ALIYUN::ECS::SecurityGroup is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}

Properties

Name Type Required Editable Description Validity
ResourceGroupId String No No The ID of the resource group to which created instances belong. None
VpcId String No No The ID of the VPC. None
Description String No No The description of the security group. The description must be 2 to 256 characters in length.
Tags List No No The tags of the security group. A maximum of 20 tags can be specified.
SecurityGroupName String No No The name of the security group. Default value: empty. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://.
SecurityGroupEgress List No No The outbound access rules of the security group. None
SecurityGroupIngress List No No The inbound access rules of the security group. None
SecurityGroupType String No No The type of the security group. Valid values: normal and enterprise. A value of normal specifies a basic security group. A value of enterprise specifies an advanced security group.

Tags syntax

"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]

Tags properties

Name Type Required Editable Description Validity
Key String Yes No None None
Value String No No None None

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerAccount": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String
  }
]

SecurityGroupEgress properties

Name Type Required Editable Description Validity
Description String No No The description of the security group rules. The description must be 1 to 512 characters in length.
DestGroupOwnerId String No No The ID of the Alibaba Cloud account that owns the destination security group. This parameter is used to grant the current security group access to security groups in another Alibaba Cloud account. If neither the DestGroupOwnerId parameter nor the DestGroupOwnerAccount parameter is specified, the current security group is granted access to other security groups in the same Alibaba Cloud account. If the DestCidrIp parameter is specified, the DestGroupOwnerId parameter is ignored.
IpProtocol String Yes No The Internet protocol. Valid values: tcp, udp, icmp, gre, and all. A value of all specifies that all four protocols are supported.
PortRange String No No The range of destination port numbers for the transport layer protocol specified by IpProtocol. Valid values:
  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start number and the end number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1.
SecurityGroupId String No No The ID of the security group for which to create the outbound access rules. None
NicType String No No The network type of the instance. Valid values: internet and intranet. Default value: internet.
Priority Integer No No The priority of the authorization policy. Valid values: 1 to 100. Default value: 1.
DestGroupId String No No The ID of the destination security group within the same region. You must specify either the DestGroupId parameter or the DestCidrIp parameter. If both parameters are specified, the system authorizes the destination CIDR block specified by the DestCidrIp parameter. If the DestGroupId parameter is specified, but the DestCidrIp parameter is not, you must set the NicType parameter to intranet.
DestCidrIp String No No The destination CIDR block. The value must be in CIDR format. The default value is 0.0.0.0/0, indicating that access to any IP address is allowed. Examples of other supported formats include 10.159.6.18/12. Only IPv4 addresses are supported.
Policy String No No The authorization policy. Valid values: accept and drop. Default value: accept.
DestGroupOwnerAccount String No No The Alibaba Cloud account of the destination security group when you grant security group permissions across accounts. None
Ipv6DestCidrIp String No No The destination IPv6 CIDR block. IPv6 addresses in CIDR format are supported. You can only specify the IP addresses for ECS instances in VPCs.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "SourceGroupOwnerAccount": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourceCidrIp": String,
    "Ipv6SourceCidrIp": String
  }
]

SecurityGroupIngress properties

Name Type Required Editable Description Validity
SourceGroupOwnerId String No No The ID of the Alibaba Cloud account that owns the source security group. None
Description String No No The description of the security group rules. The description must be 1 to 512 characters in length.
IpProtocol String Yes No The Internet protocol. Valid values: tcp, udp, icmp, gre, and all. A value of all specifies that all four protocols are supported.
PortRange String No No The range of destination port numbers for the transport layer protocol specified by IpProtocol. Valid values:
  • When the IpProtocol parameter is set to tcp or udp, the port number range is 1 to 65535. Separate the start number and the end number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • When the IpProtocol parameter is set to icmp, the port number range is -1/-1.
  • When the IpProtocol parameter is set to gre, the port number range is -1/-1.
  • When the IpProtocol parameter is set to all, the port number range is -1/-1.
SourceGroupId String No No The ID of the source security group within the same region. You must specify either the SourceGroupId parameter or the SourceCidrIp parameter. If both parameters are specified, the system authorizes the source CIDR block specified by the SourceCidrIp parameter. If the SourceGroupId parameter is specified, but the SourceCidrIp parameter is not, you must set the NicType parameter to intranet.
SecurityGroupId String No No The ID of the security group for which to create the inbound access rules. None
NicType String No No The network type of the instance. Valid values: internet and intranet. Default value: internet.
SourceGroupOwnerAccount String No No The Alibaba Cloud account of the source security group when you grant security group permissions across accounts. None
Priority Integer No No The priority of the authorization policy. Valid values: 1 to 100. Default value: 1.
SourceCidrIp String No No The source IPv4 CIDR block. The value must be in CIDR format. The default value is 0.0.0.0/0, indicating that access from any IP addresses is allowed. Examples of other supported formats include 10.159.6.18/12. Only IPv4 addresses are supported.
Policy String No No The authorization policy. Valid values: accept and drop. Default value: accept.
Ipv6SourceCidrIp String No No The source IPv6 CIDR block. IPv6 addresses in CIDR format are supported. You can only specify the IP addresses for ECS instances in VPCs.

Response parameters

Fn::GetAtt

SecurityGroupId: the ID of the security group.

Examples

{
  "ROSTemplateFormatVersion" : "2015-09-01",
  "Resources" : {
    "SG": {
      "Type": "ALIYUN::ECS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": [
          {
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "internet",
            "PortRange": "-1/-1",
            "Priority": 1
          },
          {
            "SourceCidrIp": "0.0.0.0/0",
            "IpProtocol": "all",
            "NicType": "intranet",
            "PortRange": "-1/-1",
            "Priority": 1
          }
        ],
        "SecurityGroupEgress": [
          {
            "IpProtocol": "all",
            "DestCidrIp": "0.0.0.0/0",
            "NicType": "internet",
            "PortRange": "-1/-1",
            "Priority": 1
          },
          {
            "IpProtocol": "all",
            "DestCidrIp": "0.0.0.0/0",
            "NicType": "intranet",
            "PortRange": "-1/-1",
            "Priority": 1
          }
        ],
        "VpcId": {
          "Ref": "Vpc"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Value" : {"Fn::GetAtt": ["SG","SecurityGroupId"]}
    }
  }
}
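The following Python script is added here as an illustration and is not part of the ROS documentation or the ROS tooling. It checks the ALIYUN::ECS::SecurityGroup rules in a template against the constraints in the property tables above (IpProtocol values, PortRange format per protocol, the Priority range, and the rule that a SourceGroupId or DestGroupId without a CIDR requires NicType intranet), and it flags ingress rules that, like the ones in the example template, accept every protocol and port from 0.0.0.0/0. The embedded template and the sg-placeholder group ID are constructed sample input.

```python
import json
import re

# Constructed sample (not the page's own template): the first rule is copied from the page's
# example; the other ingress rules are constructed, one well-formed and one breaking several constraints.
TEMPLATE = json.loads("""{
 "ROSTemplateFormatVersion": "2015-09-01",
 "Resources": {"SG": {"Type": "ALIYUN::ECS::SecurityGroup", "Properties": {
   "SecurityGroupName": "web-sg",
   "SecurityGroupIngress": [
     {"SourceCidrIp": "0.0.0.0/0", "IpProtocol": "all", "NicType": "internet", "PortRange": "-1/-1", "Priority": 1},
     {"SourceCidrIp": "10.0.0.0/8", "IpProtocol": "tcp", "NicType": "intranet", "PortRange": "443/443"},
     {"SourceGroupId": "sg-placeholder", "IpProtocol": "tcp", "NicType": "internet", "PortRange": "200/1", "Priority": 101}],
   "SecurityGroupEgress": [
     {"DestCidrIp": "0.0.0.0/0", "IpProtocol": "all", "NicType": "internet", "PortRange": "-1/-1", "Priority": 1}]}}}}""")

def rule_findings(rule, direction):
    """Check one rule against the constraints in the property tables; return a list of findings."""
    peer = "Source" if direction == "SecurityGroupIngress" else "Dest"
    proto, ports, out = rule.get("IpProtocol"), rule.get("PortRange", ""), []
    if proto not in ("tcp", "udp", "icmp", "gre", "all"):
        out.append(f"IpProtocol {proto!r} is not one of tcp, udp, icmp, gre, all")
    elif proto in ("tcp", "udp"):
        m = re.fullmatch(r"(\d+)/(\d+)", ports)  # start/end, start <= end, both within 1 to 65535
        if not m or not 1 <= int(m[1]) <= int(m[2]) <= 65535:
            out.append(f"PortRange {ports!r} must be start/end with 1 <= start <= end <= 65535")
    elif ports != "-1/-1":
        out.append(f"PortRange for {proto} must be -1/-1, got {ports!r}")
    if not 1 <= rule.get("Priority", 1) <= 100:
        out.append(f"Priority {rule['Priority']} is outside 1 to 100")
    # A group peer without a CIDR peer is only valid when NicType is intranet.
    if f"{peer}GroupId" in rule and f"{peer}CidrIp" not in rule and rule.get("NicType", "internet") != "intranet":
        out.append(f"{peer}GroupId without {peer}CidrIp requires NicType intranet")
    # Defender's check: the CIDR peer defaults to 0.0.0.0/0, so an absent value is just as open.
    cidr = rule.get(f"{peer}CidrIp", None if f"{peer}GroupId" in rule else "0.0.0.0/0")
    if (direction == "SecurityGroupIngress" and cidr == "0.0.0.0/0" and proto == "all"
            and rule.get("Policy", "accept") == "accept"):
        out.append("WARNING: accepts every protocol and port from 0.0.0.0/0")
    return out

def audit(template):
    """Return {resource name: [findings]} for every ALIYUN::ECS::SecurityGroup in a ROS template."""
    report = {}
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") == "ALIYUN::ECS::SecurityGroup":
            report[name] = [f"{d}[{i}]: {msg}"
                            for d in ("SecurityGroupIngress", "SecurityGroupEgress")
                            for i, rule in enumerate(res.get("Properties", {}).get(d, []))
                            for msg in rule_findings(rule, d)]
    return report
```

Running audit(TEMPLATE) reports the wide-open first ingress rule and three constraint violations in the third; the intranet 443 rule and the egress rule pass.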