ALIYUN::ECS::SecurityGroup is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroup",
  "Properties": {
    "VpcId": String,
    "Description": String,
    "SecurityGroupName": String,
    "Tags": List,
    "SecurityGroupEgress": List,
    "SecurityGroupIngress": List,
    "ResourceGroupId": String,
    "SecurityGroupType": String
  }
}

Properties

Property Type Required Editable Description Constraint
ResourceGroupId String No Yes The ID of the resource group to which the security group belongs. None
VpcId String No No The ID of the virtual private cloud (VPC) in which you want to create the security group. None
Description String No No The description of the security group. The description must be 2 to 256 characters in length.
Tags List No Yes The tags of the security group. You can specify up to 20 tags.

For more information, see Tags properties.

SecurityGroupName String No No The name of the security group. By default, this property is empty.
  • The name must be 2 to 128 characters in length.
  • The name must start with a letter but cannot start with http:// or https://.
  • The name can contain letters, digits, periods (.), underscores (_), and hyphens (-).
SecurityGroupEgress List No Yes The outbound rule of the security group. For more information, see SecurityGroupEgress properties.
SecurityGroupIngress List No Yes The inbound rule of the security group. For more information, see SecurityGroupIngress properties.
SecurityGroupType String No No The type of the security group. Valid values:
  • normal: basic security group
  • enterprise: advanced security group

Tags syntax

"Tags": [
  {
    "Value" : String,
    "Key" : String
  }
]

Tags properties

Property Type Required Editable Description Constraint
Key String Yes No The tag key of the security group. The tag key must be 1 to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.
Value String No No The tag value of the security group. The tag value must be 0 to 128 characters in length and cannot contain http:// or https://. It cannot start with acs: or aliyun.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Priority": Integer,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "IpProtocol": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String,
    "DestPrefixListId": String
  }
]

SecurityGroupEgress properties

Property Type Required Editable Description Constraint
Description String No Yes The description of the security group rule. The description must be 1 to 512 characters in length.
DestGroupOwnerId String No No The ID of the Alibaba Cloud account that is used to manage the destination security group when you configure a security group rule across multiple Alibaba Cloud accounts. If you do not specify the DestGroupOwnerId property, the access permissions are configured for another security group that is managed by your Alibaba Cloud account. If you specify the DestCidrIp property, the DestGroupOwnerId property is ignored.
IpProtocol String Yes No The transport layer protocol. Valid values:
  • tcp
  • udp
  • icmp
  • gre
  • all: All the preceding protocols are supported.
PortRange String Yes No The range of destination port numbers that correspond to the transport layer protocol.
  • Valid values if you set the IpProtocol property to tcp or udp: 1 to 65535. Separate the start port number and the end port number with a forward slash (/).
    • Correct example: 1/200.
    • Incorrect example: 200/1.
  • Valid values if you set the IpProtocol property to icmp: -1/-1.
  • Valid values if you set the IpProtocol property to gre: -1/-1.
  • Valid values if you set the IpProtocol property to all: -1/-1.
SecurityGroupId String No No The ID of the security group for which you want to create an outbound rule. None
NicType String No No The network type. Default value: internet. Valid values:
  • internet
  • intranet
DestPrefixListId String No No The ID of the destination prefix list to which you want to control outbound access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

If a security group is in the classic network, you cannot configure prefix lists in the security group rules.

If you specify one of the DestCidrIp, Ipv6DestCidrIp, and DestGroupId properties, DestPrefixListId is ignored.

Priority Integer No No The priority of the authorization policy. Valid values: 1 to 100.

Default value: 1.

DestGroupId String No No The ID of the destination security group within the same region. You must specify at least one of the DestGroupId and DestCidrIp properties.
  • If you specify both the DestGroupId and DestCidrIp properties, DestCidrIp takes precedence.
  • If you specify only the DestGroupId property, set the NicType property to intranet.
DestCidrIp String No No The destination IPv4 CIDR block. The value must be in the CIDR format.

The default value is 0.0.0.0/0, which includes all possible IPv4 addresses.

Examples of other supported formats include 10.159.XX.XX/12.

You can specify up to 10 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).

Note Only IPv4 addresses are supported.
Policy String No No The authorization policy. Default value: accept. Valid values:
  • accept: allows access.
  • drop: denies access.
Ipv6DestCidrIp String No No The destination IPv6 CIDR block. IPv6 addresses in the CIDR format are supported. You can specify only the IP addresses of ECS instances of the VPC type.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String
  }
]

SecurityGroupIngress properties

Property Type Required Editable Description Constraint
SourceGroupOwnerId String No No The ID of the Alibaba Cloud account to which the source security group belongs. None
Description String No Yes The description of the security group rule. The description must be 1 to 512 characters in length.
SourcePrefixListId String No No The ID of the source prefix list to which you want to control inbound access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.

If a security group is in the classic network, you cannot configure prefix lists in the security group rules.

If you specify one of the SourceCidrIp, Ipv6SourceCidrIp, and SourceGroupId properties, SourcePrefixListId is ignored.

IpProtocol String Yes No The transport layer protocol. Valid values:
  • tcp
  • udp
  • icmp
  • gre
  • all: All the preceding protocols are supported.
PortRange String Yes No The range of destination port numbers that correspond to the transport layer protocol.
  • Valid values if you set the IpProtocol property to tcp or udp: 1 to 65535. Separate the start port number and the end port number with a forward slash (/).
    • Correct example: 1/200.
    • Incorrect example: 200/1.
  • Valid values if you set the IpProtocol property to icmp: -1/-1.
  • Valid values if you set the IpProtocol property to gre: -1/-1.
  • Valid values if you set the IpProtocol property to all: -1/-1.
SourceGroupId String No No The ID of the source security group within the same region. You must specify the SourceGroupId property or the SourceCidrIp property.

If you specify both the SourceGroupId and SourceCidrIp properties, SourceCidrIp takes precedence.

If you specify only the SourceGroupId property, set the NicType property to intranet.

SecurityGroupId String No No The ID of the security group for which you want to create an inbound rule. None
NicType String No No The network type. Default value: internet. Valid values:
  • internet
  • intranet
Priority Integer No No The priority of the authorization policy. Valid values: 1 to 100.

Default value: 1.

SourceCidrIp String No No The source IPv4 CIDR block. The value must be in the CIDR format.

The default value is 0.0.0.0/0, which includes all possible IP addresses.

Examples of other supported formats include 10.159.XX.XX/12.

You can specify up to 10 IP addresses or CIDR blocks. Separate multiple IP addresses or CIDR blocks with commas (,).

Note Only IPv4 CIDR blocks are supported.
Policy String No No The authorization policy. Default value: accept. Valid values:
  • accept: allows access.
  • drop: denies access.
SourcePortRange String No No The range of source port numbers that correspond to the transport layer protocol.
  • Valid values if you set the IpProtocol property to tcp or udp: 1 to 65535. Separate the start port number and the end port number with a forward slash (/).
    • Correct example: 1/200.
    • Incorrect example: 200/1.
  • Valid values if you set the IpProtocol property to icmp: -1/-1.
  • Valid values if you set the IpProtocol property to gre: -1/-1.
  • Valid values if you set the IpProtocol property to all: -1/-1.
Ipv6SourceCidrIp String No No The source IPv6 CIDR block. You can specify only the IP addresses of ECS instances of the VPC type. IPv6 addresses in the CIDR format are supported.
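As an added example (not the page's own code and not an Alibaba Cloud tool), the Python check below applies the IpProtocol, PortRange and SourceCidrIp constraints documented above to a constructed SecurityGroupIngress list: it flags malformed rules and any accept rule whose source is, explicitly or by the documented default, 0.0.0.0/0. The sample rules are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample (not from the page): one sound inbound rule plus three defective ones.
SAMPLE_RULES = json.loads("""[
  {"IpProtocol": "tcp", "PortRange": "443/443", "SourceCidrIp": "10.0.0.0/8"},
  {"IpProtocol": "tcp", "PortRange": "22/22", "Policy": "accept"},
  {"IpProtocol": "icmp", "PortRange": "8/8", "SourceCidrIp": "0.0.0.0/0"},
  {"IpProtocol": "tcp", "PortRange": "200/1", "SourceCidrIp": "192.168.1.0/24"}
]""")

PROTOCOLS = ("tcp", "udp", "icmp", "gre", "all")
SOURCE_KEYS = ("SourceCidrIp", "Ipv6SourceCidrIp", "SourceGroupId", "SourcePrefixListId")


def check_port_range(proto, port_range):
    """Return an error string when PortRange is invalid for IpProtocol, else None."""
    if proto in ("icmp", "gre", "all"):
        return None if port_range == "-1/-1" else f"{proto} requires PortRange -1/-1, got {port_range}"
    try:
        start, end = (int(p) for p in port_range.split("/"))
    except ValueError:
        return f"PortRange must be start/end, got {port_range!r}"
    if not 1 <= start <= end <= 65535:
        return f"PortRange {port_range} is not an ascending range within 1 to 65535"
    return None


def lint_ingress(rules):
    """Return (rule_index, message) pairs for malformed or overly permissive rules."""
    findings = []
    for i, rule in enumerate(rules):
        proto = rule.get("IpProtocol")
        if proto not in PROTOCOLS:
            findings.append((i, f"unsupported IpProtocol {proto!r}"))
        err = check_port_range(proto, str(rule.get("PortRange", "")))
        if err:
            findings.append((i, err))
        # With no source property at all, the documented default SourceCidrIp is 0.0.0.0/0.
        src = rule.get("SourceCidrIp")
        if src is None and not any(k in rule for k in SOURCE_KEYS):
            src = "0.0.0.0/0"
        if src is None or rule.get("Policy", "accept") != "accept":
            continue
        for cidr in (c.strip() for c in src.split(",")):  # up to 10, comma-separated
            try:
                if ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
                    findings.append((i, f"accept rule reachable from {cidr} (every IPv4 source)"))
            except ValueError:
                findings.append((i, f"SourceCidrIp {cidr!r} is not a valid CIDR block"))
    return findings
```

Run against SAMPLE_RULES, the linter reports the SSH rule with no source (defaults to 0.0.0.0/0), the icmp rule twice (wrong PortRange and open source), and the reversed 200/1 range.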

Return values

Fn::GetAtt

  • SecurityGroupId: the ID of the security group.
  • SecurityGroupName: the name of the security group.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      Description:
        Description: Description of the security group, [2, 256] characters. Do not fill
          or empty, the default is empty.
        Type: String
      ResourceGroupId:
        Description: Resource group id.
        Type: String
      SecurityGroupEgress:
        Description: egress rules for the security group.
        Type: Json
      SecurityGroupIngress:
        Description: Ingress rules for the security group.
        Type: Json
      SecurityGroupName:
        Description: Display name of the security group, [2, 128] English or Chinese characters,
          must start with a letter or Chinese in size, can contain numbers, '_' or '.',
          '-'
        Type: String
      SecurityGroupType:
        AllowedValues:
        - normal
        - enterprise
        Description: 'The type of the security group. Valid values:
    
          normal: basic security group
    
          enterprise: advanced security group'
        Type: String
      Tags:
        Description: Tags to attach to instance. Max support 20 tags to add during create
          instance. Each tag with two properties Key and Value, and Key is required.
        MaxLength: 20
        Type: Json
      VpcId:
        Description: Physical ID of the VPC.
        Type: String
    Resources:
      SecurityGroup:
        Properties:
          Description:
            Ref: Description
          ResourceGroupId:
            Ref: ResourceGroupId
          SecurityGroupEgress:
            Ref: SecurityGroupEgress
          SecurityGroupIngress:
            Ref: SecurityGroupIngress
          SecurityGroupName:
            Ref: SecurityGroupName
          SecurityGroupType:
            Ref: SecurityGroupType
          Tags:
            Ref: Tags
          VpcId:
            Ref: VpcId
        Type: ALIYUN::ECS::SecurityGroup
    Outputs:
      SecurityGroupId:
        Description: generated security group id for security group.
        Value:
          Fn::GetAtt:
          - SecurityGroup
          - SecurityGroupId
      SecurityGroupName:
        Description: The name of security group.
        Value:
          Fn::GetAtt:
          - SecurityGroup
          - SecurityGroupName
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "Description": {
          "Type": "String",
          "Description": "Description of the security group, [2, 256] characters. Do not fill or empty, the default is empty."
        },
        "VpcId": {
          "Type": "String",
          "Description": "Physical ID of the VPC."
        },
        "SecurityGroupName": {
          "Type": "String",
          "Description": "Display name of the security group, [2, 128] English or Chinese characters, must start with a letter or Chinese in size, can contain numbers, '_' or '.', '-'"
        },
        "ResourceGroupId": {
          "Type": "String",
          "Description": "Resource group id."
        },
        "SecurityGroupType": {
          "Type": "String",
          "Description": "The type of the security group. Valid values:\nnormal: basic security group\nenterprise: advanced security group",
          "AllowedValues": [
            "normal",
            "enterprise"
          ]
        },
        "SecurityGroupIngress": {
          "Type": "Json",
          "Description": "Ingress rules for the security group."
        },
        "Tags": {
          "Type": "Json",
          "Description": "Tags to attach to instance. Max support 20 tags to add during create instance. Each tag with two properties Key and Value, and Key is required.",
          "MaxLength": 20
        },
        "SecurityGroupEgress": {
          "Type": "Json",
          "Description": "egress rules for the security group."
        }
      },
      "Resources": {
        "SecurityGroup": {
          "Type": "ALIYUN::ECS::SecurityGroup",
          "Properties": {
            "Description": {
              "Ref": "Description"
            },
            "VpcId": {
              "Ref": "VpcId"
            },
            "SecurityGroupName": {
              "Ref": "SecurityGroupName"
            },
            "ResourceGroupId": {
              "Ref": "ResourceGroupId"
            },
            "SecurityGroupType": {
              "Ref": "SecurityGroupType"
            },
            "SecurityGroupIngress": {
              "Ref": "SecurityGroupIngress"
            },
            "Tags": {
              "Ref": "Tags"
            },
            "SecurityGroupEgress": {
              "Ref": "SecurityGroupEgress"
            }
          }
        }
      },
      "Outputs": {
        "SecurityGroupName": {
          "Description": "The name of security group.",
          "Value": {
            "Fn::GetAtt": [
              "SecurityGroup",
              "SecurityGroupName"
            ]
          }
        },
        "SecurityGroupId": {
          "Description": "generated security group id for security group.",
          "Value": {
            "Fn::GetAtt": [
              "SecurityGroup",
              "SecurityGroupId"
            ]
          }
        }
      }
    }

For more examples, see JoinSecurityGroup.json and JoinSecurityGroup.yml. In those examples, the ALIYUN::ECS::SecurityGroup and ALIYUN::ECS::JoinSecurityGroup resource types are used.