Document Center
edit-icon download-icon

ALIYUN::ECS::SecurityGroup

Last Updated: Jun 13, 2018

The ALIYUN::ECS::SecurityGroup type is used to create a security group.

Syntax

  1. {
  2.    "Type" : "ALIYUN::ECS::SecurityGroup",
  3.    "Properties" : {
  4.       "SecurityGroupName" : String,
  5.       "Description" : String,
  6.       "VpcId": String,
  7.       "SecurityGroupEgress": String,
  8.       "SecurityGroupIngress": String
  9.    }
  10. }

Properties

Name Type Required Update allowed Description Constraint
VpcId string No No VPC ID. N/A
Description string No No Security group description. The description is a string of 2 to 256 characters. It cannot start with http:// or https://.
TagslistNoNoCustom tag.Up to four tags are supported, in the format of [{“Key”:”tagKey”,”Value”:”tagValue”},{“Key”:”tagKey2”,”Value”:”tagValue2”}].
SecurityGroupName string No No Name of the security group. If this parameter is not specified, it is null. The default value is null. The parameter value is a string of 2 to 128 English letters. It must start with an English letter and can contain English letters, periods(.), underscores(), and hyphens(-). It cannot start with http:// or https://. The disk name is displayed on the console.
SecurityGroupEgress list No No Egress access rule of the security group. N/A
SecurityGroupIngress list No No Ingress access rule of the security group. N/A

Tags syntax

  1. "Tags" : [
  2.      {
  3.         "Value" : String,
  4.         "Key" : String
  5.     }
  6. ]

Tags properties

Name Type Required Update allowed Description Constraint
Key string Yes No N/A N/A
Value string No No N/A N/A

SecurityGroupIngress syntax

  1. "SecurityGroupEgress" : [
  2.   {
  3.     "PortRange" : String,
  4.     "SecurityGroupId" : String,
  5.     "NicType" : String,
  6.     "Priority" : Integer,
  7.     "DestGroupId" : String,
  8.     "DestCidrIp" : String,
  9.     "Policy" : String,
  10.     "IpProtocol" : String,
  11.     "DestGroupOwnerAccount" : String
  12.   }
  13. ]

SecurityGroupEgress properties

Name Type Required Update allowed Description Constraint
IpProtocol string Yes No IP protocol. Value options: tcp, udp, icmp, gre, and all.The value “all” indicates that it supports all the four protocols.
PortRange string No No Range of the port numbers of a specific IP protocol. When IpProtocol is set to “tcp” or “udp”, the default port numbers are used, and the port number range is [1, 65535]. For example, “1/200” indicates the port number range [1, 200]. If the value “200/1” is input, an error is returned when the interface is called.
When IpProtocol is set to “icmp”, the port number range is -1/-1.
When IpProtocol is set to “gre”, the port number range is -1/-1.
When IpProtocol is set to “all”, the port number range is -1/-1.
SecurityGroupId string No No ID of the security group for which an egress access rule is to be created. N/A
NicType string No No Network type. Value options: Internet and intranet. default value: Internet.
Priority integer No No Authorization policy priority. Value range: [1, 100]. default value: 1.
DestGroupId string No No ID of the target security group in the same region. Either DestGroupId or DestCidrIp must be set. If both are set, DestCidrIp is authorized by default. If this parameter is specified but DestCidrIp is unspecified, NicType can only be set to intranet.
DestCidrIp string No No Target IP address range. The IP address range must be specified in CIDR format. The default value is 0.0.0.0/0 (indicating that no restriction is applied). Other supported formats include 10.159.6.18/12. Only IPv4 is supported.
Policy string No No Authorization policy. Value options: accept (access request accepted) and drop (access request denied). default value: accept.
DestGroupOwnerAccount string No No The Alibaba Cloud account to which the target security group belongs. This parameter is applicable in cross-user security group authorization. N/A

