ALIYUN::ENS::SecurityGroup

The ALIYUN::ENS::SecurityGroup type is used to create a security group.

Syntax

{
  "Type": "ALIYUN::ENS::SecurityGroup",
  "Properties": {
    "Description": String,
    "SecurityGroupName": String,
    "SecurityGroupIngress": List,
    "SecurityGroupEgress": List
  }
}

Properties

Property | Type | Required | Update allowed | Description | Constraints
Description | String | | | Description of the security group. | 2 to 256 characters in length. Must start with a letter or a Chinese character, and cannot start with http:// or https://.
SecurityGroupEgress | List | | | List of outbound (egress) rules of the security group. | For more information, see SecurityGroupEgress properties.
SecurityGroupIngress | List | | | List of inbound (ingress) rules of the security group. | For more information, see SecurityGroupIngress properties.
SecurityGroupName | String | | | Name of the security group. | 2 to 128 English or Chinese characters in length. Must start with an uppercase or lowercase letter or a Chinese character, and cannot start with http:// or https://. Can contain digits, half-width colons (:), underscores (_), and hyphens (-). Default value: empty.

SecurityGroupIngress syntax

"SecurityGroupIngress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "SourceCidrIp": String,
    "IpProtocol": String
  }
]

SecurityGroupIngress properties

Property | Type | Required | Update allowed | Description | Constraints
IpProtocol | String | | | Transport layer protocol. | Values are case-sensitive. Valid values: tcp; udp; icmp; gre; all (all protocols are supported).
PortRange | String | | | Port range, for the given transport layer protocol, that the security group opens. | Valid values: TCP/UDP: 1~65535, with the start and end ports separated by a slash (/); correct example: 1/200; incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. IpProtocol set to all: -1/-1.
Policy | String | | | Access permission to apply. | Valid values: accept (default): allow access. drop: deny access without returning a rejection message.
Priority | Integer | | | Priority of the security group rule. | Valid values: 1~100. Default value: 1.
SourceCidrIp | String | | | Source IP address range. | CIDR blocks and IPv4 addresses are supported.
SourcePortRange | String | | | Port range, for the given transport layer protocol, that the source security group opens. | Valid values: TCP/UDP: 1~65535, with the start and end ports separated by a slash (/); correct example: 1/200; incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. IpProtocol set to all: -1/-1.

SecurityGroupEgress syntax

"SecurityGroupEgress": [
  {
    "Policy": String,
    "PortRange": String,
    "SourcePortRange": String,
    "Priority": Integer,
    "IpProtocol": String,
    "DestCidrIp": String
  }
]

SecurityGroupEgress properties

Property | Type | Required | Update allowed | Description | Constraints
IpProtocol | String | | | Transport layer protocol. | Values are case-sensitive. Valid values: tcp: TCP protocol; udp: UDP protocol; icmp: ICMP protocol; gre: GRE protocol; all: all protocols are supported.
PortRange | String | | | Port range, for the given transport layer protocol, that the security group opens. | Valid values: TCP/UDP: 1~65535, with the start and end ports separated by a slash (/); correct example: 1/200; incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. IpProtocol set to all: -1/-1.
DestCidrIp | String | | | Destination IP address range. | CIDR blocks and IPv4 addresses are supported.
Policy | String | | | Access permission to apply. | Valid values: accept (default): allow access. drop: deny access without returning a rejection message.
Priority | Integer | | | Priority of the security group rule. | Valid values: 1~100. Default value: 1.
SourcePortRange | String | | | Port range, for the given transport layer protocol, that the source security group opens. | Valid values: TCP/UDP: 1~65535, with the start and end ports separated by a slash (/); correct example: 1/200; incorrect example: 200/1. ICMP: -1/-1. GRE: -1/-1. IpProtocol set to all: -1/-1.
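As an added example (not part of this page and not ROS's own code), a small Python checker that applies the constraints from the ingress and egress tables above to the Properties block of a template before it is deployed, and additionally flags an accept rule whose source or destination is 0.0.0.0/0 on every port so it gets reviewed. The open-to-world check, the function names and the 198.51.100.0/24 sample addresses are this example's own assumptions.

```python
import ipaddress
import re

# Constraints copied from this page's SecurityGroupIngress/SecurityGroupEgress tables.
PROTOCOLS = {"tcp", "udp", "icmp", "gre", "all"}  # values are case-sensitive
POLICIES = {"accept", "drop"}
PORT_RE = re.compile(r"^(-?\d+)/(-?\d+)$")

def check_port_range(proto, value):
    """Return a problem string, or None when value is legal for proto."""
    m = PORT_RE.match(str(value))
    if not m:
        return "must be start/end, e.g. 1/200"
    lo, hi = int(m.group(1)), int(m.group(2))
    if proto in ("tcp", "udp"):
        return None if 1 <= lo <= hi <= 65535 else "tcp/udp ports must be 1~65535 with start <= end (200/1 is wrong)"
    return None if (lo, hi) == (-1, -1) else "icmp/gre/all require -1/-1"

def check_rule(rule, direction):
    """Validate one rule dict; direction is 'ingress' or 'egress'. Returns a list of findings."""
    proto = rule.get("IpProtocol")
    if proto not in PROTOCOLS:
        return [f"IpProtocol {proto!r} is not one of {sorted(PROTOCOLS)} (case-sensitive)"]
    findings = []
    for key in ("PortRange", "SourcePortRange"):  # PortRange is required, SourcePortRange optional
        err = check_port_range(proto, rule.get(key)) if key == "PortRange" or key in rule else None
        if err:
            findings.append(f"{key}: {err}")
    policy = rule.get("Policy", "accept")  # page: accept is the default
    if policy not in POLICIES:
        findings.append(f"Policy {policy!r} must be accept or drop")
    prio = rule.get("Priority", 1)  # page: default 1, range 1~100
    if not (isinstance(prio, int) and 1 <= prio <= 100):
        findings.append(f"Priority {prio!r} must be an integer 1~100")
    cidr_key = "SourceCidrIp" if direction == "ingress" else "DestCidrIp"
    try:
        net = ipaddress.IPv4Network(rule.get(cidr_key), strict=False)
    except ValueError:
        return findings + [f"{cidr_key} {rule.get(cidr_key)!r} is not an IPv4 address or CIDR block"]
    # Review finding beyond the page's syntax rules (this example's assumption): accept from/to anywhere on every port.
    if policy == "accept" and net.prefixlen == 0 and rule.get("PortRange") in ("-1/-1", "1/65535"):
        findings.append(f"{cidr_key} 0.0.0.0/0 with {proto} {rule['PortRange']} accept is open to the world")
    return findings

def check_group(props):
    """Check the Properties block of an ALIYUN::ENS::SecurityGroup resource; returns all findings."""
    out = []
    for direction, key in (("ingress", "SecurityGroupIngress"), ("egress", "SecurityGroupEgress")):
        for i, rule in enumerate(props.get(key) or []):
            out += [f"{key}[{i}]: {f}" for f in check_rule(rule, direction)]
    return out
```

Feed `check_group` the parsed Properties dictionary of the resource (for example from json.load on the JSON template below); an empty list means every rule satisfies the page's constraints and none is open to the world.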

Return values

Fn::GetAtt

SecurityGroupId: the ID of the security group.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  SecurityGroupName:
    Type: String
    Description:
      en: The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty.
    Required: false
  SecurityGroupIngress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        SourceCidrIp:
          Type: String
          Description:
            en: Source CIDR Ip Address range.
          Required: false
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: Ingress rules for the security group.
    Required: false
  SecurityGroupEgress:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
          AllowedValues:
            - accept
            - drop
          Required: false
        PortRange:
          Type: String
          Description:
            en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
          Required: true
        SourcePortRange:
          Type: String
          Description:
            en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
          Required: false
        Priority:
          Type: Number
          Description:
            en: Authorization policies priority range[1, 100]
          Required: false
          MinValue: 1
          MaxValue: 100
          Default: 1
        IpProtocol:
          Type: String
          Description:
            en: Ip protocol for in rule.
          AllowedValues:
            - tcp
            - udp
            - icmp
            - gre
            - all
          Required: true
        DestCidrIp:
          Type: String
          Description:
            en: Dest CIDR Ip Address range.
          Required: false
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: egress rules for the security group.
    Required: false
Resources:
  SecurityGroup:
    Type: ALIYUN::ENS::SecurityGroup
    Properties:
      SecurityGroupName:
        Ref: SecurityGroupName
      SecurityGroupIngress:
        Ref: SecurityGroupIngress
      SecurityGroupEgress:
        Ref: SecurityGroupEgress
Outputs:
  SecurityGroupId:
    Description: The ID of the security group.
    Value:
      Fn::GetAtt:
        - SecurityGroup
        - SecurityGroupId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "SecurityGroupName": {
      "Type": "String",
      "Description": {
        "en": "The name of the security group. The name must be 2 to 128 characters in length. The name must start with a letter and cannot start with http:// or https://. It can contain letters, digits, colons (:), underscores (_), and hyphens (-). By default, this parameter is empty."
      },
      "Required": false
    },
    "SecurityGroupIngress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "SourceCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Source CIDR Ip Address range."
            },
            "Required": false
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "Ingress rules for the security group."
      },
      "Required": false
    },
    "SecurityGroupEgress": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": false
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
            },
            "Required": true
          },
          "SourcePortRange": {
            "Type": "String",
            "Description": {
              "en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "Authorization policies priority range[1, 100]"
            },
            "Required": false,
            "MinValue": 1,
            "MaxValue": 100,
            "Default": 1
          },
          "IpProtocol": {
            "Type": "String",
            "Description": {
              "en": "Ip protocol for in rule."
            },
            "AllowedValues": [
              "tcp",
              "udp",
              "icmp",
              "gre",
              "all"
            ],
            "Required": true
          },
          "DestCidrIp": {
            "Type": "String",
            "Description": {
              "en": "Dest CIDR Ip Address range."
            },
            "Required": false
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "egress rules for the security group."
      },
      "Required": false
    }
  },
  "Resources": {
    "SecurityGroup": {
      "Type": "ALIYUN::ENS::SecurityGroup",
      "Properties": {
        "SecurityGroupName": {
          "Ref": "SecurityGroupName"
        },
        "SecurityGroupIngress": {
          "Ref": "SecurityGroupIngress"
        },
        "SecurityGroupEgress": {
          "Ref": "SecurityGroupEgress"
        }
      }
    }
  },
  "Outputs": {
    "SecurityGroupId": {
      "Description": "The ID of the security group.",
      "Value": {
        "Fn::GetAtt": [
          "SecurityGroup",
          "SecurityGroupId"
        ]
      }
    }
  }
}