Adds an access control policy to Cloud Firewall.
Syntax
{
"Type": "ALIYUN::CLOUDFW::ControlPolicy",
"Properties": {
"ApplicationName": String,
"DestPortType": String,
"Direction": String,
"Destination": String,
"Description": String,
"Proto": String,
"AclAction": String,
"Source": String,
"SourceType": String,
"DestinationType": String,
"NewOrder": Integer,
"DestPort": String,
"RegionId": String,
"DestPortGroup": String,
"Release": Boolean,
"RepeatType": String,
"StartTime": Integer,
"RepeatEndTime": String,
"DomainResolveType": String,
"IpVersion": String,
"RepeatDays": List,
"EndTime": Integer,
"RepeatStartTime": String,
"ApplicationNameList": List
}
}
Properties
|
Property |
Type |
Required |
Editable |
Description |
Constraint |
|
AclAction |
String |
Yes |
Yes |
Action to perform on traffic. |
Valid values:
|
|
ApplicationName |
String |
No |
Yes |
Application type for the policy. |
Valid values:
|
|
Description |
String |
Yes |
Yes |
Policy description. |
None. |
|
Destination |
String |
Yes |
Yes |
Destination address. |
Valid values:
|
|
DestinationType |
String |
Yes |
Yes |
Destination address type. |
Valid values:
|
|
Direction |
String |
Yes |
No |
Traffic direction. |
Valid values:
|
|
NewOrder |
Integer |
Yes |
Yes |
Policy priority. |
Starts from 1. Lower value = higher priority. Important
1 = highest priority. -1 = lowest priority. |
|
Proto |
String |
Yes |
Yes |
Protocol type. |
Valid values:
|
|
Source |
String |
Yes |
Yes |
Source address. |
Valid values:
|
|
SourceType |
String |
Yes |
Yes |
Source address type. |
Valid values:
|
|
DestPort |
String |
No |
Yes |
Destination port. |
Required when DestPortType is set to port. |
|
DestPortGroup |
String |
No |
Yes |
Destination port address book name. |
Required when DestPortType is set to group. |
|
DestPortType |
String |
No |
Yes |
Destination port type. |
Valid values:
|
|
RegionId |
String |
No |
No |
Region ID. |
Valid values:
|
|
Release |
Boolean |
No |
No |
Whether to enable the policy. |
Enabled by default after creation. Valid values:
|
|
RepeatType |
String |
No |
No |
Policy recurrence type. |
Valid values:
|
|
StartTime |
Integer |
No |
No |
Start time of the policy validity period. |
A timestamp in seconds. Must be on the hour or half hour, and at least 30 minutes before EndTime. Note
If RepeatType is Permanent, StartTime is empty. For None, Daily, Weekly, or Monthly, StartTime must be specified. |
|
RepeatEndTime |
String |
No |
No |
End time of the policy recurrence. |
Example: 23:30. Must be on the hour or half hour, and at least 30 minutes after RepeatStartTime. Note
If RepeatType is Permanent or None, RepeatEndTime is empty. For Daily, Weekly, or Monthly, RepeatEndTime must be specified. |
|
DomainResolveType |
String |
No |
No |
Domain name resolution method. |
Valid values:
|
|
IpVersion |
String |
No |
No |
IP version of the Cloud Firewall-protected asset. |
Valid values:
|
|
RepeatDays |
List |
No |
No |
Days on which the policy takes effect. |
Note
RepeatDays values cannot be repeated if RepeatType is Weekly.
