
Resource Orchestration Service:ALIYUN::NLB::SecurityPolicy

Last Updated: Apr 10, 2024

ALIYUN::NLB::SecurityPolicy is used to create a custom security policy (the set of TLS versions and cipher suites a listener accepts) for a TCP/SSL listener of a Network Load Balancer (NLB).

Syntax

{
  "Type": "ALIYUN::NLB::SecurityPolicy",
  "Properties": {
    "Ciphers": List,
    "ResourceGroupId": String,
    "SecurityPolicyName": String,
    "TlsVersions": List,
    "Tags": List
  }
}

Properties

Ciphers
  Type: List. Required: Yes. Editable: Yes.
  Description: The supported cipher suites.
  Constraint: The valid values of Ciphers vary based on the version of the Transport Layer Security (TLS) protocol. You can specify up to 32 cipher suites.

  Valid values for TLS 1.0 and TLS 1.1:
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA

  Valid values for TLS 1.2:
  • ECDHE-ECDSA-AES128-SHA
  • ECDHE-ECDSA-AES256-SHA
  • ECDHE-RSA-AES128-SHA
  • ECDHE-RSA-AES256-SHA
  • AES128-SHA
  • AES256-SHA
  • DES-CBC3-SHA
  • ECDHE-ECDSA-AES128-GCM-SHA256
  • ECDHE-ECDSA-AES256-GCM-SHA384
  • ECDHE-ECDSA-AES128-SHA256
  • ECDHE-ECDSA-AES256-SHA384
  • ECDHE-RSA-AES128-GCM-SHA256
  • ECDHE-RSA-AES256-GCM-SHA384
  • ECDHE-RSA-AES128-SHA256
  • ECDHE-RSA-AES256-SHA384
  • AES128-GCM-SHA256
  • AES256-GCM-SHA384
  • AES128-SHA256
  • AES256-SHA256

  Valid values for TLS 1.3:
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_CCM_SHA256
  • TLS_AES_128_CCM_8_SHA256

ResourceGroupId
  Type: String. Required: No. Editable: No.
  Description: The ID of the resource group.
  Constraint: None.

SecurityPolicyName
  Type: String. Required: No. Editable: Yes.
  Description: The name of the security policy.
  Constraint: The name must be 1 to 200 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-).

TlsVersions
  Type: List. Required: Yes. Editable: Yes.
  Description: The supported versions of the TLS protocol.
  Constraint: Valid values: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.

Tags
  Type: List. Required: No. Editable: Yes.
  Description: The tags.
  Constraint: You can add up to 20 tags. For more information, see Tags properties.

Tags syntax

"Tags": [
  {
    "Value": String,
    "Key": String
  }
]

Tags properties

Value
  Type: String. Required: No. Editable: No.
  Description: The tag value.
  Constraint: The tag value can be an empty string. The tag value can be up to 128 characters in length, and cannot start with acs:. It cannot contain http:// or https://.

Key
  Type: String. Required: Yes. Editable: No.
  Description: The tag key.
  Constraint: The tag key cannot be an empty string. The tag key can be up to 128 characters in length, and cannot start with aliyun or acs:. It cannot contain http:// or https://.
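As an added example (not part of this document or of ROS itself), the following Python checks the Properties of a SecurityPolicy resource against the constraints in the Properties and Tags properties tables above: every cipher must be valid for at least one of the selected TLS versions, 1 to 32 suites, the SecurityPolicyName character rule, and the tag count, prefix, length and URL rules. The per-version cipher tables are copied from this page; validate_security_policy and _check_tag are assumed names for this lint, not an Alibaba Cloud API.

```python
import re
# Cipher suites accepted per TLS version, copied from the Ciphers constraint above.
_LEGACY = {"ECDHE-ECDSA-AES128-SHA", "ECDHE-ECDSA-AES256-SHA", "ECDHE-RSA-AES128-SHA",
           "ECDHE-RSA-AES256-SHA", "AES128-SHA", "AES256-SHA", "DES-CBC3-SHA"}
CIPHERS_BY_TLS = {
    "TLSv1.0": _LEGACY,
    "TLSv1.1": _LEGACY,
    "TLSv1.2": _LEGACY | {
        "ECDHE-ECDSA-AES128-GCM-SHA256", "ECDHE-ECDSA-AES256-GCM-SHA384",
        "ECDHE-ECDSA-AES128-SHA256", "ECDHE-ECDSA-AES256-SHA384",
        "ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384",
        "ECDHE-RSA-AES128-SHA256", "ECDHE-RSA-AES256-SHA384",
        "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES256-SHA256"},
    "TLSv1.3": {"TLS_AES_128_GCM_SHA256", "TLS_AES_256_GCM_SHA384",
                "TLS_CHACHA20_POLY1305_SHA256", "TLS_AES_128_CCM_SHA256",
                "TLS_AES_128_CCM_8_SHA256"},
}
NAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,200}$")  # 1-200 chars: letters, digits, . _ -

def _check_tag(tag, errors):
    # Tags properties constraints: key/value length, reserved prefixes, URL schemes.
    key, value = tag.get("Key") or "", tag.get("Value") or ""
    if not key or len(key) > 128 or key.startswith(("aliyun", "acs:")):
        errors.append(f"tag key {key!r}: must be 1-128 chars and not start with aliyun/acs:")
    if len(value) > 128 or value.startswith("acs:"):
        errors.append(f"tag value {value!r}: must be <=128 chars and not start with acs:")
    if any(s in key or s in value for s in ("http://", "https://")):
        errors.append(f"tag {key!r}: http:// and https:// are not allowed")

def validate_security_policy(props):
    """Return every constraint violation in a SecurityPolicy Properties dict ([] = valid)."""
    errors = []
    versions = props.get("TlsVersions") or []
    if not versions or any(v not in CIPHERS_BY_TLS for v in versions):
        errors.append(f"TlsVersions must be drawn from {sorted(CIPHERS_BY_TLS)}, got {versions}")
    ciphers = props.get("Ciphers") or []
    if not 1 <= len(ciphers) <= 32:
        errors.append(f"Ciphers must list 1 to 32 suites, got {len(ciphers)}")
    # A suite is acceptable only if at least one of the enabled TLS versions supports it.
    allowed = set().union(*(CIPHERS_BY_TLS.get(v, set()) for v in versions))
    errors += [f"cipher {c} is not valid for any of {versions}" for c in ciphers if c not in allowed]
    name = props.get("SecurityPolicyName")
    if name is not None and not NAME_RE.match(name):
        errors.append(f"SecurityPolicyName {name!r}: 1-200 chars from letters, digits, . _ - only")
    tags = props.get("Tags") or []
    if len(tags) > 20:
        errors.append(f"at most 20 tags are allowed, got {len(tags)}")
    for tag in tags:
        _check_tag(tag, errors)
    return errors
```

Run it over the Properties block of a template before deployment; a TLS 1.2 suite listed under a TLSv1.3-only policy, for example, is reported as invalid rather than discovered at stack creation time.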

Return values

Fn::GetAtt

SecurityPolicyId: the ID of the TLS security policy.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      Ciphers:
        AssociationProperty: List[Parameter]
        AssociationPropertyMetadata:
          Parameter:
            Description:
              en: 'TLS 1.0 and TLS 1.1 support the following cipher suites:
    
                ECDHE-ECDSA-AES128-SHA
    
                ECDHE-ECDSA-AES256-SHA
    
                ECDHE-RSA-AES128-SHA
    
                ECDHE-RSA-AES256-SHA
    
                AES128-SHA
    
                AES256-SHA
    
                DES-CBC3-SHA
    
                TLS 1.2 supports the following cipher suites:
    
                ECDHE-ECDSA-AES128-SHA
    
                ECDHE-ECDSA-AES256-SHA
    
                ECDHE-RSA-AES128-SHA
    
                ECDHE-RSA-AES256-SHA
    
                AES128-SHA
    
                AES256-SHA
    
                DES-CBC3-SHA
    
                ECDHE-ECDSA-AES128-GCM-SHA256
    
                ECDHE-ECDSA-AES256-GCM-SHA384
    
                ECDHE-ECDSA-AES128-SHA256
    
                ECDHE-ECDSA-AES256-SHA384
    
                ECDHE-RSA-AES128-GCM-SHA256
    
                ECDHE-RSA-AES256-GCM-SHA384
    
                ECDHE-RSA-AES128-SHA256
    
                ECDHE-RSA-AES256-SHA384
    
                AES128-GCM-SHA256
    
                AES256-GCM-SHA384
    
                AES128-SHA256
    
                AES256-SHA256
    
                TLS 1.3 supports the following cipher suites:
    
                TLS_AES_128_GCM_SHA256
    
                TLS_AES_256_GCM_SHA384
    
                TLS_CHACHA20_POLY1305_SHA256
    
                TLS_AES_128_CCM_SHA256
    
                TLS_AES_128_CCM_8_SHA256'
            Required: false
            Type: String
        Description:
      en: The supported cipher suites, which are determined by the TLS protocol version.
        You can specify at most 32 cipher suites.
        MaxLength: 32
        MinLength: 1
        Required: true
        Type: Json
      ResourceGroupId:
        AssociationProperty: ALIYUN::ECS::ResourceGroup::ResourceGroupId
        Description:
          en: The ID of the resource group.
        Required: false
        Type: String
      SecurityPolicyName:
        Description:
          en: 'The name of the security policy.
    
            The name must be 1 to 200 characters in length, and can contain letters, digits,
            periods (.), underscores (_), and hyphens (-).'
        Required: false
        Type: String
      Tags:
        AssociationProperty: List[Parameters]
        AssociationPropertyMetadata:
          ListMetadata:
            Order:
            - Key
            - Value
          Parameters:
            Key:
              Required: true
              Type: String
            Value:
              Required: false
              Type: String
        Description:
      en: The tags to attach to the instance. You can add up to 20 tags when creating the instance.
        Each tag has two properties, Key and Value; Key is required.
        MaxLength: 20
        Required: false
        Type: Json
      TlsVersions:
        AssociationProperty: List[Parameter]
        AssociationPropertyMetadata:
          Parameter:
            Required: false
            Type: String
        Description:
          en: 'The supported versions of the Transport Layer Security (TLS) protocol.
            Valid values: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3.'
        MaxLength: 4
        MinLength: 1
        Required: true
        Type: Json
    Resources:
      SecurityPolicy:
        Properties:
          Ciphers:
            Ref: Ciphers
          ResourceGroupId:
            Ref: ResourceGroupId
          SecurityPolicyName:
            Ref: SecurityPolicyName
          Tags:
            Ref: Tags
          TlsVersions:
            Ref: TlsVersions
        Type: ALIYUN::NLB::SecurityPolicy
    Outputs:
      SecurityPolicyId:
        Description: The ID of the security policy.
        Value:
          Fn::GetAtt:
          - SecurityPolicy
          - SecurityPolicyId
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "Ciphers": {
          "AssociationPropertyMetadata": {
            "Parameter": {
              "Type": "String",
              "Description": {
                "en": "TLS 1.0 and TLS 1.1 support the following cipher suites:\nECDHE-ECDSA-AES128-SHA\nECDHE-ECDSA-AES256-SHA\nECDHE-RSA-AES128-SHA\nECDHE-RSA-AES256-SHA\nAES128-SHA\nAES256-SHA\nDES-CBC3-SHA\nTLS 1.2 supports the following cipher suites:\nECDHE-ECDSA-AES128-SHA\nECDHE-ECDSA-AES256-SHA\nECDHE-RSA-AES128-SHA\nECDHE-RSA-AES256-SHA\nAES128-SHA\nAES256-SHA\nDES-CBC3-SHA\nECDHE-ECDSA-AES128-GCM-SHA256\nECDHE-ECDSA-AES256-GCM-SHA384\nECDHE-ECDSA-AES128-SHA256\nECDHE-ECDSA-AES256-SHA384\nECDHE-RSA-AES128-GCM-SHA256\nECDHE-RSA-AES256-GCM-SHA384\nECDHE-RSA-AES128-SHA256\nECDHE-RSA-AES256-SHA384\nAES128-GCM-SHA256\nAES256-GCM-SHA384\nAES128-SHA256\nAES256-SHA256\nTLS 1.3 supports the following cipher suites:\nTLS_AES_128_GCM_SHA256\nTLS_AES_256_GCM_SHA384\nTLS_CHACHA20_POLY1305_SHA256\nTLS_AES_128_CCM_SHA256\nTLS_AES_128_CCM_8_SHA256"
              },
              "Required": false
            }
          },
          "AssociationProperty": "List[Parameter]",
          "Type": "Json",
          "Description": {
        "en": "The supported cipher suites, which are determined by the TLS protocol version. You can specify at most 32 cipher suites."
          },
          "Required": true,
          "MinLength": 1,
          "MaxLength": 32
        },
        "ResourceGroupId": {
          "AssociationProperty": "ALIYUN::ECS::ResourceGroup::ResourceGroupId",
          "Type": "String",
          "Description": {
            "en": "The ID of the resource group."
          },
          "Required": false
        },
        "SecurityPolicyName": {
          "Type": "String",
          "Description": {
            "en": "The name of the security policy.\nThe name must be 1 to 200 characters in length, and can contain letters, digits, periods (.), underscores (_), and hyphens (-)."
          },
          "Required": false
        },
        "TlsVersions": {
          "AssociationPropertyMetadata": {
            "Parameter": {
              "Type": "String",
              "Required": false
            }
          },
          "AssociationProperty": "List[Parameter]",
          "Type": "Json",
          "Description": {
            "en": "The supported versions of the Transport Layer Security (TLS) protocol. Valid values: TLSv1.0, TLSv1.1, TLSv1.2, and TLSv1.3."
          },
          "Required": true,
          "MinLength": 1,
          "MaxLength": 4
        },
        "Tags": {
          "AssociationPropertyMetadata": {
            "Parameters": {
              "Value": {
                "Type": "String",
                "Required": false
              },
              "Key": {
                "Type": "String",
                "Required": true
              }
            },
            "ListMetadata": {
              "Order": [
                "Key",
                "Value"
              ]
            }
          },
          "AssociationProperty": "List[Parameters]",
          "Type": "Json",
          "Description": {
        "en": "The tags to attach to the instance. You can add up to 20 tags when creating the instance. Each tag has two properties, Key and Value; Key is required."
          },
          "Required": false,
          "MaxLength": 20
        }
      },
      "Resources": {
        "SecurityPolicy": {
          "Type": "ALIYUN::NLB::SecurityPolicy",
          "Properties": {
            "Ciphers": {
              "Ref": "Ciphers"
            },
            "ResourceGroupId": {
              "Ref": "ResourceGroupId"
            },
            "SecurityPolicyName": {
              "Ref": "SecurityPolicyName"
            },
            "TlsVersions": {
              "Ref": "TlsVersions"
            },
            "Tags": {
              "Ref": "Tags"
            }
          }
        }
      },
      "Outputs": {
        "SecurityPolicyId": {
          "Description": "The ID of the security policy.",
          "Value": {
            "Fn::GetAtt": [
              "SecurityPolicy",
              "SecurityPolicyId"
            ]
          }
        }
      }
    }