ALIYUN::CLOUDFW::ControlPolicy

更新时间:
复制 MD 格式

Adds an access control policy to Cloud Firewall.

Syntax

{
  "Type": "ALIYUN::CLOUDFW::ControlPolicy",
  "Properties": {
    "ApplicationName": String,
    "DestPortType": String,
    "Direction": String,
    "Destination": String,
    "Description": String,
    "Proto": String,
    "AclAction": String,
    "Source": String,
    "SourceType": String,
    "DestinationType": String,
    "NewOrder": Integer,
    "DestPort": String,
    "RegionId": String,
    "DestPortGroup": String,
    "Release": Boolean,
    "RepeatType": String,
    "StartTime": Integer,
    "RepeatEndTime": String,
    "DomainResolveType": String,
    "IpVersion": String,
    "RepeatDays": List,
    "EndTime": Integer,
    "RepeatStartTime": String,
    "ApplicationNameList": List
  }
}

Properties

Property

Type

Required

Editable

Description

Constraint

AclAction

String

Yes

Yes

Action to perform on traffic.

Valid values:

  • accept: allows traffic.

  • drop: denies traffic.

  • log: monitors traffic.

ApplicationName

String

No

Yes

Application type for the policy.

Valid values:

  • ANY

    Note

    Applies to all application types.

  • HTTP

  • HTTPS

  • MySQL

  • SMTP

  • SMTPS

  • RDP

  • VNC

  • SSH

  • Redis

  • MQTT

  • MongoDB

  • Memcache

  • SSL

Description

String

Yes

Yes

Policy description.

None.

Destination

String

Yes

Yes

Destination address.

Valid values:

  • If you set DestinationType to net, the value of Destination is a destination CIDR block. Example: 10.10.XX.XX/24.

  • If you set DestinationType to group, the value of Destination is a destination address book name. Example: db_group.

  • If you set DestinationType to domain, the value of Destination is a destination domain name. Example: *.example.com.

  • If you set DestinationType to location, the value of Destination is a destination location code. Examples: "BJ11" and "ZB".

    For more information about the location codes supported by Destination, see Location codes.

DestinationType

String

Yes

Yes

Destination address type.

Valid values:

  • net: destination CIDR block

  • group: destination address book

  • domain: destination domain name

  • location: destination location

Direction

String

Yes

No

Traffic direction.

Valid values:

  • in: inbound direction

  • out: outbound direction

NewOrder

Integer

Yes

Yes

Policy priority.

Starts from 1. Lower value = higher priority.

Important

1 = highest priority. -1 = lowest priority.

Proto

String

Yes

Yes

Protocol type.

Valid values:

  • ANY

    Note

    Use ANY if the protocol type is unknown.

  • TCP

  • UDP

  • ICMP

Source

String

Yes

Yes

Source address.

Valid values:

  • If you set SourceType to net, the value of Source is a source CIDR block. Example: 10.10.XX.XX/24.

  • If you set SourceType to group, the value of Source is a source address book name. Example: db_group.

  • If you set SourceType to location, the value of Source is a source location code. Examples: "BJ11" and "ZB".

    For more information about the location codes supported by Source, see Location codes.

SourceType

String

Yes

Yes

Source address type.

Valid values:

  • net: source CIDR block

  • group: source address book

  • location: source location

DestPort

String

No

Yes

Destination port.

Required when DestPortType is set to port.

DestPortGroup

String

No

Yes

Destination port address book name.

Required when DestPortType is set to group.

DestPortType

String

No

Yes

Destination port type.

Valid values:

  • port: port

  • group: port address book

RegionId

String

No

No

Region ID.

Valid values:

  • cn-hangzhou (default)

  • ap-southeast-1

Release

Boolean

No

No

Whether to enable the policy.

Enabled by default after creation. Valid values:

  • true

  • false

RepeatType

String

No

No

Policy recurrence type.

