ALIYUN::ECS::SecurityGroupEgresses

ALIYUN::ECS::SecurityGroupEgresses类型用于给安全组批量绑定多条出方向的访问规则。

语法

{
  "Type": "ALIYUN::ECS::SecurityGroupEgresses",
  "Properties": {
    "SecurityGroupId": String,
    "Permissions": List
  }
}

属性

属性名称

类型

必须

允许更新

描述

约束

Permissions

List

设置安全组出方向访问规则列表属性。

最多支持添加100个规则属性。更多信息,请参见Permissions属性

SecurityGroupId

String

源端安全组ID。

Permissions语法

"Permissions": [
  {
    "Policy": String,
    "Description": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "Ipv6SourceCidrIp": String,
    "NicType": String,
    "DestGroupId": String,
    "PortRange": String,
    "DestGroupOwnerAccount": String,
    "DestPrefixListId": String,
    "SourceCidrIp": String,
    "DestGroupOwnerId": String,
    "IpProtocol": String,
    "DestCidrIp": String,
    "Ipv6DestCidrIp": String
  }
]

Permissions属性

属性名称

类型

必须

允许更新

描述

约束

IpProtocol

String

传输层协议。

取值:

  • tcp

  • udp

  • icmp

  • gre

  • all:同时支持四种协议。

PortRange

String

目的端安全组开放的传输层协议相关的端口范围。

取值:

  • TCP/UDP协议:1~65535。使用正斜线(/)隔开起始端口和终止端口。正确示例:1/200;错误示例:200/1。

  • ICMP协议:-1/-1。

  • GRE协议:-1/-1。

  • all:-1/-1。

Description

String

安全组规则的描述信息。

长度为1~512个字符。

DestCidrIp

String

目的端IP地址范围。

支持IPv4格式的IP地址范围。

DestGroupId

String

需要设置访问权限的目的端安全组ID。

至少设置DestGroupId或者DestCidrIp其中一项。

如果指定DestGroupId,但未指定DestCidrIp,则NicType取值为intranet。

如果同时指定DestGroupId和DestCidrIp,则以DestCidrIp的设置为准。

DestGroupOwnerAccount

String

目的端安全组所属的阿里云账户邮箱。

示例:T***@example.com

DestGroupOwnerId

String

跨账户设置安全组规则时,目的端安全组所属的阿里云账号ID。

如果DestGroupOwnerId未设置,则认为是设置您其他安全组的访问权限。如果您已经设置DestCidrIp,则DestGroupOwnerId的设置无效。

DestPrefixListId

String

需要设置出方向访问权限的目的端前缀列表ID。

您可以调用DescribePrefixLists查询可用的前缀列表ID。

当安全组的网络类型为经典网络时,不支持设置前缀列表。更多信息,请参见安全组

当您指定了DestCidrIp、Ipv6DestCidrIp或DestGroupId参数中的任意一个时,将忽略该参数。

Ipv6DestCidrIp

String

目的端IPv6 CIDR地址段。

支持CIDR格式和IPv6格式的IP地址范围,且仅支持VPC类型的IP地址。

Ipv6SourceCidrIp

String

源端IPv6 CIDR地址段。

支持CIDR格式和IPv6格式的IP地址范围。仅支持VPC类型的IP地址。

NicType

String

网络类型。

取值:

  • internet(默认值):公网网卡。

  • intranet:内网网卡。

当设置安全组之间互相访问时,即指定DestGroupId但未指定DestCidrIp时,该参数取值为intranet。

Policy

String

设置访问权限。

取值:

  • accept(默认值):接受访问。

  • drop:拒绝访问。

Priority

Integer

安全组规则优先级。

取值范围:1~100。

默认值:1。

SourceCidrIp

String

源端IPv4地址范围。

仅支持IPv4格式的IP地址范围。

SourcePortRange

String

源端安全组开放的传输层协议相关的端口范围。

取值:

