ALIYUN::ECS::SecurityGroupIngress is used to create an inbound access rule for a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroupIngress",
  "Properties": {
    "SourceGroupOwnerId": String,
    "Description": String,
    "PortRange": String,
    "SecurityGroupId": String,
    "NicType": String,
    "Ipv6SourceCidrIp": String,
    "Priority": Integer,
    "SourceGroupId": String,
    "Policy": String,
    "IpProtocol": String,
    "SourcePortRange": String,
    "SourceCidrIp": String,
    "SourcePrefixListId": String
  }
}

Properties

Each property is listed with its type, whether it is required, and whether it can be edited after creation, followed by its description and constraints.

IpProtocol (String; required; not editable)
  The transport layer protocol. Valid values:
  • tcp
  • udp
  • icmp
  • gre
  • all: all of the preceding protocols are supported.

PortRange (String; required; not editable)
  The range of ports that you want to configure for the transport layer protocol in the destination security group. Valid values:
  • If IpProtocol is tcp or udp: 1 to 65535. Separate the start port number and the end port number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • If IpProtocol is icmp: -1/-1.
  • If IpProtocol is gre: -1/-1.
  • If IpProtocol is all: -1/-1.
  For more information about common port usage scenarios, see Typical applications of commonly used ports.

SourcePrefixListId (String; optional; not editable)
  The ID of the destination prefix list on which you want to grant inbound access permissions. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.
  If a security group is in the classic network, you cannot configure prefix lists in the security group rule. For more information, see the "Security group limits" section in Limits.
  If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId property, the system ignores the value of the SourcePrefixListId property.

SourceGroupId (String; optional; not editable)
  The ID of the source security group on which you want to grant inbound access permissions. You must specify at least one of the SourceGroupId and SourceCidrIp properties.
  If you specify the SourceGroupId property but leave the SourceCidrIp property empty, you must set the NicType property to intranet.
  If you specify both the SourceGroupId and SourceCidrIp properties, the value of the SourceCidrIp property is used.

SecurityGroupId (String; optional; not editable)
  The ID of the security group for which you want to create the inbound access rule. No further constraints.

NicType (String; optional; not editable)
  The type of the network interface controller (NIC). Default value: internet. Valid values:
  • internet: public NIC
  • intranet: internal NIC
  If you specify the SourceGroupId property but leave the SourceCidrIp property empty, you must set the NicType property to intranet.

Priority (Integer; optional; not editable)
  The priority of the security group rule. Valid values: 1 to 100. Default value: 1.

SourceCidrIp (String; optional; not editable)
  The source IPv4 CIDR block. Only IPv4 CIDR blocks are supported.

Policy (String; optional; not editable)
  The action of the rule, which determines whether inbound access is accepted. Default value: accept. Valid values:
  • accept
  • drop

SourceGroupOwnerId (String; optional; not editable)
  The ID of the Alibaba Cloud account that manages the source security group when you configure a security group rule across accounts. If you leave this property empty, the inbound access permissions are granted to security groups within your own account.
  If you specify the SourceCidrIp property, the system ignores the value of the SourceGroupOwnerId property.

Description (String; optional; editable)
  The description of the security group rule. The description must be 1 to 512 characters in length.

SourcePortRange (String; optional; not editable)
  The range of ports that you want to configure for the transport layer protocol in the source security group. Valid values:
  • If IpProtocol is tcp or udp: 1 to 65535. Separate the start port number and the end port number with a forward slash (/). Correct example: 1/200. Incorrect example: 200/1.
  • If IpProtocol is icmp: -1/-1.
  • If IpProtocol is gre: -1/-1.
  • If IpProtocol is all: -1/-1.

Ipv6SourceCidrIp (String; optional; not editable)
  The source IPv6 CIDR block. Both CIDR blocks and individual IPv6 addresses are supported. You can specify only IP addresses of the virtual private cloud (VPC) type.
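As an added example that is not part of the ROS documentation, the Python check below applies the property constraints above to a resource's Properties before the template is deployed, and additionally flags accept rules whose IPv4 source is the entire internet. The SAMPLE dict and the sg-EXAMPLE ID are constructed for illustration.

```python
# Added example, not part of the ROS documentation: lint the Properties of an
# ALIYUN::ECS::SecurityGroupIngress resource against the constraints listed
# above and flag accept rules whose IPv4 source is the whole internet.
import ipaddress
import re

PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}
PORT_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")


def port_range_ok(proto, value):
    """'start/end' with 1 <= start <= end <= 65535 for tcp/udp; '-1/-1' otherwise."""
    if proto in ("icmp", "gre", "all"):
        return value == "-1/-1"
    m = PORT_RE.match(value or "")
    return bool(m) and 1 <= int(m.group(1)) <= int(m.group(2)) <= 65535


def lint_ingress(props):
    """Return the list of findings for one resource's Properties (empty = passes)."""
    f = []
    proto = props.get("IpProtocol")
    if proto not in PROTOCOLS:
        f.append("IpProtocol must be one of tcp, udp, icmp, gre, all")
    if not port_range_ok(proto, props.get("PortRange")):
        f.append("PortRange is malformed for IpProtocol=%s" % proto)
    if "SourcePortRange" in props and not port_range_ok(proto, props["SourcePortRange"]):
        f.append("SourcePortRange is malformed for IpProtocol=%s" % proto)
    if not 1 <= int(props.get("Priority", 1)) <= 100:
        f.append("Priority must be 1 to 100")
    if props.get("Policy", "accept") not in ("accept", "drop"):
        f.append("Policy must be accept or drop")
    cidr, group = props.get("SourceCidrIp"), props.get("SourceGroupId")
    if not cidr and not group:
        f.append("at least one of SourceCidrIp and SourceGroupId is required")
    if group and not cidr and props.get("NicType", "internet") != "intranet":
        f.append("SourceGroupId without SourceCidrIp requires NicType=intranet")
    if cidr:  # SourceCidrIp takes precedence over SourceGroupId, so judge exposure by it
        try:
            net = ipaddress.IPv4Network(cidr, strict=False)
        except ValueError:
            f.append("SourceCidrIp must be an IPv4 CIDR block")
        else:
            if net.prefixlen == 0 and props.get("Policy", "accept") == "accept":
                f.append("RISK: rule accepts inbound traffic from any IPv4 address")
    return f


# Constructed sample (sg-EXAMPLE is a placeholder): tcp/22 accepted from anywhere.
SAMPLE = {"SecurityGroupId": "sg-EXAMPLE", "IpProtocol": "tcp", "PortRange": "22/22",
          "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1}
```

Run lint_ingress over each SecurityGroupIngress resource's Properties after resolving Ref values; a non-empty list blocks the deployment or raises a review finding.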

Return values

Fn::GetAtt

None.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      SourceGroupId:
        Type: String
        Description: Source Group Id
      Policy:
        Type: String
        Description: >-
          Authorization policies, parameter values can be: accept (accepted access),
          drop (denied access). Default value is accept.
        AllowedValues:
          - accept
          - drop
      PortRange:
        Type: String
        Description: >-
          Ip protocol relative port range. For tcp and udp, the port range is
          [1,65535], using format '1/200'. For icmp|gre|all protocols, the port range
          should be '-1/-1'
      Description:
        Type: String
        Description: >-
          Description of the security group rule, [1, 512] characters. The default
          is empty.
        MinLength: 1
        MaxLength: 512
      SourcePortRange:
        Type: String
        Description: >-
          The range of the ports enabled by the source security group for the
          transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535.
          The start port and the end port are separated by a slash (/). Correct
          example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL:
          -1/-1.
      Priority:
        Type: Number
        Description: 'Authorization policies priority range[1, 100]'
        MinValue: 1
        MaxValue: 100
        Default: 1
      SecurityGroupId:
        Type: String
        Description: Id of the security group.
      SourceCidrIp:
        Type: String
        Description: Source CIDR Ip Address range. Only IPV4 supported.
      SourceGroupOwnerId:
        Type: String
        Description: Source Group Owner Account ID
      IpProtocol:
        Type: String
        Description: Ip protocol for in rule.
        AllowedValues:
          - tcp
          - udp
          - icmp
          - gre
          - all
      Ipv6SourceCidrIp:
        Type: String
        Description: >-
          Source IPv6 CIDR address segment. Supports IP address ranges in CIDR
          format and IPv6 format.
    
          Note Only VPC type IP addresses are supported.
      NicType:
        Type: String
        Description: >-
          Network type, could be 'internet' or 'intranet'. Default value is
          internet.
        AllowedValues:
          - internet
          - intranet
    Resources:
      SecurityGroupIngress:
        Type: 'ALIYUN::ECS::SecurityGroupIngress'
        Properties:
          SourceGroupId:
            Ref: SourceGroupId
          Policy:
            Ref: Policy
          PortRange:
            Ref: PortRange
          Description:
            Ref: Description
          SourcePortRange:
            Ref: SourcePortRange
          Priority:
            Ref: Priority
          SecurityGroupId:
            Ref: SecurityGroupId
          SourceCidrIp:
            Ref: SourceCidrIp
          SourceGroupOwnerId:
            Ref: SourceGroupOwnerId
          IpProtocol:
            Ref: IpProtocol
          Ipv6SourceCidrIp:
            Ref: Ipv6SourceCidrIp
          NicType:
            Ref: NicType
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "SourceGroupId": {
          "Type": "String",
          "Description": "Source Group Id"
        },
        "Policy": {
          "Type": "String",
          "Description": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.",
          "AllowedValues": [
            "accept",
            "drop"
          ]
        },
        "PortRange": {
          "Type": "String",
          "Description": "Ip protocol relative port range. For tcp and udp, the port range is [1,65535], using format '1/200'. For icmp|gre|all protocols, the port range should be '-1/-1'"
        },
        "Description": {
          "Type": "String",
          "Description": "Description of the security group rule, [1, 512] characters. The default is empty.",
          "MinLength": 1,
          "MaxLength": 512
        },
        "SourcePortRange": {
          "Type": "String",
          "Description": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. ALL: -1/-1."
        },
        "Priority": {
          "Type": "Number",
          "Description": "Authorization policies priority range[1, 100]",
          "MinValue": 1,
          "MaxValue": 100,
          "Default": 1
        },
        "SecurityGroupId": {
          "Type": "String",
          "Description": "Id of the security group."
        },
        "SourceCidrIp": {
          "Type": "String",
          "Description": "Source CIDR Ip Address range. Only IPV4 supported."
        },
        "SourceGroupOwnerId": {
          "Type": "String",
          "Description": "Source Group Owner Account ID"
        },
        "IpProtocol": {
          "Type": "String",
          "Description": "Ip protocol for in rule.",
          "AllowedValues": [
            "tcp",
            "udp",
            "icmp",
            "gre",
            "all"
          ]
        },
        "Ipv6SourceCidrIp": {
          "Type": "String",
          "Description": "Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
        },
        "NicType": {
          "Type": "String",
          "Description": "Network type, could be 'internet' or 'intranet'. Default value is internet.",
          "AllowedValues": [
            "internet",
            "intranet"
          ]
        }
      },
      "Resources": {
        "SecurityGroupIngress": {
          "Type": "ALIYUN::ECS::SecurityGroupIngress",
          "Properties": {
            "SourceGroupId": {
              "Ref": "SourceGroupId"
            },
            "Policy": {
              "Ref": "Policy"
            },
            "PortRange": {
              "Ref": "PortRange"
            },
            "Description": {
              "Ref": "Description"
            },
            "SourcePortRange": {
              "Ref": "SourcePortRange"
            },
            "Priority": {
              "Ref": "Priority"
            },
            "SecurityGroupId": {
              "Ref": "SecurityGroupId"
            },
            "SourceCidrIp": {
              "Ref": "SourceCidrIp"
            },
            "SourceGroupOwnerId": {
              "Ref": "SourceGroupOwnerId"
            },
            "IpProtocol": {
              "Ref": "IpProtocol"
            },
            "Ipv6SourceCidrIp": {
              "Ref": "Ipv6SourceCidrIp"
            },
            "NicType": {
              "Ref": "NicType"
            }
          }
        }
      }
    }