ALIYUN::ENS::NetworkAcl

The ALIYUN::ENS::NetworkAcl type is used to create a network ACL rule.

Syntax

{
  "Type": "ALIYUN::ENS::NetworkAcl",
  "Properties": {
    "AclEntries": List,
    "Description": String,
    "NetworkAclName": String
  }
}

Properties

| Property | Type | Required | Update allowed | Description | Constraint |
|---|---|---|---|---|---|
| AclEntries | List | | | List of ACL rules. | At most 40 ACL rules can be configured. For more information, see AclEntries properties. |
| Description | String | | | Description of the network ACL. | 1 to 256 characters in length; cannot start with http:// or https://. |
| NetworkAclName | String | | | Name of the network ACL. | 1 to 128 characters in length; cannot start with http:// or https://. |

AclEntries syntax

"AclEntries": [
  {
    "Policy": String,
    "PortRange": String,
    "Description": String,
    "Priority": Integer,
    "CidrBlock": String,
    "Protocol": String,
    "NetworkAclEntryName": String,
    "Direction": String
  }
]

AclEntries properties

| Property | Type | Required | Update allowed | Description | Constraint |
|---|---|---|---|---|---|
| CidrBlock | String | | | Source CIDR block. | |
| Direction | String | | | Rule direction. | Valid values: ingress (inbound), egress (outbound). |
| Policy | String | | | Authorization policy. | Valid values: accept (allow), drop (deny). |
| PortRange | String | | | Port range. | When Protocol is all or icmp, the port range must be -1/-1, meaning ports are not restricted. When Protocol is tcp or udp, ports are 1 to 65535 in the format low/high, for example 1/200 (ports 1 to 200) or 80/80 (port 80). |
| Priority | Integer | | | Rule priority. | Valid values: 1 to 100. Default value: 1. |
| Protocol | String | | | Protocol type. | Valid values: icmp (Internet Control Message Protocol), tcp (Transmission Control Protocol), udp (User Datagram Protocol), all (all protocols). |
| Description | String | | | Description of the network ACL. | 1 to 256 characters in length; cannot start with http:// or https://. |
| NetworkAclEntryName | String | | | Name of the rule entry. | 1 to 128 characters in length; cannot start with http:// or https://. |
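The constraints in the two property tables above are easy to get wrong in a hand-written template (the PortRange format depends on Protocol, Priority has a fixed range, names must not look like URLs), and ROS only reports them at deployment time. The following offline linter is an added example, not code from the ROS documentation or from any Alibaba Cloud tool: it checks a list of AclEntries against exactly the documented constraints and, going one step beyond the tables, flags accept rules that admit any source on all protocols and ports, which the documentation permits but a reviewer would want surfaced. The sample entries are constructed for the example.

```python
"""Offline linter for ALIYUN::ENS::NetworkAcl AclEntries (added example).

Checks the constraints documented in the AclEntries property table: entry
count, Policy, Direction, Protocol, PortRange format per protocol, Priority
range, CidrBlock syntax, and the name/description length and prefix rules.
"""
import ipaddress
import re

MAX_ENTRIES = 40                      # documented limit for AclEntries
PORT_RANGE_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")   # low/high, e.g. 1/200


def _check_text(value, max_len, field, findings):
    """Name/description rule: 1..max_len chars, must not start with http:// or https://."""
    if value is None:
        return
    if not 1 <= len(value) <= max_len:
        findings.append(f"{field}: length must be 1-{max_len}, got {len(value)}")
    if value.startswith(("http://", "https://")):
        findings.append(f"{field}: must not start with http:// or https://")


def _check_port_range(entry, findings):
    """PortRange depends on Protocol: -1/-1 for all/icmp, low/high in 1..65535 for tcp/udp."""
    protocol = entry.get("Protocol")
    port_range = entry.get("PortRange", "")
    if protocol in ("all", "icmp"):
        if port_range != "-1/-1":
            findings.append(f"PortRange: must be -1/-1 when Protocol is {protocol}, got {port_range!r}")
        return
    m = PORT_RANGE_RE.match(port_range)
    if not m:
        findings.append(f"PortRange: expected low/high such as 1/200 or 80/80, got {port_range!r}")
        return
    low, high = int(m.group(1)), int(m.group(2))
    if not (1 <= low <= high <= 65535):
        findings.append(f"PortRange: ports must satisfy 1 <= low <= high <= 65535, got {port_range}")


def lint_entry(entry):
    """Return a list of findings (strings) for one AclEntries element; empty means clean."""
    findings = []
    if entry.get("Policy") not in ("accept", "drop"):
        findings.append(f"Policy: must be accept or drop, got {entry.get('Policy')!r}")
    if entry.get("Direction") not in ("ingress", "egress"):
        findings.append(f"Direction: must be ingress or egress, got {entry.get('Direction')!r}")
    if entry.get("Protocol") not in ("icmp", "tcp", "udp", "all"):
        findings.append(f"Protocol: must be icmp, tcp, udp or all, got {entry.get('Protocol')!r}")
    else:
        _check_port_range(entry, findings)
    priority = entry.get("Priority", 1)   # documented default is 1
    if not isinstance(priority, int) or not 1 <= priority <= 100:
        findings.append(f"Priority: must be an integer 1-100, got {priority!r}")
    try:
        net = ipaddress.ip_network(entry.get("CidrBlock", ""), strict=False)
    except ValueError:
        findings.append(f"CidrBlock: not a valid CIDR, got {entry.get('CidrBlock')!r}")
        net = None
    _check_text(entry.get("NetworkAclEntryName"), 128, "NetworkAclEntryName", findings)
    _check_text(entry.get("Description"), 256, "Description", findings)
    # Risk finding beyond the documented constraints: an accept rule for any source on
    # all protocols and all ports is equivalent to having no ACL at all.
    if (entry.get("Policy") == "accept" and net is not None and net.prefixlen == 0
            and entry.get("Protocol") == "all"):
        findings.append("RISK: accept rule for 0.0.0.0/0 on all protocols and ports")
    return findings


def lint_acl_entries(entries):
    """Lint a whole AclEntries list; returns {index_or_'_list': [findings]} for problems only."""
    report = {}
    if len(entries) > MAX_ENTRIES:
        report["_list"] = [f"AclEntries: at most {MAX_ENTRIES} rules allowed, got {len(entries)}"]
    for i, entry in enumerate(entries):
        found = lint_entry(entry)
        if found:
            report[i] = found
    return report


# Constructed sample entries for this example (not taken from the documentation).
SAMPLE_ENTRIES = [
    {"Policy": "accept", "Direction": "ingress", "Protocol": "tcp", "PortRange": "443/443",
     "CidrBlock": "10.0.0.0/8", "Priority": 1, "NetworkAclEntryName": "allow-https"},
    {"Policy": "drop", "Direction": "ingress", "Protocol": "all", "PortRange": "-1/-1",
     "CidrBlock": "0.0.0.0/0", "Priority": 100, "NetworkAclEntryName": "deny-rest"},
    {"Policy": "accept", "Direction": "ingress", "Protocol": "tcp", "PortRange": "1/20080/80",
     "CidrBlock": "0.0.0.0/0", "Priority": 0, "NetworkAclEntryName": "http://bad"},
    {"Policy": "accept", "Direction": "egress", "Protocol": "all", "PortRange": "-1/-1",
     "CidrBlock": "0.0.0.0/0", "Priority": 2},
]

if __name__ == "__main__":
    for idx, findings in lint_acl_entries(SAMPLE_ENTRIES).items():
        for f in findings:
            print(f"entry {idx}: {f}")
```

Entries 0 and 1 pass; entry 2 produces three findings (a malformed PortRange, an out-of-range Priority, and a name starting with http://), and entry 3 passes the documented constraints but is reported as a risk. Running the linter over the `AclEntries` parameter value before `ros-cfn` or console deployment catches these at review time rather than at stack creation.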

Return values

Fn::GetAtt

NetworkAclId: the ID of the network ACL of the associated resource.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AclEntries:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: |-
              The action that is performed on network traffic that matches the rule. Valid values: 
              accept: allows network traffic.
              drop: blocks network traffic.
          AllowedValues:
            - accept
            - drop
          Required: true
        PortRange:
          Type: String
          Description:
            en: The port range.If you set Protocol to all or icmp, set this parameter to -1/-1, which specifies all ports.If you set Protocol to tcp or udp, the port can be 1 to 65535. You can set this parameter to 1/200 or 80/80, which specifies ports 1 to 200 or port 80.
          Required: true
        Description:
          AssociationProperty: TextArea
          Type: String
          Description:
            en: The description of the network ACL. The description must be 1 to 256 characters in length and cannot start with http:// or https://.
          Required: false
        Priority:
          Type: Number
          Description:
            en: 'The priority of the rule. Valid values: 1 to 100. Default value: 1.'
          Required: true
          MinValue: 1
          MaxValue: 100
        CidrBlock:
          Type: String
          Description:
            en: The source CIDR block.
          Required: true
        NetworkAclEntryName:
          Type: String
          Description:
            en: The name of the rule. The name must be 1 to 128 characters in length and cannot start with http:// or https://.
          Required: false
        Protocol:
          Type: String
          Description:
            en: |-
              The protocol. Valid values: icmp: ICMP
              tcp: TCP
              udp: UDP
              all: all protocols
          AllowedValues:
            - icmp
            - tcp
            - udp
            - all
          Required: true
        Direction:
          Type: String
          Description:
            en: |-
              Specifies whether the ACL rule controls inbound or outbound access requests. Valid values: 
              ingress
              egress
          AllowedValues:
            - ingress
            - egress
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: The entry of Network ACL.
    Required: false
    MaxLength: 40
  NetworkAclName:
    Type: String
    Description:
      en: |-
        Enter a name for the network ACL.
        The name must be 1 to 128 characters in length and cannot start with http:// or https://.
    Required: false
Resources:
  NetworkAcl:
    Type: ALIYUN::ENS::NetworkAcl
    Properties:
      AclEntries:
        Ref: AclEntries
      NetworkAclName:
        Ref: NetworkAclName
Outputs:
  NetworkAclId:
    Description: The ID of the network ACL.
    Value:
      Fn::GetAtt:
        - NetworkAcl
        - NetworkAclId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "AclEntries": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "The action that is performed on network traffic that matches the rule. Valid values: \naccept: allows network traffic.\ndrop: blocks network traffic."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": true
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "The port range.If you set Protocol to all or icmp, set this parameter to -1/-1, which specifies all ports.If you set Protocol to tcp or udp, the port can be 1 to 65535. You can set this parameter to 1/200 or 80/80, which specifies ports 1 to 200 or port 80."
            },
            "Required": true
          },
          "Description": {
            "AssociationProperty": "TextArea",
            "Type": "String",
            "Description": {
              "en": "The description of the network ACL. The description must be 1 to 256 characters in length and cannot start with http:// or https://."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "The priority of the rule. Valid values: 1 to 100. Default value: 1."
            },
            "Required": true,
            "MinValue": 1,
            "MaxValue": 100
          },
          "CidrBlock": {
            "Type": "String",
            "Description": {
              "en": "The source CIDR block."
            },
            "Required": true
          },
          "NetworkAclEntryName": {
            "Type": "String",
            "Description": {
              "en": "The name of the rule. The name must be 1 to 128 characters in length and cannot start with http:// or https://."
            },
            "Required": false
          },
          "Protocol": {
            "Type": "String",
            "Description": {
              "en": "The protocol. Valid values: icmp: ICMP\ntcp: TCP\nudp: UDP\nall: all protocols"
            },
            "AllowedValues": [
              "icmp",
              "tcp",
              "udp",
              "all"
            ],
            "Required": true
          },
          "Direction": {
            "Type": "String",
            "Description": {
              "en": "Specifies whether the ACL rule controls inbound or outbound access requests. Valid values: \ningress\negress"
            },
            "AllowedValues": [
              "ingress",
              "egress"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "The entry of Network ACL."
      },
      "Required": false,
      "MaxLength": 40
    },
    "NetworkAclName": {
      "Type": "String",
      "Description": {
        "en": "Enter a name for the network ACL.\nThe name must be 1 to 128 characters in length and cannot start with http:// or https://."
      },
      "Required": false
    }
  },
  "Resources": {
    "NetworkAcl": {
      "Type": "ALIYUN::ENS::NetworkAcl",
      "Properties": {
        "AclEntries": {
          "Ref": "AclEntries"
        },
        "NetworkAclName": {
          "Ref": "NetworkAclName"
        }
      }
    }
  },
  "Outputs": {
    "NetworkAclId": {
      "Description": "The ID of the network ACL.",
      "Value": {
        "Fn::GetAtt": [
          "NetworkAcl",
          "NetworkAclId"
        ]
      }
    }
  }
}