Note
RepeatDays values cannot be repeated if RepeatType is Monthly. |
|
EndTime |
Integer |
No |
No |
End time of the policy validity period. |
A timestamp in seconds. Must be on the hour or half hour, and at least 30 minutes after StartTime. Note
If RepeatType is Permanent, EndTime is empty. For None, Daily, Weekly, or Monthly, EndTime must be specified. |
|
RepeatStartTime |
String |
No |
No |
Start time of the policy recurrence. |
Example: 08:00. Must be on the hour or half hour, and at least 30 minutes before RepeatEndTime. Note
If RepeatType is Permanent or None, RepeatStartTime is empty. For Daily, Weekly, or Monthly, RepeatStartTime must be specified. |
|
ApplicationNameList |
List |
No |
No |
Application names. |
None. |
Location codes
Categories of location codes
|
Category |
Code |
|
Locations in China |
ZD |
|
Locations outside China |
ZB |
Codes of locations in China
|
Location |
Code |
|
Beijing |
BJ11 |
|
Tianjin |
TJ12 |
|
Hebei |
HB13 |
|
Shanxi |
SX14 |
|
Liaoning |
LN21 |
|
Jilin |
JL22 |
|
Shanghai |
SH31 |
|
Jiangsu |
JS32 |
|
Zhejiang |
ZJ33 |
|
Anhui |
AH34 |
|
Fujian |
FJ35 |
|
Jiangxi |
JX36 |
|
Shandong |
SD37 |
|
Henan |
HN41 |
|
Hubei |
HB42 |
|
Hunan |
HN43 |
|
Guangdong |
GD44 |
|
Hainan |
HN46 |
|
Chongqing |
CQ50 |
|
Sichuan |
SC51 |
|
Guizhou |
GZ52 |
|
Yunnan |
YN53 |
|
Shaanxi |
SX61 |
|
Gansu |
GS62 |
|
Qinghai |
QH63 |
|
Heilongjiang |
HLJ23 |
|
Xizang |
XZ54 |
|
Guangxi |
GX45 |
|
Inner Mongolia |
NMG15 |
|
Ningxia |
NX64 |
|
Xinjiang |
XJ65 |
|
Taiwan (China) |
TW |
|
Hong Kong (China) |
HK |
|
Macao (China) |
MO |
Codes of locations outside China
|
Location |
Code |
|
Asia (except China) |
ZC |
|
Europe |
EU |
|
Africa |
AF |
|
North America |
NA |
|
South America |
LA |
|
Oceania |
OA |
|
Antarctica |
AQ |
Return values
Fn::GetAtt
AclUuid: unique ID of the access control policy.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Resources:
ControlPolicy:
Type: ALIYUN::CLOUDFW::ControlPolicy
Properties:
ApplicationName:
Ref: ApplicationName
DestPortType:
Ref: DestPortType
Direction:
Ref: Direction
AclAction:
Ref: AclAction
Description:
Ref: Description
Proto:
Ref: Proto
Destination:
Ref: Destination
Source:
Ref: Source
DestinationType:
Ref: DestinationType
NewOrder:
Ref: NewOrder
DestPortGroup:
Ref: DestPortGroup
DestPort:
Ref: DestPort
RegionId:
Ref: RegionId
SourceType:
Ref: SourceType
Parameters:
ApplicationName:
Type: String
Description: 'Application types supported by the security policy. The following
types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP,
VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy
is applied to all types of applications.'
AllowedValues:
- ANY
- HTTP
- HTTPS
- MQTT
- Memcache
- MongoDB
- MySQL
- RDP
- Redis
- SMTP
- SMTPS
- SSH
- SSL
- VNC
DestPortType:
Type: String
Description: 'Security access control policy access destination port traffic type.
port: Port group: port address book'
AllowedValues:
- group
- port
Direction:
Type: String
Description: 'Security access control traffic direction policies. in: internal
and external traffic access control. out: within the flow of external access
control'
AllowedValues:
- in
- out
AclAction:
Type: String
Description: 'Traffic access control policy set by the cloud of a firewall. accept:
Release. drop: rejected. log: Observation'
AllowedValues:
- accept
- drop
- log
Description:
MinLength: 1
Type: String
Description: Security access control policy description information.
Proto:
Type: String
Description: 'The type of security protocol for traffic access in the security
access control policy. Can be set to ANY when you are not sure of the specific
protocol type. Allowed values: ANY, TCP, UDP, ICMP'
AllowedValues:
- ANY
- ICMP
- TCP
- UDP
Destination:
MinLength: 1
Type: String
Description: 'Security Access Control destination address policy. When DestinationType
is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType
as a group, Destination for the purpose of the address book name. For example:
db_group. When DestinationType for the domain, Destination for the purpose of
a domain name. For example:. * example.com. When DestinationType as location,
Destination area for the purpose (see below position encoding specific regions).
For example: [ "BJ11", "ZB"]'
Source:
MinLength: 1
Type: String
Description: 'Security access control source address policy. When SourceType for
the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType
as a group, Source name for the source address book. For example: db_group.
When SourceType as location, Source source region (specific region position
encoder see below). For example, [ "BJ11", "ZB"]'
DestinationType:
Type: String
Description: 'Security Access Control destination address type of policy. net:
Destination network segment (CIDR). group: destination address book. domain:
The purpose domain. location: The purpose area'
AllowedValues:
- domain
- group
- location
- net
NewOrder:
Type: Number
Description: Security access control priority policy in force. Priority number
increments sequentially from 1, lower the priority number, the higher the priority.
Description -1 indicates the lowest priority.
MinValue: -1
DestPortGroup:
Type: String
Description: Security access control policy access traffic destination port address
book name. Description DestPortType is group, set the item.
DestPort:
Type: String
Description: Security access control policy access traffic destination port. Note
When DestPortType to port, set the item.
RegionId:
Default: cn-hangzhou
Type: String
Description: Region ID. Default to cn-hangzhou.
AllowedValues:
- cn-hangzhou
- ap-southeast-1
SourceType:
Type: String
Description: 'Security access control source address type of policy. net: Source
segment (CIDR). group: source address book. location: the source area'
AllowedValues:
- group
- location
- net
Outputs:
AclUuid:
Description: Security access control ID that uniquely identifies the policy.