Valid values:

  • Permanent (default): The policy is always in effect.

  • None: The policy takes effect for only once.

  • Daily: The policy takes effect on a daily basis.

  • Weekly: The policy takes effect on a weekly basis.

  • Monthly: The policy takes effect on a monthly basis.

StartTime

Integer

No

No

Start time of the policy validity period.

A timestamp in seconds. Must be on the hour or half hour, and at least 30 minutes before EndTime.

Note

If RepeatType is Permanent, StartTime is empty. For None, Daily, Weekly, or Monthly, StartTime must be specified.

RepeatEndTime

String

No

No

End time of the policy recurrence.

Example: 23:30. Must be on the hour or half hour, and at least 30 minutes after RepeatStartTime.

Note

If RepeatType is Permanent or None, RepeatEndTime is empty. For Daily, Weekly, or Monthly, RepeatEndTime must be specified.

DomainResolveType

String

No

No

Domain name resolution method.

Valid values:

  • 0: fully qualified domain name (FQDN)-based resolution

  • 1: Domain Name System (DNS)-based dynamic resolution

  • 2: FQDN-based resolution and DNS-based dynamic resolution

IpVersion

String

No

No

IP version of the Cloud Firewall-protected asset.

Valid values:

  • 4 (default): IPv4

  • 6: IPv6

RepeatDays

List

No

No

Days on which the policy takes effect.

  • If RepeatType is set to Permanent, None, or Daily, the value of RepeatDays is an empty list. Example: [].

  • If RepeatType is set to Weekly, RepeatDays must be specified. Example: [0, 6].

Note

RepeatDays values cannot be repeated if RepeatType is Weekly.

  • If RepeatType is set to Monthly, RepeatDays must be specified. Example: [1, 31].

Note

RepeatDays values cannot be repeated if RepeatType is Monthly.

EndTime

Integer

No

No

End time of the policy validity period.

A timestamp in seconds. Must be on the hour or half hour, and at least 30 minutes after StartTime.

Note

If RepeatType is Permanent, EndTime is empty. For None, Daily, Weekly, or Monthly, EndTime must be specified.

RepeatStartTime

String

No

No

Start time of the policy recurrence.

Example: 08:00. Must be on the hour or half hour, and at least 30 minutes before RepeatEndTime.

Note

If RepeatType is Permanent or None, RepeatStartTime is empty. For Daily, Weekly, or Monthly, RepeatStartTime must be specified.

ApplicationNameList

List

No

No

Application names.

None.

Location codes

Categories of location codes

Category

Code

Locations in China

ZD

Locations outside China

ZB

Codes of locations in China

Location

Code

Beijing

BJ11

Tianjin

TJ12

Hebei

HB13

Shanxi

SX14

Liaoning

LN21

Jilin

JL22

Shanghai

SH31

Jiangsu

JS32

Zhejiang

ZJ33

Anhui

AH34

Fujian

FJ35

Jiangxi

JX36

Shandong

SD37

Henan

HN41

Hubei

HB42

Hunan

HN43

Guangdong

GD44

Hainan

HN46

Chongqing

CQ50

Sichuan

SC51

Guizhou

GZ52

Yunnan

YN53

Shaanxi

SX61

Gansu

GS62

Qinghai

QH63

Heilongjiang

HLJ23

Xizang

XZ54

Guangxi

GX45

Inner Mongolia

NMG15

Ningxia

NX64

Xinjiang

XJ65

Taiwan (China)

TW

Hong Kong (China)

HK

Macao (China)

MO

Codes of locations outside China

Location

Code

Asia (except China)