  • TCP/UDP协议:1~65535。使用正斜线(/)隔开起始端口和终止端口。正确示例:1/200;错误示例:200/1。

  • ICMP协议:-1/-1。

  • GRE协议:-1/-1。

  • all:-1/-1。

返回值

Fn::GetAtt

示例

YAML格式

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupId:
    AssociationPropertyMetadata:
      VpcId: ${VpcId}
    AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
    Type: String
    Description:
      en: Id of the security group.
    Required: true
  Permissions:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        Description:
          AssociationProperty: TextArea
          Type: String
          Description:
            en: Description of the security group rule, [1, 512] characters. The default is empty.
          Required: false
          MinLength: 1
          MaxLength: 512
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        Ipv6SourceCidrIp:
          Type: String
          Description:
            en: |-
              Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.
              Note Only VPC type IP addresses are supported.
          Required: false
        NicType:
          Type: String
          Description:
            en: Network type, could be 'internet' or 'intranet'. Default value is internet.
          AllowedValues:
            - internet
            - intranet
          Required: false
        DestGroupId:
          Type: String
          Description:
            en: |-
              The destination security group ID to which access permissions need to be set.
              Set at least one of the DestGroupId, DestCidrIp, Ipv6DestCidrIp, or DestPrefixListId parameters.
              - If DestGroupId is specified without the DestCidrIp parameter, the NicType parameter can only take the value intranet.
              - If both DestGroupId and DestCidrIp are specified, DestCidrIp is assumed to prevail.
              You should pay attention to:
              - Enterprise Security groups do not support authorized security group access.
              - The maximum number of authorized security groups supported by ordinary security groups is 20.
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        DestGroupOwnerAccount:
          Type: String
          Description:
            en: |-
              When setting security group rules across accounts, the Ali cloud account to which the destination security group belongs.
              - If neither DestGroupOwnerAccount nor DestGroupOwnerId is set, it is considered to set access permissions for your other security group.
              - If the parameter DestCidrIp has been set, the parameter DestGroupOwnerAccount is invalid.
          Required: false
        DestPrefixListId:
          Type: String
          Description:
            en: |-
              The ID of the destination prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.Take note of the following items:
              If a security group is in the classic network, you cannot configure prefix lists in the security group rules. For information about the limits on security groups and prefix lists, see the "Security group limits" in Limits.
              If you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, DestPrefixListId is ignored.
          Required: false
        SourceCidrIp:
          Type: String
          Description:
            en: The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
          Required: false
        DestGroupOwnerId:
          Type: String
          Description:
            en: |-
              When setting security group rules across accounts, the Ali Cloud account ID of the destination security group.
              - If neither DestGroupOwnerId nor DestGroupOwnerAccount is set, it is considered to set the access rights of your other security group.
              - If you have set the parameter DestCidrIp, the parameter DestGroupOwnerId is invalid.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
            - icmpv6
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
          Required: false
        Ipv6DestCidrIp:
          Type: String
          Description:
            en: Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: A list of security group rules. A hundred at most.
    Required: true
    MaxLength: 100
Resources:
  SecurityGroupEgresses:
    Type: ALIYUN::ECS::SecurityGroupEgresses
    Properties:
      SecurityGroupId:
        Ref: SecurityGroupId
      Permissions:
        Ref: Permissions

JSON格式

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupId": {
      "AssociationPropertyMetadata": {
        "VpcId": "${VpcId}"
      },
      "AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId",
      "Type": "String",
      "Description": {
        "en": "Id of the security group."
      },
      "Required": true
    },
    "Permissions": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "Description": {
            "AssociationProperty": "TextArea",
            "Type": "String",
            "Description": {
              "en": "Description of the security group rule, [1, 512] characters. The default is empty."
            },
            "Required": false,
            "MinLength": 1,
            "MaxLength": 512
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "Ipv6SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
            },
            "Required": false
          },
          "NicType": {
            "Type": "String",
            "Description": {
              "en": "Network type, could be 'internet' or 'intranet'. Default value is internet."
            },
            "AllowedValues": [
              "internet",
              "intranet"
            ],
            "Required": false
          },
          "DestGroupId": {
            "Type": "String",
            "Description": {
              "en": "The destination security group ID to which access permissions need to be set.\nSet at least one of the DestGroupId, DestCidrIp, Ipv6DestCidrIp, or DestPrefixListId parameters.\n- If DestGroupId is specified without the DestCidrIp parameter, the NicType parameter can only take the value intranet.\n- If both DestGroupId and DestCidrIp are specified, DestCidrIp is assumed to prevail.\nYou should pay attention to:\n- Enterprise Security groups do not support authorized security group access.\n- The maximum number of authorized security groups supported by ordinary security groups is 20."
            },
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "DestGroupOwnerAccount": {
            "Type": "String",
            "Description": {
              "en": "When setting security group rules across accounts, the Ali cloud account to which the destination security group belongs.\n- If neither DestGroupOwnerAccount nor DestGroupOwnerId is set, it is considered to set access permissions for your other security group.\n- If the parameter DestCidrIp has been set, the parameter DestGroupOwnerAccount is invalid."
            },
            "Required": false
          },
          "DestPrefixListId": {
            "Type": "String",
            "Description": {
              "en": "The ID of the destination prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists.Take note of the following items:\nIf a security group is in the classic network, you cannot configure prefix lists in the security group rules. For information about the limits on security groups and prefix lists, see the \"Security group limits\" in Limits.\nIf you specify DestCidrIp, Ipv6DestCidrIp, or DestGroupId, DestPrefixListId is ignored."
            },
            "Required": false
          },
          "SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
            },
            "Required": false
          },
          "DestGroupOwnerId": {
            "Type": "String",
            "Description": {
              "en": "When setting security group rules across accounts, the Ali Cloud account ID of the destination security group.\n- If neither DestGroupOwnerId nor DestGroupOwnerAccount is set, it is considered to set the access rights of your other security group.\n- If you have set the parameter DestCidrIp, the parameter DestGroupOwnerId is invalid."
            },
            "Required": false
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all",
              "icmpv6"
            ],
            "Required": true
          },
          "DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
            },
            "Required": false
          },
          "Ipv6DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported."
            },
            "Required": false
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "A list of security group rules. A hundred at most."
      },
      "Required": true,
      "MaxLength": 100
    }
  },
  "Resources": {
    "SecurityGroupEgresses": {
      "Type": "ALIYUN::ECS::SecurityGroupEgresses",
      "Properties": {
        "SecurityGroupId": {
          "Ref": "SecurityGroupId"
        },
        "Permissions": {
          "Ref": "Permissions"
        }
      }
    }
  }
}