Value:
Fn::GetAtt:
- ControlPolicy
- AclUuid
JSON format
{
"ROSTemplateFormatVersion": "2015-09-01",
"Resources": {
"ControlPolicy": {
"Type": "ALIYUN::CLOUDFW::ControlPolicy",
"Properties": {
"ApplicationName": {
"Ref": "ApplicationName"
},
"DestPortType": {
"Ref": "DestPortType"
},
"Direction": {
"Ref": "Direction"
},
"AclAction": {
"Ref": "AclAction"
},
"Description": {
"Ref": "Description"
},
"Proto": {
"Ref": "Proto"
},
"Destination": {
"Ref": "Destination"
},
"Source": {
"Ref": "Source"
},
"DestinationType": {
"Ref": "DestinationType"
},
"NewOrder": {
"Ref": "NewOrder"
},
"DestPortGroup": {
"Ref": "DestPortGroup"
},
"DestPort": {
"Ref": "DestPort"
},
"RegionId": {
"Ref": "RegionId"
},
"SourceType": {
"Ref": "SourceType"
}
}
}
},
"Parameters": {
"ApplicationName": {
"Type": "String",
"Description": "Application types supported by the security policy. The following types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy is applied to all types of applications.",
"AllowedValues": [
"ANY",
"HTTP",
"HTTPS",
"MQTT",
"Memcache",
"MongoDB",
"MySQL",
"RDP",
"Redis",
"SMTP",
"SMTPS",
"SSH",
"SSL",
"VNC"
]
},
"DestPortType": {
"Type": "String",
"Description": "Security access control policy access destination port traffic type. port: Port group: port address book",
"AllowedValues": [
"group",
"port"
]
},
"Direction": {
"Type": "String",
"Description": "Security access control traffic direction policies. in: internal and external traffic access control. out: within the flow of external access control",
"AllowedValues": [
"in",
"out"
]
},
"AclAction": {
"Type": "String",
"Description": "Traffic access control policy set by the cloud of a firewall. accept: Release. drop: rejected. log: Observation",
"AllowedValues": [
"accept",
"drop",
"log"
]
},
"Description": {
"MinLength": 1,
"Type": "String",
"Description": "Security access control policy description information."
},
"Proto": {
"Type": "String",
"Description": "The type of security protocol for traffic access in the security access control policy. Can be set to ANY when you are not sure of the specific protocol type. Allowed values: ANY, TCP, UDP, ICMP",
"AllowedValues": [
"ANY",
"ICMP",
"TCP",
"UDP"
]
},
"Destination": {
"MinLength": 1,
"Type": "String",
"Description": "Security Access Control destination address policy. When DestinationType is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType as a group, Destination for the purpose of the address book name. For example: db_group. When DestinationType for the domain, Destination for the purpose of a domain name. For example:. * example.com. When DestinationType as location, Destination area for the purpose (see below position encoding specific regions). For example: [ \"BJ11\", \"ZB\"]"
},
"Source": {
"MinLength": 1,
"Type": "String",
"Description": "Security access control source address policy. When SourceType for the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType as a group, Source name for the source address book. For example: db_group. When SourceType as location, Source source region (specific region position encoder see below). For example, [ \"BJ11\", \"ZB\"]"
},
"DestinationType": {
"Type": "String",
"Description": "Security Access Control destination address type of policy. net: Destination network segment (CIDR). group: destination address book. domain: The purpose domain. location: The purpose area",
"AllowedValues": [
"domain",
"group",
"location",
"net"
]
},
"NewOrder": {
"Type": "Number",
"Description": "Security access control priority policy in force. Priority number increments sequentially from 1, lower the priority number, the higher the priority. Description -1 indicates the lowest priority.",
"MinValue": -1
},
"DestPortGroup": {
"Type": "String",
"Description": "Security access control policy access traffic destination port address book name. Description DestPortType is group, set the item."
},
"DestPort": {
"Type": "String",
"Description": "Security access control policy access traffic destination port. Note When DestPortType to port, set the item."
},
"RegionId": {
"Default": "cn-hangzhou",
"Type": "String",
"Description": "Region ID. Default to cn-hangzhou.",
"AllowedValues": [
"cn-hangzhou",
"ap-southeast-1"
]
},
"SourceType": {
"Type": "String",
"Description": "Security access control source address type of policy. net: Source segment (CIDR). group: source address book. location: the source area",
"AllowedValues": [
"group",
"location",
"net"
]
}
},
"Outputs": {
"AclUuid": {
"Description": "Security access control ID that uniquely identifies the policy.",
"Value": {
"Fn::GetAtt": [
"ControlPolicy",
"AclUuid"
]
}
}
}
}