ZC

Europe

EU

Africa

AF

North America

NA

South America

LA

Oceania

OA

Antarctica

AQ

Return values

Fn::GetAtt

AclUuid: unique ID of the access control policy.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Resources:
  ControlPolicy:
    Type: ALIYUN::CLOUDFW::ControlPolicy
    Properties:
      ApplicationName:
        Ref: ApplicationName
      DestPortType:
        Ref: DestPortType
      Direction:
        Ref: Direction
      AclAction:
        Ref: AclAction
      Description:
        Ref: Description
      Proto:
        Ref: Proto
      Destination:
        Ref: Destination
      Source:
        Ref: Source
      DestinationType:
        Ref: DestinationType
      NewOrder:
        Ref: NewOrder
      DestPortGroup:
        Ref: DestPortGroup
      DestPort:
        Ref: DestPort
      RegionId:
        Ref: RegionId
      SourceType:
        Ref: SourceType
Parameters:
  ApplicationName:
    Type: String
    Description: 'Application types supported by the security policy. The following
      types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP,
      VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy
      is applied to all types of applications.'
    AllowedValues:
    - ANY
    - HTTP
    - HTTPS
    - MQTT
    - Memcache
    - MongoDB
    - MySQL
    - RDP
    - Redis
    - SMTP
    - SMTPS
    - SSH
    - SSL
    - VNC
  DestPortType:
    Type: String
    Description: 'Security access control policy access destination port traffic type.
      port: Port group: port address book'
    AllowedValues:
    - group
    - port
  Direction:
    Type: String
    Description: 'Security access control traffic direction policies. in: internal
      and external traffic access control. out: within the flow of external access
      control'
    AllowedValues:
    - in
    - out
  AclAction:
    Type: String
    Description: 'Traffic access control policy set by the cloud of a firewall. accept:
      Release. drop: rejected. log: Observation'
    AllowedValues:
    - accept
    - drop
    - log
  Description:
    MinLength: 1
    Type: String
    Description: Security access control policy description information.
  Proto:
    Type: String
    Description: 'The type of security protocol for traffic access in the security
      access control policy. Can be set to ANY when you are not sure of the specific
      protocol type. Allowed values: ANY, TCP, UDP, ICMP'
    AllowedValues:
    - ANY
    - ICMP
    - TCP
    - UDP
  Destination:
    MinLength: 1
    Type: String
    Description: 'Security Access Control destination address policy. When DestinationType
      is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType
      as a group, Destination for the purpose of the address book name. For example:
      db_group. When DestinationType for the domain, Destination for the purpose of
      a domain name. For example:. * example.com. When DestinationType as location,
      Destination area for the purpose (see below position encoding specific regions).
      For example: [ "BJ11", "ZB"]'
  Source:
    MinLength: 1
    Type: String
    Description: 'Security access control source address policy. When SourceType for
      the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType
      as a group, Source name for the source address book. For example: db_group.
      When SourceType as location, Source source region (specific region position
      encoder see below). For example, [ "BJ11", "ZB"]'
  DestinationType:
    Type: String
    Description: 'Security Access Control destination address type of policy. net:
      Destination network segment (CIDR). group: destination address book. domain:
      The purpose domain. location: The purpose area'
    AllowedValues:
    - domain
    - group
    - location
    - net
  NewOrder:
    Type: Number
    Description: Security access control priority policy in force. Priority number
      increments sequentially from 1, lower the priority number, the higher the priority.
      Description -1 indicates the lowest priority.
    MinValue: -1
  DestPortGroup:
    Type: String
    Description: Security access control policy access traffic destination port address
      book name. Description DestPortType is group, set the item.
  DestPort:
    Type: String
    Description: Security access control policy access traffic destination port. Note
      When DestPortType to port, set the item.
  RegionId:
    Default: cn-hangzhou
    Type: String
    Description: Region ID. Default to cn-hangzhou.
    AllowedValues:
    - cn-hangzhou
    - ap-southeast-1
  SourceType:
    Type: String
    Description: 'Security access control source address type of policy. net: Source
      segment (CIDR). group: source address book. location: the source area'
    AllowedValues:
    - group
    - location
    - net
Outputs:
  AclUuid:
    Description: Security access control ID that uniquely identifies the policy.
    Value:
      Fn::GetAtt:
      - ControlPolicy
      - AclUuid

