ALIYUN::ECS::SecurityGroup is used to create a security group.
Syntax
{
"Type": "ALIYUN::ECS::SecurityGroup",
"Properties": {
"VpcId": String,
"Description": String,
"SecurityGroupName": String,
"Tags": List,
"SecurityGroupEgress": List,
"SecurityGroupIngress": List,
"ResourceGroupId": String
}
}Properties
| Name | Type | Required | Editable | Description | Validity |
|---|---|---|---|---|---|
| ResourceGroupId | String | No | No | The ID of the resource group to which created instances belong. | None |
| VpcId | String | No | No | The ID of the VPC. | None |
| Description | String | No | No | The description of the security group. | The description must be 2 to 256 characters in length and cannot start with http:// or https://. |
| Tags | List | No | No | The tags of the security group. | A maximum of 20 tags can be specified in the [{"Key":"tagKey","Value":"tagValue"},{"Key":"tagKey2","Value":"tagValue2"}] format. |
| SecurityGroupName | String | No | No | The name of the security group. | If not specified, this parameter is null. Default value: null. The name must be 2 to 128 characters in length and can contain letters, digits, periods (.), underscores (_), and hyphens (-). The security group name will be displayed in the ECS console. It must start with a letter but cannot start with http:// or https://. |
| SecurityGroupEgress | List | No | No | The outbound access rules of the security group. | None |
| SecurityGroupIngress | List | No | No | The inbound access rules of the security group. | None |
Tags syntax
"Tags": [
{
"Value" : String,
"Key" : String
}
]Tags properties
| Name | Type | Required | Editable | Description | Validity |
|---|---|---|---|---|---|
| Key | String | Yes | No | None | None |
| Value | String | No | No | None | None |
SecurityGroupEgress syntax
"SecurityGroupEgress": [
{
"Description": String,
"PortRange": String,
"SecurityGroupId": String,
"NicType": String,
"Priority": Integer,
"DestGroupId": String,
"DestCidrIp": String,
"Policy": String,
"IpProtocol": String,
"DestGroupOwnerAccount": String,
"DestGroupOwnerId": String
}
]SecurityGroupEgress properties
| Name | Type | Required | Editable | Description | Validity |
|---|---|---|---|---|---|
| Description | String | No | No | The description of the security group rules. The description must be 1 to 512 characters in length. | None |
| DestGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that owns the destination security group. This parameter is used to grant access for the current security group to send traffic to other Alibaba Cloud accounts. If neither the DestGroupOwnerAccount parameter nor the DestGroupOwnerId parameter is specified, the access permissions are granted to other security groups. If the DestCidrIp parameter is specified, the DestGroupOwnerId parameter will be ignored. | None |
| IpProtocol | String | Yes | No | The Internet protocol. | Valid values: tcp, udp, icmp, gre, and all. The value all specifies to support all four protocols. |
| PortRange | String | No | No | The range of port numbers corresponding to the Internet protocol. |
When the IpProtocol parameter is set to tcp or udp, the default port numbers are used, and the port number range is 1 to 65535. For example, 1/200 indicates a port number range of 1 to 200. If you set this parameter to 200/1, an error will be reported when the API is called. When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all values are valid. When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all values are valid. When the IpProtocol parameter is set to all, the port number range is -1/-1, indicating that all values are valid. |
| SecurityGroupId | String | No | No | The ID of the security group for which to create the outbound access rules. | None |
| NicType | String | No | No | The network type. |
Valid values: internet and intranet. Default value: internet. |
| Priority | Integer | No | No | The priority of the authorization policy. | Valid values: 1 to 100. Default value: 1. |
| DestGroupId | String | No | No | The ID of the destination security group in the same region. | Either the DestGroupId parameter or the DestCidrIp parameter must be set. If both parameters are set, the system will authorize the destination CIDR block specified by the DestCidrIp parameter. If the DestGroupId parameter is specified, but the DestCidrIp parameter is not, you must set the NicType parameter to intranet. |
