ALIYUN::ECS::SecurityGroup is used to create a security group.
Syntax
{
"Type": "ALIYUN::ECS::SecurityGroup",
"Properties": {
"VpcId": String,
"Description": String,
"SecurityGroupName": String,
"Tags": List,
"SecurityGroupEgress": List,
"SecurityGroupIngress": List,
"ResourceGroupId": String,
"SecurityGroupType": String
}
}
Properties
Property | Type | Required | Editable | Description | Constraint |
ResourceGroupId | String | No | Yes | The ID of the resource group to which the security group belongs. | None. |
VpcId | String | No | No | The ID of the virtual private cloud (VPC). | None. |
Description | String | No | No | The description of the security group. | The description must be 2 to 256 characters in length. |
Tags | List | No | Yes | The tags of the security group. | You can add up to 20 tags. For more information, see Tags properties. |
SecurityGroupName | String | No | No | The name of the security group. | By default, this property is empty. |
SecurityGroupEgress | List | No | Yes | The outbound rule of the security group. | For more information, see SecurityGroupEgress properties. |
SecurityGroupIngress | List | No | Yes | The inbound rule of the security group. | For more information, see SecurityGroupIngress properties. |
SecurityGroupType | String | No | No | The type of the security group. | Valid values: |
Tags syntax
"Tags": [
{
"Value" : String,
"Key" : String
}
]
Tags properties
Property | Type | Required | Editable | Description | Constraint |
Key | String | Yes | No | The key of the tag. | The tag key must be 1 to 128 characters in length, and cannot contain |
Value | String | No | No | The value of the tag. | The tag value can be up to 128 characters in length, and cannot contain |
SecurityGroupEgress syntax
"SecurityGroupEgress": [
{
"Description": String,
"PortRange": String,
"SecurityGroupId": String,
"NicType": String,
"Priority": Integer,
"DestGroupId": String,
"DestCidrIp": String,
"Policy": String,
"IpProtocol": String,
"DestGroupOwnerId": String,
"Ipv6DestCidrIp": String,
"DestPrefixListId": String
}
]
SecurityGroupEgress properties
Property | Type | Required | Editable | Description | Constraint |
Description | String | No | Yes | The description of the outbound rule. | The description must be 1 to 512 characters in length. |
DestGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account to which the destination security group belongs when you configure a security group rule across accounts. | If you do not specify DestGroupOwnerId, the access permissions are configured for another security group that belongs to your Alibaba Cloud account. If you specify DestCidrIp, DestGroupOwnerId is ignored. |
IpProtocol | String | Yes | No | The transport layer protocol. | Valid values: |
PortRange | String | Yes | No | The range of port numbers that correspond to the transport layer protocol for the destination security group. | |
SecurityGroupId | String | No | No | The ID of the security group for which you want to create the outbound rule. | None. |
NicType | String | No | No | The type of the network interface controller (NIC). | Valid values: |
DestPrefixListId | String | No | No | The ID of the destination prefix list for outbound access control. | You can call the DescribePrefixLists operation of Elastic Compute Service (ECS) to query the IDs of available prefix lists. If a security group is in the classic network, you cannot reference prefix lists in the security group rules. If you specify one of DestCidrIp, Ipv6DestCidrIp, and DestGroupId, DestPrefixListId is ignored. |
Priority | Integer | No | No | The priority of the authorization policy. | Valid values: 1 to 100. Default value: 1. |
DestGroupId | String | No | No | The ID of the destination security group in the same region as the security group that you create. | You must specify one of DestGroupId and DestCidrIp. |
DestCidrIp | String | No | No | The destination IPv4 CIDR block. | The value must be in the CIDR format. Default value: 0.0.0.0/0. This value specifies that all IP addresses are available. Example: 10.159.XX.XX/12. You can specify up to 10 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,). Note: Only IPv4 addresses are supported. |
Policy | String | No | No | The rule action that determines whether to allow outbound access. | Valid values: |
Ipv6DestCidrIp | String | No | No | The destination IPv6 CIDR block. | The value must be in the CIDR format. You can specify only IP addresses of the VPC type. |
SecurityGroupIngress syntax
"SecurityGroupIngress": [
{
"SourceGroupOwnerId": String,
"Description": String,
"PortRange": String,
"SecurityGroupId": String,
"NicType": String,
"Ipv6SourceCidrIp": String,
"Priority": Integer,
"SourceGroupId": String,
"Policy": String,
"IpProtocol": String,
"SourcePortRange": String,
"SourceCidrIp": String,
"SourcePrefixListId": String
}
]
SecurityGroupIngress properties
Property | Type | Required | Editable | Description | Constraint |
SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account to which the source security group belongs. | None. |
Description | String | No | Yes | The description of the inbound rule. | The description must be 1 to 512 characters in length. |
SourcePrefixListId | String | No | No | The ID of the source prefix list for inbound access control. | You can call the DescribePrefixLists operation of ECS to query the IDs of available prefix lists. If a security group is in the classic network, you cannot reference prefix lists in the security group rules. If you specify one of SourceCidrIp, Ipv6SourceCidrIp, and SourceGroupId, SourcePrefixListId is ignored. |
IpProtocol | String | Yes | No | The transport layer protocol. | Valid values: |
PortRange | String | Yes | No | The range of port numbers that correspond to the transport layer protocol for the destination security group. | |
SourceGroupId | String | No | No | The ID of the source security group in the same region as the security group that you create. | You must specify one of SourceGroupId and SourceCidrIp. If you specify both SourceGroupId and SourceCidrIp, SourceCidrIp takes precedence. If you specify only SourceGroupId, you must set NicType to intranet. |
SecurityGroupId | String | No | No | The ID of the security group for which you want to create the inbound rule. | None. |
NicType | String | No | No | The type of the NIC. | Valid values: |
Priority | Integer | No | No | The priority of the authorization policy. | Valid values: 1 to 100. Default value: 1. |
SourceCidrIp | String | No | No | The source IPv4 CIDR block. | The value must be in the CIDR format. Default value: 0.0.0.0/0. This value specifies that all IP addresses are available. Example: 10.159.XX.XX/12. You can specify up to 10 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,). Note: Only IPv4 CIDR blocks are supported. |
Policy | String | No | No | The rule action that determines whether to allow inbound access. | Valid values: |
SourcePortRange | String | No | No | The range of port numbers that correspond to the transport layer protocol for the source security group. | |
Ipv6SourceCidrIp | String | No | No | The source IPv6 CIDR block. | You can specify only IP addresses of the VPC type. The value must be in the CIDR format. |
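The two inbound defaults above matter for review: SourceCidrIp takes precedence over SourceGroupId, and an inbound rule with no source selector at all defaults to 0.0.0.0/0. As an added example (not from the ROS documentation or the ROS project), the following Python check applies those documented rules to a constructed template and reports allow rules reachable from anywhere; the template contents, the tcp protocol name and the accept/drop Policy values are assumptions.

```python
import ipaddress
import json

# Constructed ROS template in the documented ALIYUN::ECS::SecurityGroup shape; IDs are placeholders.
TEMPLATE_JSON = """{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "WebSg": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "VpcId": "vpc-PLACEHOLDER",
        "SecurityGroupName": "web-sg",
        "SecurityGroupIngress": [
          {"IpProtocol": "tcp", "PortRange": "443/443", "Policy": "accept", "SourceCidrIp": "10.0.0.0/8,192.168.0.0/16"},
          {"IpProtocol": "tcp", "PortRange": "22/22", "Policy": "accept"},
          {"IpProtocol": "tcp", "PortRange": "22/22", "Policy": "accept", "SourceGroupId": "sg-PLACEHOLDER", "NicType": "intranet"},
          {"IpProtocol": "tcp", "PortRange": "1/65535", "Policy": "drop", "SourceCidrIp": "0.0.0.0/0", "Priority": 100}
        ]
      }
    }
  }
}"""
TEMPLATE = json.loads(TEMPLATE_JSON)

def effective_ipv4_sources(rule):
    """IPv4 sources the rule matches: SourceCidrIp wins over SourceGroupId, comma lists are
    split, and with no source selector at all SourceCidrIp defaults to 0.0.0.0/0."""
    if "SourceCidrIp" in rule:
        return [c.strip() for c in rule["SourceCidrIp"].split(",")]
    if any(k in rule for k in ("SourceGroupId", "Ipv6SourceCidrIp", "SourcePrefixListId")):
        return []  # scoped by a group, IPv6 block or prefix list, not by an IPv4 CIDR
    return ["0.0.0.0/0"]  # the documented default

def is_world_open(cidr):
    # A CIDR with prefix length 0 (e.g. 0.0.0.0/0) matches every address.
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def find_world_open_ingress(template):
    """(resource name, rule index, PortRange) for each allow rule reachable from anywhere.
    Assumption: Policy is "accept" or "drop"; a missing Policy is treated as an allow."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "ALIYUN::ECS::SecurityGroup":
            continue
        for i, rule in enumerate(res.get("Properties", {}).get("SecurityGroupIngress", [])):
            if rule.get("Policy") == "drop":
                continue
            if any(is_world_open(c) for c in effective_ipv4_sources(rule)):
                findings.append((name, i, rule.get("PortRange")))
    return findings
```

On the constructed template only the second rule is reported: it names no source, so the documented 0.0.0.0/0 default applies and port 22 is open to every address.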
Return values
Fn::GetAtt
SecurityGroupId: the ID of the security group.
SecurityGroupName: the name of the security group.
Description
For more examples, visit JoinSecurityGroup.json and JoinSecurityGroup.yml. In the examples, the ALIYUN::ECS::SecurityGroup and ALIYUN::ECS::JoinSecurityGroup resource types are used.