ALIYUN::ECS::SecurityGroup - Resource Types| Alibaba Cloud Documentation Center

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}

Properties


Name	Type	Required	Editable	Description	Validity
ResourceGroupId	String	No	No	The ID of the resource group to which created instances belong.	None
VpcId	String	No	No	The ID of the VPC.	None
Description	String	No	No	The description of the security group.	The description must be 2 to 256 characters in length.
Tags	List	No	No	The tags of the security group.	A maximum of 20 tags can be specified.
SecurityGroupName	String	No	No	The name of the security group.	Default value: empty. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://.
SecurityGroupEgress	List	No	No	The outbound access rules of the security group.	None
SecurityGroupIngress	List	No	No	The inbound access rules of the security group.	None
SecurityGroupType	String	No	No	The type of the security group.	Valid values: normal and enterprise. A value of normal specifies a basic security group. A value of enterprise specifies an advanced security group.

Tags syntax

"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]

Tags properties


Name	Type	Required	Editable	Description	Validity
Key	String	Yes	No	None	None
Value	String	No	No	None	None

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerAccount": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String
  }
]

SecurityGroupEgress properties


Name	Type	Required	Editable	Description	Validity
Description	String	No	No	The description of the security group rules.	The description must be 1 to 512 characters in length.
DestGroupOwnerId	String	No	No	The ID of the Alibaba Cloud account that owns the destination security group. This parameter is used to grant the current security group access to security groups in another Alibaba Cloud account.	If neither the DestGroupOwnerId parameter nor the DestGroupOwnerAccount parameter is specified, the current security group is granted access to other security groups in the same Alibaba Cloud account. If the DestCidrIp parameter is specified, the DestGroupOwnerId parameter is ignored.
IpProtocol	String	Yes	No	The Internet protocol.	Valid values: tcp, udp, icmp, gre, and all. A value of all specifies that all the four protocols are supported.
PortRange	String	No	No	The range of port numbers corresponding to the Internet protocol.	The range of destination ports corresponding to the transport layer protocol. Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start number and the end number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1. When the IpProtocol parameter is set to gre, the port number range is -1/-1. When the IpProtocol parameter is set to all, the port number range is -1/-1.
SecurityGroupId	String	No	No	The ID of the security group for which to create the outbound access rules.	None
NicType	String	No	No	The network type of the instance.	Valid values: internet and intranet. Default value: internet.
Priority	Integer	No	No	The priority of the authorization policy.	Valid values: 1 to 100. Default value: 1.
DestGroupId	String	No	No	The ID of the destination security group within the same region.	You must specify either the DestGroupId parameter or the DestCidrIp parameter. If both parameters are specified, the system authorizes the destination CIDR block specified by the DestCidrIp parameter. If the DestGroupId parameter is specified, but the DestCidrIp parameter is not, you must set the NicType parameter to intranet.
DestCidrIp	String	No	No	The destination CIDR block.	The value must be in CIDR format. The default value is 0.0.0.0/0, indicating that access from any IP addresses is allowed. Examples of other supported formats include 10.159.6.18/12. Only IPv4 addresses are supported.
Policy	String	No	No	The authorization policy.	Valid values: accept and drop. Default value: accept.
DestGroupOwnerAccount	String	No	No	The Alibaba Cloud account of the destination security group when you grant security group permissions across accounts.	None
Ipv6DestCidrIp	String	No	No	The destination IPv6 CIDR block.	IPv6 addresses in CIDR format are supported. You can only specify the IP addresses for ECS instances in VPCs.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "SourceGroupOwnerAccount": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourceCidrIp": String,
    "Ipv6SourceCidrIp": String
  }
]

SecurityGroupIngress properties


Name	Type	Required	Editable	Description	Validity
SourceGroupOwnerId	String	No	No	The ID of the Alibaba Cloud account that owns the source security group.	None
Description	String	No	No	The description of the security group rules.	The description must be 1 to 512 characters in length.
IpProtocol	String	Yes	No	The Internet protocol.	Valid values: tcp, udp, icmp, gre, and all. A value of all specifies that all the four protocols are supported.
PortRange	String	No	No	The range of port numbers corresponding to the Internet protocol.	The range of destination ports corresponding to the transport layer protocol. Valid values: When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start number and the end number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1. When the IpProtocol parameter is set to icmp, the port number range is -1/-1. When the IpProtocol parameter is set to gre, the port number range is -1/-1. When the IpProtocol parameter is set to all, the port number range is -1/-1.
SourceGroupId	String	No	No	The ID of the source security group within the same region.	You must specify either the SourceGroupId parameter or the SourceCidrIp parameter. If both parameters are specified, the system authorizes the source CIDR block specified by the SourceCidrIp parameter. If the SourceGroupId parameter is specified, but the SourceCidrIp parameter is not, you must set the NicType parameter to intranet.
SecurityGroupId	String	No	No	The ID of the security group for which to create the inbound access rules.	None
NicType	String	No	No	The network type of the instance.	Valid values: internet and intranet. Default value: internet.
SourceGroupOwnerAccount	String	No	No	The Alibaba Cloud account of the destination security group when you grant security group permissions across accounts.	None
Priority	Integer	No	No	The priority of the authorization policy.	Valid values: 1 to 100. Default value: 1.
SourceCidrIp	String	No	No	The source IPv4 CIDR block.	The value must be in CIDR format. The default value is 0.0.0.0/0, indicating that access from any IP addresses is allowed. Examples of other supported formats include 10.159.6.18/12. Only IPv4 addresses are supported.
Policy	String	No	No	The authorization policy.	Valid values: accept and drop. Default value: accept.
Ipv6SourceCidrIp	String	No	No	The source IPv6 CIDR block. IPv6 addresses in CIDR format are supported.	You can only specify the IP addresses for ECS instances in VPCs.

Response parameters

Fn::GetAtt

SecurityGroupId: the ID of the security group.

Examples

{
  "ROSTemplateFormatVersion" : "2015-09-01",
  "Resources" : {
    "SG": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": [
          {
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "internet",
            "PortRange": "-1/-1",
            "Priority": 1
          },
          {
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "intranet",
            "PortRange": "-1/-1",
            "Priority": 1
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "all",
            "DestCidrIp": "0.0.0.0/0",
            "NicType": "internet",
            "PortRange": "-1/-1",
            "Priority": 1
          },
          {
            "IpProtocol": "all",
            "DestCidrIp": "0.0.0.0/0",
            "NicType": "intranet",
            "PortRange": "-1/-1",
            "Priority": 1
          }
        ],
        "VpcId": {
          "Ref": "Vpc"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Value" : {"Fn::GetAtt": ["SG","SecurityGroupId"]}
    }
  }
}