowed	Description	Constraint
Key	string	Yes	No	N/A	N/A
Value	string	No	No	N/A	N/A

SecurityGroupIngress syntax

"SecurityGroupEgress" : [
  {
    "PortRange" : String,
    "SecurityGroupId" : String,
    "NicType" : String,
    "Priority" : Integer,
    "DestGroupId" : String,
    "DestCidrIp" : String,
    "Policy" : String,
    "IpProtocol" : String,
    "DestGroupOwnerAccount" : String
  }
]

SecurityGroupEgress properties

Name	Type	Required	Update allowed	Description	Constraint
IpProtocol	string	Yes	No	IP protocol.	Value options: tcp, udp, icmp, gre, and all.The value “all” indicates that it supports all the four protocols.
PortRange	string	No	No	Range of the port numbers of a specific IP protocol.	When IpProtocol is set to “tcp” or “udp”, the default port numbers are used, and the port number range is [1, 65535]. For example, “1/200” indicates the port number range [1, 200]. If the value “200/1” is input, an error is returned when the interface is called. When IpProtocol is set to “icmp”, the port number range is -1/-1. When IpProtocol is set to “gre”, the port number range is -1/-1. When IpProtocol is set to “all”, the port number range is -1/-1.
SecurityGroupId	string	No	No	ID of the security group for which an egress access rule is to be created.	N/A
NicType	string	No	No	Network type.	Value options: Internet and intranet. default value: Internet.
Priority	integer	No	No	Authorization policy priority.	Value range: [1, 100]. default value: 1.
DestGroupId	string	No	No	ID of the target security group in the same region.	Either DestGroupId or DestCidrIp must be set. If both are set, DestCidrIp is authorized by default. If this parameter is specified but DestCidrIp is unspecified, NicType can only be set to intranet.
DestCidrIp	string	No	No	Target IP address range.	The IP address range must be specified in CIDR format. The default value is 0.0.0.0/0 (indicating that no restriction is applied). Other supported formats include 10.159.6.18/12. Only IPv4 is supported.
Policy	string	No	No	Authorization policy.	Value options: accept (access request accepted) and drop (access request denied). default value: accept.
DestGroupOwnerAccount	string	No	No	The Alibaba Cloud account to which the target security group belongs. This parameter is applicable in cross-user security group authorization.	N/A

SecurityGroupIngress syntax

"SecurityGroupIngress" : [
  {
    "SourceGroupId" : String,
    "PortRange" : String,
    "SecurityGroupId" : String,
    "NicType" : String,
    "SourceGroupOwnerAccount" : String,
    "Priority" : Integer,
    "SourceCidrIp" : String,
    "Policy" : String,
    "IpProtocol" : String
  }
]

SecurityGroupIngress properties

Name	Type	Required	Update allowed	Description	Constraint
IpProtocol	string	Yes	No	IP protocol.	Value options: tcp, udp, icmp, gre. and all.The value “all” indicates the support of all the four protocols.
PortRange	string	No	No	Range of the port numbers of a specific IP protocol.	When IpProtocol is set to “tcp” or “udp”, the default port numbers are used, and the port number range is [1, 65535]. For example, “1/200” indicates the port number range [1, 200]. If the value “200/1” is input, an error is returned when the interface is called. When IpProtocol is set to “icmp”, the port number range is -1/-1. When IpProtocol is set to “gre”, the port number range is -1/-1. When IpProtocol is set to “all”, the port number range is -1/-1.
SourceGroupId	string	No	No	ID of the source security group in the same region.	ID of the source security group. Either SourceGroupId or SourceCidrIp must be set. If both are set, SourceCidrIp is authorized by default. If this parameter is specified but SourceCidrIp is unspecified, NicType can only be set to intranet.
SecurityGroupId	string	No	No	ID of the security group for which an ingress access rule is to be created.	N/A
NicType	string	No	No	Network type.	Value options: Internet and intranet. default value: Internet.
SourceGroupOwnerAccount	string	No	No	The Alibaba Cloud account to which the target security group belongs. This parameter is applicable in cross-user security group authorization.	N/A
Priority	integer	No	No	Authorization policy priority.	Value range: [1, 100]. default value: 1.
SourceCidrIp	string	No	No	Target IP address range.	The IP address range must be specified in CIDR format. The default value is 0.0.0.0/0 (indicating that no restriction is applied). Other supported formats include 10.159.6.18/12. Only IPv4 is supported.
Policy	string	No	No	Authorization policy.	Value options: accept (access request accepted) and drop (access request denied) Default value: accept.

Return values

Fn::GetAtt

SecurityGroupId: ID of the security group.

Example

{
  "ROSTemplateFormatVersion" : "2015-09-01",
  "Resources" : {
    "SG": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": [
          {
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "internet",
            "PortRange": "-1/-1",
            "Priority": 1
          },
          {
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "intranet",
            "PortRange": "-1/-1",
            "Priority": 1
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "all",
            "DestCidrIp": "0.0.0.0/0",
            "NicType": "internet",
            "PortRange": "-1/-1",
            "Priority": 1
          },
          {
            "IpProtocol": "all",
            "DestCidrIp": "0.0.0.0/0",
            "NicType": "intranet",
            "PortRange": "-1/-1",
            "Priority": 1
          }
        ],
        "VpcId": {
          "Ref": "Vpc"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Value" : {"Fn::GetAtt": ["SG","SecurityGroupId"]}
    }
  }
}