The ALIYUN::CLOUDFW::VpcFirewallCen type is used to create a VPC firewall (a firewall on the border of a VPC that is attached to a Cloud Enterprise Network instance).
Syntax
{
  "Type": "ALIYUN::CLOUDFW::VpcFirewallCen",
  "Properties": {
    "CenId": String,
    "FirewallVpcZoneId": String,
    "FirewallSwitch": String,
    "NetworkInstanceId": String,
    "VpcRegion": String,
    "VpcFirewallName": String,
    "FirewallVSwitchCidrBlock": String,
    "FirewallVpcCidrBlock": String,
    "MemberUid": String,
    "VSwitchId": String
  }
}
Properties
Property | Type | Required | Editable | Description | Constraint |
--- | --- | --- | --- | --- | --- |
CenId | String | Yes | No | The ID of the Cloud Enterprise Network (CEN) instance. | None |
FirewallVpcZoneId | String | Yes | No | The ID of the zone to which the firewall vSwitch belongs. | If your workloads are latency-sensitive, you can place the firewall vSwitch in the same zone as the vSwitch of your business VPC to reduce latency. If you leave this parameter empty, a zone for the vSwitch is assigned automatically. Note: this parameter takes effect only the first time a VPC firewall is created for this CEN instance in this region. For the zones available in each region, see DescribeZones. |
FirewallSwitch | String | Yes | Yes | Specifies whether the VPC firewall is enabled. | Valid values: open (the VPC firewall is enabled automatically after it is created; this is the default value) and close (the VPC firewall is disabled after it is created; you can call the ModifyVpcFirewallCenSwitchStatus operation to enable it manually). |
NetworkInstanceId | String | Yes | No | The ID of the VPC for which the VPC firewall is created. | None |
VpcRegion | String | Yes | No | The ID of the region to which the VPC for which the VPC firewall is created belongs. | Note: for the regions supported by Cloud Firewall, see Supported regions. |
VpcFirewallName | String | Yes | Yes | The instance name of the VPC firewall. | None |
FirewallVSwitchCidrBlock | String | No | No | The CIDR block of the vSwitch used by the firewall. | Specify a CIDR block whose subnet mask is no longer than 29 bits and that does not conflict with your network plan. It is used to automatically create the vSwitch (Cloud_Firewall_VSWITCH) in the firewall security VPC through which traffic is redirected for inspection. The vSwitch CIDR block must be a subnet of the firewall VPC CIDR block. If you leave this parameter empty, the CIDR block 10.219.219.216/29 is assigned by default. Note: this parameter takes effect only the first time a VPC firewall is created for this CEN instance in this region. |
FirewallVpcCidrBlock | String | No | No | The CIDR block of the VPC used by the firewall. | Specify a CIDR block whose subnet mask is no longer than 28 bits. It is used to automatically create the firewall security VPC (Cloud_Firewall_VPC) through which traffic is redirected for inspection. If you leave this parameter empty, the CIDR block 10.0.0.0/8 is assigned by default. Note: this parameter takes effect only the first time a VPC firewall is created for this CEN instance in this region. |
MemberUid | String | No | No | The UID of the member account that belongs to the current Alibaba Cloud account. | None |
VSwitchId | String | No | No | The ID of the vSwitch to which the Cloud Firewall interface belongs. | None |
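As an added pre-deployment check that is not part of the ROS documentation or the Cloud Firewall service, the following Python function validates a VpcFirewallCen Properties block against the constraints in the table above: required properties, the FirewallSwitch values, the 28-bit and 29-bit mask limits, the rule that the vSwitch block must be a subnet of the firewall VPC block, and conflicts with your own network plan. The `planned_cidrs` parameter is a hypothetical helper input, and the sample values used with it are constructed for illustration.

```python
import ipaddress

# Constraints taken from the property table of ALIYUN::CLOUDFW::VpcFirewallCen.
REQUIRED = ("CenId", "FirewallVpcZoneId", "FirewallSwitch",
            "NetworkInstanceId", "VpcRegion", "VpcFirewallName")
ALLOWED_SWITCH = ("open", "close")
DEFAULT_VPC_CIDR = "10.0.0.0/8"             # used when FirewallVpcCidrBlock is omitted
DEFAULT_VSWITCH_CIDR = "10.219.219.216/29"  # used when FirewallVSwitchCidrBlock is omitted
MAX_VPC_PREFIX = 28      # VPC subnet mask no longer than 28 bits
MAX_VSWITCH_PREFIX = 29  # vSwitch subnet mask no longer than 29 bits


def check_vpc_firewall_props(props, planned_cidrs=()):
    """Return a list of problems found in a VpcFirewallCen Properties dict.

    planned_cidrs (hypothetical helper input, not a template property) lists CIDR
    blocks already used in your network plan; the firewall vSwitch block must not
    overlap any of them. An empty result means every constraint is satisfied.
    """
    problems = []
    for key in REQUIRED:
        if not props.get(key):
            problems.append(f"missing required property {key}")
    if props.get("FirewallSwitch") not in ALLOWED_SWITCH:
        problems.append("FirewallSwitch must be 'open' or 'close'")

    # Apply the documented defaults, then validate the two CIDR blocks together.
    # ip_network() is strict by default and rejects blocks with host bits set.
    try:
        vpc = ipaddress.ip_network(props.get("FirewallVpcCidrBlock", DEFAULT_VPC_CIDR))
        vsw = ipaddress.ip_network(props.get("FirewallVSwitchCidrBlock", DEFAULT_VSWITCH_CIDR))
    except ValueError as exc:
        return problems + [f"invalid CIDR block: {exc}"]
    if vpc.prefixlen > MAX_VPC_PREFIX:
        problems.append(f"FirewallVpcCidrBlock {vpc} mask is longer than /{MAX_VPC_PREFIX}")
    if vsw.prefixlen > MAX_VSWITCH_PREFIX:
        problems.append(f"FirewallVSwitchCidrBlock {vsw} mask is longer than /{MAX_VSWITCH_PREFIX}")
    if vsw.version != vpc.version or not vsw.subnet_of(vpc):
        # Catches the easy mistake of setting a custom firewall VPC block while
        # leaving the vSwitch block at its 10.219.219.216/29 default.
        problems.append(f"vSwitch block {vsw} is not a subnet of firewall VPC block {vpc}")
    for cidr in planned_cidrs:
        if vsw.overlaps(ipaddress.ip_network(cidr)):
            problems.append(f"vSwitch block {vsw} conflicts with planned network {cidr}")
    return problems
```

Run it against the Properties of each VpcFirewallCen resource before deploying the stack; a non-empty list is the set of constraint violations ROS would otherwise surface only at creation time.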
Return values
Fn::GetAtt
VpcFirewallId: the instance ID of the VPC firewall.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  NetworkInstanceId:
    Type: String
    Description:
      en: The ID of the VPC for which you want to create the VPC firewall.
    Required: true
    AssociationProperty: ALIYUN::ECS::VPC::VPCId
  VSwitchId:
    AssociationPropertyMetadata:
      VpcId: ${NetworkInstanceId}
    AssociationProperty: ALIYUN::VPC::VSwitch::VSwitchId
    Type: String
    Description:
      en: The ID of the vSwitch that is used to associate with the elastic network interface (ENI) required by the VPC firewall.
    Required: false
  CenId:
    Type: String
    Description:
      en: The ID of the CEN instance.
    AssociationProperty: ALIYUN::CEN::Instance::CenId
    Required: true
  VpcFirewallName:
    Type: String
    Description:
      en: The instance name of the VPC firewall.
    Required: true
  FirewallSwitch:
    Type: String
    Description:
      en: |-
        Specifies whether to enable the VPC firewall. Valid values:
        open: After you create the VPC firewall, the VPC firewall is automatically enabled. This is the default value.
        close: After you create the VPC firewall, the VPC firewall is disabled. You can call the ModifyVpcFirewallCenSwitchStatus operation to manually enable the VPC firewall.
    AllowedValues:
      - open
      - close
    Required: true
    Default: open
Resources:
  ExtensionResource:
    Type: ALIYUN::CLOUDFW::VpcFirewallCen
    Properties:
      NetworkInstanceId:
        Ref: NetworkInstanceId
      VSwitchId:
        Ref: VSwitchId
      CenId:
        Ref: CenId
      VpcRegion:
        Ref: ALIYUN::Region
      FirewallVpcZoneId:
        Fn::Select:
          - '0'
          - Fn::GetAZs:
              Ref: ALIYUN::Region
      VpcFirewallName:
        Ref: VpcFirewallName
      FirewallSwitch:
        Ref: FirewallSwitch
Outputs:
  VpcFirewallId:
    Description: The instance ID of the VPC firewall.
    Value:
      Fn::GetAtt:
        - ExtensionResource
        - VpcFirewallId
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "NetworkInstanceId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the VPC for which you want to create the VPC firewall."
      },
      "Required": true,
      "AssociationProperty": "ALIYUN::ECS::VPC::VPCId"
    },
    "VSwitchId": {
      "AssociationPropertyMetadata": {
        "VpcId": "${NetworkInstanceId}"
      },
      "AssociationProperty": "ALIYUN::VPC::VSwitch::VSwitchId",
      "Type": "String",
      "Description": {
        "en": "The ID of the vSwitch that is used to associate with the elastic network interface (ENI) required by the VPC firewall."
      },
      "Required": false
    },
    "CenId": {
      "Type": "String",
      "Description": {
        "en": "The ID of the CEN instance."
      },
      "AssociationProperty": "ALIYUN::CEN::Instance::CenId",
      "Required": true
    },
    "VpcFirewallName": {
      "Type": "String",
      "Description": {
        "en": "The instance name of the VPC firewall."
      },
      "Required": true
    },
    "FirewallSwitch": {
      "Type": "String",
      "Description": {
        "en": "Specifies whether to enable the VPC firewall. Valid values:\nopen: After you create the VPC firewall, the VPC firewall is automatically enabled. This is the default value.\nclose: After you create the VPC firewall, the VPC firewall is disabled. You can call the ModifyVpcFirewallCenSwitchStatus operation to manually enable the VPC firewall."
      },
      "AllowedValues": [
        "open",
        "close"
      ],
      "Required": true,
      "Default": "open"
    }
  },
  "Resources": {
    "ExtensionResource": {
      "Type": "ALIYUN::CLOUDFW::VpcFirewallCen",
      "Properties": {
        "NetworkInstanceId": {
          "Ref": "NetworkInstanceId"
        },
        "VSwitchId": {
          "Ref": "VSwitchId"
        },
        "CenId": {
          "Ref": "CenId"
        },
        "VpcRegion": {
          "Ref": "ALIYUN::Region"
        },
        "FirewallVpcZoneId": {
          "Fn::Select": [
            "0",
            {
              "Fn::GetAZs": {
                "Ref": "ALIYUN::Region"
              }
            }
          ]
        },
        "VpcFirewallName": {
          "Ref": "VpcFirewallName"
        },
        "FirewallSwitch": {
          "Ref": "FirewallSwitch"
        }
      }
    }
  },
  "Outputs": {
    "VpcFirewallId": {
      "Description": "The instance ID of the VPC firewall.",
      "Value": {
        "Fn::GetAtt": [
          "ExtensionResource",
          "VpcFirewallId"
        ]
      }
    }
  }
}