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "ControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::ControlPolicy",
      "Properties": {
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Direction": {
          "Ref": "Direction"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Description": {
          "Ref": "Description"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "Destination": {
          "Ref": "Destination"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "SourceType": {
          "Ref": "SourceType"
        }
      }
    }
  },
  "Parameters": {
    "ApplicationName": {
      "Type": "String",
      "Description": "Application types supported by the security policy. The following types of applications are supported: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE ANY indicates that the policy is applied to all types of applications.",
      "AllowedValues": [
        "ANY",
        "HTTP",
        "HTTPS",
        "MQTT",
        "Memcache",
        "MongoDB",
        "MySQL",
        "RDP",
        "Redis",
        "SMTP",
        "SMTPS",
        "SSH",
        "SSL",
        "VNC"
      ]
    },
    "DestPortType": {
      "Type": "String",
      "Description": "Security access control policy access destination port traffic type. port: Port group: port address book",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Direction": {
      "Type": "String",
      "Description": "Security access control traffic direction policies. in: internal and external traffic access control. out: within the flow of external access control",
      "AllowedValues": [
        "in",
        "out"
      ]
    },
    "AclAction": {
      "Type": "String",
      "Description": "Traffic access control policy set by the cloud of a firewall. accept: Release. drop: rejected. log: Observation",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Description": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security access control policy description information."
    },
    "Proto": {
      "Type": "String",
      "Description": "The type of security protocol for traffic access in the security access control policy. Can be set to ANY when you are not sure of the specific protocol type. Allowed values: ANY, TCP, UDP, ICMP",
      "AllowedValues": [
        "ANY",
        "ICMP",
        "TCP",
        "UDP"
      ]
    },
    "Destination": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security Access Control destination address policy. When DestinationType is net, Destination purpose CIDR. For example: 192.168.XX.XX/24. When DestinationType as a group, Destination for the purpose of the address book name. For example: db_group. When DestinationType for the domain, Destination for the purpose of a domain name. For example:. * example.com. When DestinationType as location, Destination area for the purpose (see below position encoding specific regions). For example: [ \"BJ11\", \"ZB\"]"
    },
    "Source": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Security access control source address policy. When SourceType for the net, Source is the source CIDR. For example: 192.168.XX.XX/24. When SourceType as a group, Source name for the source address book. For example: db_group. When SourceType as location, Source source region (specific region position encoder see below). For example, [ \"BJ11\", \"ZB\"]"
    },
    "DestinationType": {
      "Type": "String",
      "Description": "Security Access Control destination address type of policy. net: Destination network segment (CIDR). group: destination address book. domain: The purpose domain. location: The purpose area",
      "AllowedValues": [
        "domain",
        "group",
        "location",
        "net"
      ]
    },
    "NewOrder": {
      "Type": "Number",
      "Description": "Security access control priority policy in force. Priority number increments sequentially from 1, lower the priority number, the higher the priority. Description -1 indicates the lowest priority.",
      "MinValue": -1
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "Security access control policy access traffic destination port address book name. Description DestPortType is group, set the item."
    },
    "DestPort": {
      "Type": "String",
      "Description": "Security access control policy access traffic destination port. Note When DestPortType to port, set the item."
    },
    "RegionId": {
      "Default": "cn-hangzhou",
      "Type": "String",
      "Description": "Region ID. Default to cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ]
    },
    "SourceType": {
      "Type": "String",
      "Description": "Security access control source address type of policy. net: Source segment (CIDR). group: source address book. location: the source area",
      "AllowedValues": [
        "group",
        "location",
        "net"
      ]
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "Security access control ID that uniquely identifies the policy.",
      "Value": {
        "Fn::GetAtt": [
          "ControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}