The ALIYUN::ECS::SecurityGroupEgress type is used to create an outbound access rule for a security group.

Syntax

{
  "Type": "ALIYUN::ECS::SecurityGroupEgress",
  "Properties": {
    "SecurityGroupId": String,
    "IpProtocol": String,
    "PortRange": String,
    "DestGroupId": String,
    "DestCidrIp": String,
    "Policy": String,
    "Priority": String,
    "NicType": String,
    "DestPrefixListId": String,
    "Description": String,
    "DestGroupOwnerId": String,
    "Ipv6DestCidrIp": String
  }
}

Properties

Property name | Type | Required | Updatable | Description | Constraints

IpProtocol | String | Transport-layer protocol. | Valid values:
  • tcp
  • udp
  • icmp
  • gre
  • all: all four protocols at once.

PortRange | String | Port range of the transport-layer protocol that is opened on the destination side. | Valid values:
  • TCP/UDP: 1 to 65535. Separate the start port and the end port with a forward slash (/). Correct example: 1/200; incorrect example: 200/1.
  • ICMP: -1/-1.
  • GRE: -1/-1.
  • all: -1/-1.

For the application scenarios of ports, see Common ports.

SecurityGroupId | String | ID of the source security group.

DestPrefixListId | String | ID of the destination prefix list for which outbound access is to be granted. | You can call DescribePrefixLists to query the available prefix list IDs.

Prefix lists are not supported when the security group belongs to the classic network. For more information, see Security group limits.

This parameter is ignored when any one of DestCidrIp, Ipv6DestCidrIp or DestGroupId is specified.

NicType | String | Network interface type. | Valid values:
  • internet (default): public-facing network interface.
  • intranet: internal network interface.
When the rule grants access between security groups, that is, DestGroupId is specified but DestCidrIp is not, this parameter takes the value intranet.

Priority | Integer | Priority of the security group rule. | Value range: 1 to 100.

Default value: 1.

DestGroupId | String | ID of the destination security group for which access is to be granted. | Set at least one of DestGroupId and DestCidrIp.

If DestGroupId is specified but DestCidrIp is not, NicType takes the value intranet.

If both DestGroupId and DestCidrIp are specified, the DestCidrIp setting takes precedence.

DestCidrIp | String | Destination IP address range. | IPv4 address ranges are supported.

Policy | String | Access permission. | Valid values:
  • accept (default): allow access.
  • drop: deny access.

Description | String | Description of the security group rule. | 1 to 512 characters in length.

DestGroupOwnerId | String | When a security group rule is set across accounts, the Alibaba Cloud account ID that owns the destination security group. | If DestGroupOwnerId is not set, the rule is taken to grant access to another of your own security groups. If you have already set DestCidrIp, the DestGroupOwnerId setting has no effect.

Ipv6DestCidrIp | String | Destination IPv6 CIDR block. | Supports IP address ranges in CIDR format and IPv6 format; only VPC-type IP addresses are supported.
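The constraints above interact (PortRange depends on IpProtocol, NicType on whether DestCidrIp accompanies DestGroupId, and several fields are silently ignored). The following checker is an added example, not code from the ROS documentation or the ROS engine: it applies those constraints to one SecurityGroupEgress Properties dict before a template is deployed, so a rule that would be rejected or quietly reinterpreted is caught in review. One assumption is labelled in the code: any of the four destination fields is taken to satisfy the "at least DestGroupId or DestCidrIp" requirement.

```python
import ipaddress
import re

# Added example (not ROS's own code): checks a SecurityGroupEgress Properties
# dict against the constraints this page lists, before the template is deployed.
PORT_RE = re.compile(r"^(-?\d+)/(-?\d+)$")
DEST_KEYS = ("DestCidrIp", "Ipv6DestCidrIp", "DestGroupId", "DestPrefixListId")

def check_port_range(proto, port_range):
    """Problems with PortRange for the given IpProtocol (empty list if fine)."""
    m = PORT_RE.match(str(port_range))
    if not m:
        return [f"PortRange {port_range!r} must be 'start/end'"]
    start, end = int(m.group(1)), int(m.group(2))
    if proto in ("tcp", "udp") and not 1 <= start <= end <= 65535:
        return [f"{proto}: need 1 <= start <= end <= 65535, got {start}/{end}"]
    if proto in ("icmp", "gre", "all") and (start, end) != (-1, -1):
        return [f"{proto}: PortRange must be -1/-1, got {start}/{end}"]
    return []

def cidr_version(value):
    """IP version of an address or CIDR string, or None if it does not parse."""
    try:
        return ipaddress.ip_network(value, strict=False).version
    except ValueError:
        return None

def validate_egress(p):
    """Return a list of problems for one SecurityGroupEgress Properties dict."""
    problems = check_port_range(p.get("IpProtocol"), p.get("PortRange", ""))
    # Assumption: any of the four destination fields satisfies the "at least
    # DestGroupId or DestCidrIp" rule, since the others also name a destination.
    if not any(p.get(k) for k in DEST_KEYS):
        problems.append("set DestGroupId or DestCidrIp (no destination given)")
    if p.get("DestCidrIp") and cidr_version(p["DestCidrIp"]) != 4:
        problems.append("DestCidrIp must be an IPv4 address or CIDR")
    if p.get("Ipv6DestCidrIp") and cidr_version(p["Ipv6DestCidrIp"]) != 6:
        problems.append("Ipv6DestCidrIp must be an IPv6 address or CIDR")
    if not 1 <= int(p.get("Priority", 1)) <= 100:
        problems.append("Priority must be in 1..100")
    if "Description" in p and not 1 <= len(p["Description"]) <= 512:
        problems.append("Description must be 1..512 characters")
    # A group-to-group rule with no DestCidrIp runs on the intranet NIC.
    if p.get("DestGroupId") and not p.get("DestCidrIp") and p.get("NicType") == "internet":
        problems.append("NicType must be intranet when only DestGroupId is set")
    # Inputs the page says are ignored once a more specific destination is set.
    if p.get("DestPrefixListId") and any(p.get(k) for k in DEST_KEYS[:3]):
        problems.append("DestPrefixListId ignored: DestCidrIp/Ipv6DestCidrIp/DestGroupId set")
    if p.get("DestGroupOwnerId") and p.get("DestCidrIp"):
        problems.append("DestGroupOwnerId has no effect when DestCidrIp is set")
    return problems
```

Run it over each resource's Properties block after loading the JSON or YAML template; an empty list means the rule is consistent with the constraints on this page.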

Return values

Fn::GetAtt

None.

Examples

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "Policy": {
      "Type": "String",
      "Description": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.",
      "AllowedValues": [
        "accept",
        "drop"
      ]
    },
    "PortRange": {
      "Type": "String",
      "Description": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
    },
    "Description": {
      "Type": "String",
      "Description": "Description of the security group rule, [1, 512] characters. The default is empty.",
      "MinLength": 1,
      "MaxLength": 512
    },
    "Priority": {
      "Type": "Number",
      "Description": "Authorization policies priority range[1, 100]",
      "MinValue": 1,
      "MaxValue": 100,
      "Default": 1
    },
    "SecurityGroupId": {
      "Type": "String",
      "Description": "Id of the security group."
    },
    "DestGroupOwnerId": {
      "Type": "String",
      "Description": "Dest Group Owner Account ID"
    },
    "IpProtocol": {
      "Type": "String",
      "Description": "Ip protocol for in rule.",
      "AllowedValues": [
        "tcp",
        "udp",
        "icmp",
        "gre",
        "all"
      ]
    },
    "DestCidrIp": {
      "Type": "String",
      "Description": "Dest CIDR Ip Address range. Only IPV4 supported."
    },
    "NicType": {
      "Type": "String",
      "Description": "Network type, could be 'internet' or 'intranet'. Default value is internet.",
      "AllowedValues": [
        "internet",
        "intranet"
      ]
    },
    "Ipv6DestCidrIp": {
      "Type": "String",
      "Description": "Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
    },
    "DestGroupId": {
      "Type": "String",
      "Description": "Dest Group Id"
    }
  },
  "Resources": {
    "SecurityGroupEgress": {
      "Type": "ALIYUN::ECS::SecurityGroupEgress",
      "Properties": {
        "Policy": {
          "Ref": "Policy"
        },
        "PortRange": {
          "Ref": "PortRange"
        },
        "Description": {
          "Ref": "Description"
        },
        "Priority": {
          "Ref": "Priority"
        },
        "SecurityGroupId": {
          "Ref": "SecurityGroupId"
        },
        "DestGroupOwnerId": {
          "Ref": "DestGroupOwnerId"
        },
        "IpProtocol": {
          "Ref": "IpProtocol"
        },
        "DestCidrIp": {
          "Ref": "DestCidrIp"
        },
        "NicType": {
          "Ref": "NicType"
        },
        "Ipv6DestCidrIp": {
          "Ref": "Ipv6DestCidrIp"
        },
        "DestGroupId": {
          "Ref": "DestGroupId"
        }
      }
    }
  }
}

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  Policy:
    Type: String
    Description: >-
      Authorization policies, parameter values can be: accept (accepted access),
      drop (denied access). Default value is accept.
    AllowedValues:
      - accept
      - drop
  PortRange:
    Type: String
    Description: >-
      Ip protocol relative port range. For tcp and udp, the port rang is
      [1,65535], using format '1/200'For icmp|gre|all protocel, the port range
      should be '-1/-1'
  Description:
    Type: String
    Description: >-
      Description of the security group rule, [1, 512] characters. The default
      is empty.
    MinLength: 1
    MaxLength: 512
  Priority:
    Type: Number
    Description: 'Authorization policies priority range[1, 100]'
    MinValue: 1
    MaxValue: 100
    Default: 1
  SecurityGroupId:
    Type: String
    Description: Id of the security group.
  DestGroupOwnerId:
    Type: String
    Description: Dest Group Owner Account ID
  IpProtocol:
    Type: String
    Description: Ip protocol for in rule.
    AllowedValues:
      - tcp
      - udp
      - icmp
      - gre
      - all
  DestCidrIp:
    Type: String
    Description: Dest CIDR Ip Address range. Only IPV4 supported.
  NicType:
    Type: String
    Description: >-
      Network type, could be 'internet' or 'intranet'. Default value is
      internet.
    AllowedValues:
      - internet
      - intranet
  Ipv6DestCidrIp:
    Type: String
    Description: >-
      Destination IPv6 CIDR address segment. Supports IP address ranges in CIDR
      format and IPv6 format.

      Note Only VPC type IP addresses are supported.
  DestGroupId:
    Type: String
    Description: Dest Group Id
Resources:
  SecurityGroupEgress:
    Type: 'ALIYUN::ECS::SecurityGroupEgress'
    Properties:
      Policy:
        Ref: Policy
      PortRange:
        Ref: PortRange
      Description:
        Ref: Description
      Priority:
        Ref: Priority
      SecurityGroupId:
        Ref: SecurityGroupId
      DestGroupOwnerId:
        Ref: DestGroupOwnerId
      IpProtocol:
        Ref: IpProtocol
      DestCidrIp:
        Ref: DestCidrIp
      NicType:
        Ref: NicType
      Ipv6DestCidrIp:
        Ref: Ipv6DestCidrIp
      DestGroupId:
        Ref: DestGroupId