Resource Orchestration Service:ALIYUN::ECS::SecurityGroup

Last Updated: Sep 11, 2023

ALIYUN::ECS::SecurityGroup is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}

Properties

Columns: Property (Type; Required; Editable), Description, Constraint.

ResourceGroupId (String; Required: No; Editable: Yes)
  The ID of the resource group to which the security group belongs.
  Constraint: None.

VpcId (String; Required: No; Editable: No)
  The ID of the virtual private cloud (VPC).
  Constraint: None.

Description (String; Required: No; Editable: No)
  The description of the security group.
  Constraint: The description must be 2 to 256 characters in length.

Tags (List; Required: No; Editable: Yes)
  The tags of the security group.
  Constraint: You can add up to 20 tags. For more information, see Tags properties.

SecurityGroupName (String; Required: No; Editable: No)
  The name of the security group. By default, this property is empty.
  Constraint:
    • The name must be 2 to 128 characters in length.
    • It must start with a letter and cannot start with http:// or https://.
    • It can contain letters, digits, periods (.), underscores (_), and hyphens (-).

SecurityGroupEgress (List; Required: No; Editable: Yes)
  The outbound rules of the security group.
  Constraint: For more information, see SecurityGroupEgress properties.

SecurityGroupIngress (List; Required: No; Editable: Yes)
  The inbound rules of the security group.
  Constraint: For more information, see SecurityGroupIngress properties.

SecurityGroupType (String; Required: No; Editable: No)
  The type of the security group.
  Constraint: Valid values:
    • normal: basic security group
    • enterprise: advanced security group

Tags syntax

"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]

Tags properties

Columns: Property (Type; Required; Editable), Description, Constraint.

Key (String; Required: Yes; Editable: No)
  The key of the tag.
  Constraint: The tag key must be 1 to 128 characters in length, and cannot contain http:// or https://. It cannot start with aliyun or acs:.

Value (String; Required: No; Editable: No)
  The value of the tag.
  Constraint: The tag value can be up to 128 characters in length, and cannot contain http:// or https://. It cannot start with aliyun or acs:.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String,
    "DestPrefixListId": String
  }
]

SecurityGroupEgress properties

Columns: Property (Type; Required; Editable), Description, Constraint.

Description (String; Required: No; Editable: Yes)
  The description of the outbound rule.
  Constraint: The description must be 1 to 512 characters in length.

DestGroupOwnerId (String; Required: No; Editable: No)
  The ID of the Alibaba Cloud account to which the destination security group belongs when you configure a security group rule across accounts.
  Constraint: If you do not specify DestGroupOwnerId, the access permissions are configured for another security group that belongs to your Alibaba Cloud account. If you specify DestCidrIp, DestGroupOwnerId is ignored.

IpProtocol (String; Required: Yes; Editable: No)
  The transport layer protocol.
  Constraint: Valid values:
    • tcp: The Transmission Control Protocol (TCP) protocol is supported.
    • udp: The User Datagram Protocol (UDP) protocol is supported.
    • icmp: The Internet Control Message Protocol (ICMP) protocol is supported.
    • gre: The Generic Routing Encapsulation (GRE) protocol is supported.
    • all: All the preceding protocols are supported.

PortRange (String; Required: Yes; Editable: No)
  The range of port numbers that correspond to the transport layer protocol for the destination security group.
  Constraint:
    • Value format when IpProtocol is set to tcp or udp: X/Y. X is the start port and Y is the end port. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/).
      • Example of a valid value: 1/200.
      • Example of an invalid value: 200/1.
    • Valid value when IpProtocol is set to icmp: -1/-1.
    • Valid value when IpProtocol is set to gre: -1/-1.
    • Valid value when IpProtocol is set to all: -1/-1.

SecurityGroupId (String; Required: No; Editable: No)
  The ID of the security group for which you want to create the outbound rule.
  Constraint: None.

NicType (String; Required: No; Editable: No)
  The type of the network interface controller (NIC).
  Constraint: Valid values:
    • internet (default)
    • intranet

DestPrefixListId (String; Required: No; Editable: No)
  The ID of the destination prefix list for outbound access control.
  Constraint: You can call the DescribePrefixLists operation of Elastic Compute Service (ECS) to query the IDs of available prefix lists. If a security group is in the classic network, you cannot reference prefix lists in the security group rules. If you specify one of DestCidrIp, Ipv6DestCidrIp, and DestGroupId, DestPrefixListId is ignored.

Priority (Integer; Required: No; Editable: No)
  The priority of the authorization policy.
  Constraint: Valid values: 1 to 100. Default value: 1.

DestGroupId (String; Required: No; Editable: No)
  The ID of the destination security group in the same region as the security group that you create.
  Constraint: You must specify one of DestGroupId and DestCidrIp.
    • If you specify both DestGroupId and DestCidrIp, DestCidrIp takes precedence.
    • If you specify only DestGroupId, you must set NicType to intranet.

DestCidrIp (String; Required: No; Editable: No)
  The destination IPv4 CIDR block.
  Constraint: The value must be in the CIDR format. Default value: 0.0.0.0/0. This value specifies that all IP addresses are available. Example: 10.159.XX.XX/12. You can specify up to 10 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).
  Note: Only IPv4 addresses are supported.

Policy (String; Required: No; Editable: No)
  The rule action that determines whether to allow outbound access.
  Constraint: Valid values:
    • accept (default): allows outbound access.
    • drop: denies outbound access.

Ipv6DestCidrIp (String; Required: No; Editable: No)
  The destination IPv6 CIDR block.
  Constraint: The value must be in the CIDR format. You can specify only IP addresses of the VPC type.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String
  }
]

SecurityGroupIngress properties

Columns: Property (Type; Required; Editable), Description, Constraint.

SourceGroupOwnerId (String; Required: No; Editable: No)
  The ID of the Alibaba Cloud account to which the source security group belongs.
  Constraint: None.

Description (String; Required: No; Editable: Yes)
  The description of the inbound rule.
  Constraint: The description must be 1 to 512 characters in length.

SourcePrefixListId (String; Required: No; Editable: No)
  The ID of the source prefix list for inbound access control.
  Constraint: You can call the DescribePrefixLists operation of ECS to query the IDs of available prefix lists. If a security group is in the classic network, you cannot reference prefix lists in the security group rules. If you specify one of SourceCidrIp, Ipv6SourceCidrIp, and SourceGroupId, SourcePrefixListId is ignored.

IpProtocol (String; Required: Yes; Editable: No)
  The transport layer protocol.
  Constraint: Valid values:
    • tcp: The TCP protocol is supported.
    • udp: The UDP protocol is supported.
    • icmp: The ICMP protocol is supported.
    • gre: The GRE protocol is supported.
    • all: All the preceding protocols are supported.

PortRange (String; Required: Yes; Editable: No)
  The range of port numbers that correspond to the transport layer protocol for the destination security group.
  Constraint:
    • Value format when IpProtocol is set to tcp or udp: X/Y. X is the start port and Y is the end port. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/).
      • Example of a valid value: 1/200.
      • Example of an invalid value: 200/1.
    • Valid value when IpProtocol is set to icmp: -1/-1.
    • Valid value when IpProtocol is set to gre: -1/-1.
    • Valid value when IpProtocol is set to all: -1/-1.

SourceGroupId (String; Required: No; Editable: No)
  The ID of the source security group in the same region as the security group that you create.
  Constraint: You must specify one of SourceGroupId and SourceCidrIp.
    • If you specify both SourceGroupId and SourceCidrIp, SourceCidrIp takes precedence.
    • If you specify only SourceGroupId, you must set NicType to intranet.

SecurityGroupId (String; Required: No; Editable: No)
  The ID of the security group for which you want to create the inbound rule.
  Constraint: None.

NicType (String; Required: No; Editable: No)
  The type of the NIC.
  Constraint: Valid values:
    • internet (default)
    • intranet

Priority (Integer; Required: No; Editable: No)
  The priority of the authorization policy.
  Constraint: Valid values: 1 to 100. Default value: 1.

SourceCidrIp (String; Required: No; Editable: No)
  The source IPv4 CIDR block.
  Constraint: The value must be in the CIDR format. Default value: 0.0.0.0/0. This value specifies that all IP addresses are available. Example: 10.159.XX.XX/12. You can specify up to 10 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).
  Note: Only IPv4 CIDR blocks are supported.

Policy (String; Required: No; Editable: No)
  The rule action that determines whether to allow inbound access.
  Constraint: Valid values:
    • accept (default): allows inbound access.
    • drop: denies inbound access.

SourcePortRange (String; Required: No; Editable: No)
  The range of port numbers that correspond to the transport layer protocol for the source security group.
  Constraint:
    • Value format when IpProtocol is set to tcp or udp: X/Y. X is the start port and Y is the end port. X and Y range from 1 to 65535. Separate X and Y with a forward slash (/).
      • Example of a valid value: 1/200.
      • Example of an invalid value: 200/1.
    • Valid value when IpProtocol is set to icmp: -1/-1.
    • Valid value when IpProtocol is set to gre: -1/-1.
    • Valid value when IpProtocol is set to all: -1/-1.

Ipv6SourceCidrIp (String; Required: No; Editable: No)
  The source IPv6 CIDR block.
  Constraint: You can specify only IP addresses of the VPC type. The value must be in the CIDR format.

Return values

Fn::GetAtt

  • SecurityGroupId: the ID of the security group.

  • SecurityGroupName: the name of the security group.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Resources:
      SecurityGroup:
        Type: 'ALIYUN::ECS::SecurityGroup'
        Properties:
          SecurityGroupIngress:
            - PortRange: 22/22
              SourceCidrIp: 0.0.0.0/0
              IpProtocol: tcp
            - PortRange: 80/80
              SourceCidrIp: 0.0.0.0/0
              IpProtocol: tcp
          SecurityGroupType: normal
          VpcId:
            Ref: VpcId
          SecurityGroupEgress:
            - PortRange: 443/443
              DestCidrIp: 0.0.0.0/0
              IpProtocol: tcp
          SecurityGroupName: TestSecurityGroupName
    Parameters:
      VpcId:
        AssociationProperty: 'ALIYUN::ECS::VPC::VPCId'
        Type: String
        Label:
          en: Existing VPC Instance ID
    Outputs:
      SecurityGroupId:
        Description: generated security group id for security group.
        Value:
          'Fn::GetAtt':
            - SecurityGroup
            - SecurityGroupId
      SecurityGroupName:
        Description: The name of security group.
        Value:
          'Fn::GetAtt':
            - SecurityGroup
            - SecurityGroupName

  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Resources": {
        "SecurityGroup": {
          "Type": "ALIYUN::ECS::SecurityGroup",
          "Properties": {
            "SecurityGroupIngress": [
              {
                "PortRange": "22/22",
                "SourceCidrIp": "0.0.0.0/0",
                "IpProtocol": "tcp"
              },
              {
                "PortRange": "80/80",
                "SourceCidrIp": "0.0.0.0/0",
                "IpProtocol": "tcp"
              }
            ],
            "SecurityGroupType": "normal",
            "VpcId": {
              "Ref": "VpcId"
            },
            "SecurityGroupEgress": [
              {
                "PortRange": "443/443",
                "DestCidrIp": "0.0.0.0/0",
                "IpProtocol": "tcp"
              }
            ],
            "SecurityGroupName": "TestSecurityGroupName"
          }
        }
      },
      "Parameters": {
        "VpcId": {
          "AssociationProperty": "ALIYUN::ECS::VPC::VPCId",
          "Type": "String",
          "Label": {
            "en": "Existing VPC Instance ID"
          }
        }
      },
      "Outputs": {
        "SecurityGroupId": {
          "Description": "generated security group id for security group.",
          "Value": {
            "Fn::GetAtt": [
              "SecurityGroup",
              "SecurityGroupId"
            ]
          }
        },
        "SecurityGroupName": {
          "Description": "The name of security group.",
          "Value": {
            "Fn::GetAtt": [
              "SecurityGroup",
              "SecurityGroupName"
            ]
          }
        }
      }
    }

For more examples, visit JoinSecurityGroup.json and JoinSecurityGroup.yml. In the examples, the ALIYUN::ECS::SecurityGroup and ALIYUN::ECS::JoinSecurityGroup resource types are used.
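As an added example (not code from the Alibaba Cloud documentation or the ROS service), the following Python audits a SecurityGroup resource's Properties the way a reviewer would: it applies the PortRange rules from the property tables above (X/Y within 1 to 65535 for tcp/udp, exactly -1/-1 for icmp, gre and all) and reports every ingress accept rule whose source resolves to 0.0.0.0/0, which is how the example template exposes TCP 22 and 80. The sample rules, the extra reversed-range rule and the group ID sg-EXAMPLE are constructed for the demonstration.

```python
import ipaddress

# Constructed sample: the rules from the page's example template plus two extra
# rules (a reversed tcp range and an ICMP rule from a group) to exercise the checks.
SAMPLE_PROPERTIES = {
    "SecurityGroupIngress": [
        {"PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"},
        {"PortRange": "80/80", "SourceCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"},
        {"PortRange": "200/1", "SourceCidrIp": "10.0.0.0/8", "IpProtocol": "tcp"},
        {"PortRange": "-1/-1", "SourceGroupId": "sg-EXAMPLE", "IpProtocol": "icmp"},
    ],
    "SecurityGroupEgress": [
        {"PortRange": "443/443", "DestCidrIp": "0.0.0.0/0", "IpProtocol": "tcp"},
    ],
}

def valid_port_range(ip_protocol, port_range):
    """PortRange rules from the tables: X/Y, 1 <= X <= Y <= 65535 for tcp/udp; -1/-1 otherwise."""
    if ip_protocol in ("icmp", "gre", "all"):
        return port_range == "-1/-1"
    if ip_protocol not in ("tcp", "udp"):
        return False
    start, sep, end = port_range.partition("/")
    if sep != "/" or not (start.isdigit() and end.isdigit()):
        return False
    return 1 <= int(start) <= int(end) <= 65535

def ingress_world_open(rule):
    """True when an ingress rule admits every IPv4 source (SourceCidrIp defaults to 0.0.0.0/0)."""
    cidr = rule.get("SourceCidrIp")
    if cidr is None:  # the default only applies when no group or prefix-list source is given
        return not any(k in rule for k in ("SourceGroupId", "SourcePrefixListId", "Ipv6SourceCidrIp"))
    return any(ipaddress.ip_network(c.strip(), strict=False).prefixlen == 0
               for c in cidr.split(","))

def audit(properties):
    """One finding per malformed PortRange and per ingress accept rule open to any IPv4 source."""
    findings = []
    for direction in ("SecurityGroupIngress", "SecurityGroupEgress"):
        for i, rule in enumerate(properties.get(direction, [])):
            proto, rng = rule.get("IpProtocol", ""), rule.get("PortRange", "")
            if not valid_port_range(proto, rng):
                findings.append(f"{direction}[{i}]: invalid PortRange {rng!r} for {proto!r}")
            if (direction == "SecurityGroupIngress"
                    and rule.get("Policy", "accept") == "accept" and ingress_world_open(rule)):
                findings.append(f"{direction}[{i}]: {proto} {rng} accepted from any IPv4 source")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PROPERTIES)) or "no findings")
```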