SecurityGroupIngress syntax

  1. "SecurityGroupIngress" : [
  2.   {
  3.     "SourceGroupId" : String,
  4.     "PortRange" : String,
  5.     "SecurityGroupId" : String,
  6.     "NicType" : String,
  7.     "SourceGroupOwnerAccount" : String,
  8.     "Priority" : Integer,
  9.     "SourceCidrIp" : String,
  10.     "Policy" : String,
  11.     "IpProtocol" : String
  12.   }
  13. ]

SecurityGroupIngress properties

Name Type Required Update allowed Description Constraint
IpProtocol string Yes No IP protocol. Value options: tcp, udp, icmp, gre. and all.The value “all” indicates the support of all the four protocols.
PortRange string No No Range of the port numbers of a specific IP protocol. When IpProtocol is set to “tcp” or “udp”, the default port numbers are used, and the port number range is [1, 65535]. For example, “1/200” indicates the port number range [1, 200]. If the value “200/1” is input, an error is returned when the interface is called.
When IpProtocol is set to “icmp”, the port number range is -1/-1.
When IpProtocol is set to “gre”, the port number range is -1/-1.
When IpProtocol is set to “all”, the port number range is -1/-1.
SourceGroupId string No No ID of the source security group in the same region. ID of the source security group. Either SourceGroupId or SourceCidrIp must be set. If both are set, SourceCidrIp is authorized by default. If this parameter is specified but SourceCidrIp is unspecified, NicType can only be set to intranet.
SecurityGroupId string No No ID of the security group for which an ingress access rule is to be created. N/A
NicType string No No Network type. Value options: Internet and intranet. default value: Internet.
SourceGroupOwnerAccount string No No The Alibaba Cloud account to which the target security group belongs. This parameter is applicable in cross-user security group authorization. N/A
Priority integer No No Authorization policy priority. Value range: [1, 100]. default value: 1.
SourceCidrIp string No No Target IP address range. The IP address range must be specified in CIDR format. The default value is 0.0.0.0/0 (indicating that no restriction is applied). Other supported formats include 10.159.6.18/12. Only IPv4 is supported.
Policy string No No Authorization policy. Value options: accept (access request accepted) and drop (access request denied)
Default value: accept.

Return values

Fn::GetAtt

SecurityGroupId: ID of the security group.

Example

  1. {
  2.   "ROSTemplateFormatVersion" : "2015-09-01",
  3.   "Resources" : {
  4.     "SG": {
  5.       "Type": "ALIYUN::ECS::SecurityGroup",
  6.       "Properties": {
  7.         "SecurityGroupName": {
  8.           "Ref": "SecurityGroupName"
  9.         },
  10.         "SecurityGroupIngress": [
  11.           {
  12.             "SourceCidrIp": "0.0.0.0/0",
  13.             "IpProtocol": "all",
  14.             "NicType": "internet",
  15.             "PortRange": "-1/-1",
  16.             "Priority": 1
  17.           },
  18.           {
  19.             "SourceCidrIp": "0.0.0.0/0",
  20.             "IpProtocol": "all",
  21.             "NicType": "intranet",
  22.             "PortRange": "-1/-1",
  23.             "Priority": 1
  24.           }
  25.         ],
  26.         "SecurityGroupEgress": [
  27.           {
  28.             "IpProtocol": "all",
  29.             "DestCidrIp": "0.0.0.0/0",
  30.             "NicType": "internet",
  31.             "PortRange": "-1/-1",
  32.             "Priority": 1
  33.           },
  34.           {
  35.             "IpProtocol": "all",
  36.             "DestCidrIp": "0.0.0.0/0",
  37.             "NicType": "intranet",
  38.             "PortRange": "-1/-1",
  39.             "Priority": 1
  40.           }
  41.         ],
  42.         "VpcId": {
  43.           "Ref": "Vpc"
  44.         }
  45.       }
  46.     }
  47.   },
  48.   "Outputs": {
  49.     "SecurityGroupId": {
  50.       "Value" : {"Fn::GetAtt": ["SG","SecurityGroupId"]}
  51.     }
  52.   }
  53. }
Thank you! We've received your feedback.
Free Trial Free Trial