| DestCidrIp | String | No | No | The destination CIDR block. | The CIDR block must be specified in CIDR notation. The default value is 0.0.0.0/0, indicating that access from any IP addresses is allowed. Examples of other supported formats include 10.159.6.18/12. Only IPv4 addresses are supported. |
| Policy | String | No | No | The authorization policy. | Valid values: accept and drop. Default value: accept. |
| DestGroupOwnerAccount | String | No | No | The Alibaba Cloud account that owns the destination security group. This parameter is used to grant access for the current security group to send traffic to other Alibaba Cloud accounts. | None |
SecurityGroupIngress syntax
"SecurityGroupIngress": [
{
"SourceGroupOwnerId": String,
"Description": String,
"PortRange": String,
"SecurityGroupId": String,
"NicType": String,
"SourceGroupOwnerAccount": String,
"Priority": Integer,
"SourceGroupId": String,
"Policy": String,
"IpProtocol": String,
"SourceCidrIp": String
}
]SecurityGroupIngress properties
| Name | Type | Required | Editable | Description | Validity |
|---|---|---|---|---|---|
| SourceGroupOwnerId | String | No | No | The ID of the Alibaba Cloud account that owns the source security group. | None |
| Description | String | No | No | The description of the security group rules. The description must be 1 to 512 characters in length. | None |
| IpProtocol | String | Yes | No | The Internet protocol. | Valid values: tcp, udp, icmp, gre, and all. The value all specifies to support all four protocols. |
| PortRange | String | No | No | The range of port numbers corresponding to the Internet protocol. |
When the IpProtocol parameter is set to tcp or udp, the default port numbers are used, and the port number range is 1 to 65535. For example, 1/200 indicates a port number range of 1 to 200. If you set this parameter to 200/1, an error will be reported when the API is called. When the IpProtocol parameter is set to icmp, the port number range is -1/-1, indicating that all values are valid. When the IpProtocol parameter is set to gre, the port number range is -1/-1, indicating that all values are valid. When the IpProtocol parameter is set to all, the port number range is -1/-1, indicating that all values are valid. |
| SourceGroupId | String | No | No | The ID of the source security group in the same region. | Either the SourceGroupId parameter or the SourceCidrIp parameter must be set. If both parameters are set, the system will authorize the source CIDR block specified by the SourceCidrIp parameter. If the SourceGroupId parameter is specified, but the SourceCidrIp parameter is not, you must set the NicType parameter to intranet. |
| SecurityGroupId | String | No | No | The ID of the security group for which to create the inbound access rules. | None |
| NicType | String | No | No | The network type. | Valid values: internet and intranet. Default value: internet. |
| SourceGroupOwnerAccount | String | No | No | The Alibaba Cloud account that owns the source security group. This parameter is used to grant access for the current security group to send traffic to other Alibaba Cloud accounts. | None |
| Priority | Integer | No | No | The priority of the authorization policy. | Valid values: 1 to 100. Default value: 1. |
| SourceCidrIp | String | No | No | The source CIDR block. | The CIDR block must be specified in CIDR notation. The default value is 0.0.0.0/0, indicating that access from any IP addresses is allowed. Examples of other supported formats include 10.159.6.18/12. Only IPv4 addresses are supported. |
| Policy | String | No | No | The authorization policy. | Valid values: accept and drop. Default value: accept. |
Response parameters
Fn::GetAtt
SecurityGroupId: the ID of the security group.
Examples
{
"ROSTemplateFormatVersion" : "2015-09-01",
"Resources" : {
"SG": {
"Type": "ALIYUN::ECS::SecurityGroup",
"Properties": {
"SecurityGroupName": {
"Ref": "SecurityGroupName"
},
"SecurityGroupIngress": [
{
"SourceCidrIp": "0.0.0.0/0",
"IpProtocol": "all",
"NicType": "internet",
"PortRange": "-1/-1",
"Priority": 1
},
{
"SourceCidrIp": "0.0.0.0/0",
"IpProtocol": "all",
"NicType": "intranet",
"PortRange": "-1/-1",
"Priority": 1
}
],
"SecurityGroupEgress": [
{
"IpProtocol": "all",
"DestCidrIp": "0.0.0.0/0",
"NicType": "internet",
"PortRange": "-1/-1",
"Priority": 1
},
{
"IpProtocol": "all",
"DestCidrIp": "0.0.0.0/0",
"NicType": "intranet",
"PortRange": "-1/-1",
"Priority": 1
}
],
"VpcId": {
"Ref": "Vpc"
}
}
}
},
"Outputs": {
"SecurityGroupId": {
"Value" : {"Fn::GetAtt": ["SG","SecurityGroupId"]}
}
}
}