ALIYUN::ECS::SecurityGroupIngresses
更新時間:
ALIYUN::ECS::SecurityGroupIngresses類型用于給安全組批量綁定多條入方向的訪問規(guī)則。
語法
{
"Type": "ALIYUN::ECS::SecurityGroupIngresses",
"Properties": {
"SecurityGroupId": String,
"Permissions": List
}
}屬性
屬性名稱 | 類型 | 必須 | 允許更新 | 描述 | 約束 |
Permissions | List | 是 | 是 | 設置安全組入方向訪問規(guī)則列表屬性。 | 最多支持添加100個規(guī)則屬性。更多信息,請參見Permissions屬性。 |
SecurityGroupId | String | 是 | 否 | 源端安全組ID。 | 無 |
Permissions語法
"Permissions": [
{
"Policy": String,
"SourceGroupId": String,
"Description": String,
"SourcePortRange": String,
"Priority": Integer,
"SourceGroupOwnerId": String,
"Ipv6SourceCidrIp": String,
"NicType": String,
"PortRange": String,
"SourceCidrIp": String,
"IpProtocol": String,
"DestCidrIp": String,
"SourceGroupOwnerAccount": String,
"Ipv6DestCidrIp": String,
"SourcePrefixListId": String
}
]Permissions屬性
屬性名稱 | 類型 | 必須 | 允許更新 | 描述 | 約束 |
IpProtocol | String | 是 | 否 | IP協(xié)議。 | 取值:
|
PortRange | String | 是 | 否 | 目的端安全組開放的傳輸層協(xié)議相關(guān)的端口范圍。 | 取值:
|
Description | String | 否 | 否 | 安全組規(guī)則的描述信息。 | 長度為1~512個字符。 |
DestCidrIp | String | 否 | 否 | 目的端IP地址范圍。 | 支持IPv4格式的IP地址范圍。 |
Ipv6DestCidrIp | String | 否 | 否 | 目的端IPv6 CIDR地址段。 | 支持CIDR格式和IPv6格式的IP地址范圍,且僅支持VPC類型的IP地址。 |
Ipv6SourceCidrIp | String | 否 | 否 | 源端IPv6 CIDR地址段。 | 支持CIDR格式和IPv6格式的IP地址范圍。僅支持VPC類型的IP地址。 |
NicType | String | 否 | 否 | 網(wǎng)絡類型。 | 取值:
當設置安全組之間互相訪問時,即指定DestGroupId但未指定DestCidrIp時,該參數(shù)取值為intranet。 |
Policy | String | 否 | 否 | 訪問權(quán)限。 | 取值:
|
Priority | Integer | 否 | 否 | 安全組規(guī)則優(yōu)先級。 | 取值范圍:1~100。 默認值:1。 |
SourceCidrIp | String | 否 | 否 | 源端IPv4 CIDR地址段。 | 僅支持IPv4格式的IP地址范圍。 |
SourceGroupId | String | 否 | 否 | 需要設置訪問權(quán)限的源端安全組ID。 | 至少設置SourceGroupId或者SourceCidrIp其中一項。 如果指定SourceGroupId,但未指定SourceCidrIp,則參數(shù)NicType取值為intranet。 如果同時指定SourceGroupId和SourceCidrIp,則默認以SourceCidrIp的設置為準。 |
SourceGroupOwnerAccount | String | 否 | 否 | 源端安全組所屬的阿里云賬戶郵箱。 | 示例:T***@example.com |
SourceGroupOwnerId | String | 否 | 否 | 跨賬戶設置安全組規(guī)則時,源端安全組所屬的阿里云賬戶ID。 | 如果SourceGroupOwnerId未設置,則默認設置您其他安全組的訪問權(quán)限。 如果已經(jīng)設置SourceCidrIp,則SourceGroupOwnerId的設置無效。 |
SourcePortRange | String | 否 | 否 | 源端安全組開放的傳輸層協(xié)議相關(guān)的端口范圍。 | 取值:
|
SourcePrefixListId | String | 否 | 否 | 需要設置入方向訪問權(quán)限的源端前綴列表ID。 | 您可以調(diào)用DescribePrefixLists查詢可以使用的前綴列表ID。 安全組的網(wǎng)絡類型為經(jīng)典網(wǎng)絡時,不支持設置前綴列表。更多信息,請參見安全組。 當您指定了SourceCidrIp、Ipv6SourceCidrIp與SourceGroupId參數(shù)中的任意一個時,將忽略該參數(shù)。 |
返回值
Fn::GetAtt
無
示例
YAML格式
ROSTemplateFormatVersion: '2015-09-01'
Parameters:
SecurityGroupId:
AssociationPropertyMetadata:
VpcId: ${VpcId}
AssociationProperty: ALIYUN::ECS::SecurityGroup::SecurityGroupId
Type: String
Description:
en: Id of the security group.
Required: true
Permissions:
AssociationPropertyMetadata:
Parameters:
Policy:
Type: String
Description:
en: 'Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept.'
AllowedValues:
- accept
- drop
Required: false
SourceGroupId:
Type: String
Description:
en: Source Group Id
Required: false
Description:
AssociationProperty: TextArea
Type: String
Description:
en: Description of the security group rule, [1, 512] characters. The default is empty.
Required: false
MinLength: 1
MaxLength: 512
SourcePortRange:
Type: String
Description:
en: 'The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1.'
Required: false
Priority:
Type: Number
Description:
en: Authorization policies priority range[1, 100]
Required: false
MinValue: 1
MaxValue: 100
Default: 1
SourceGroupOwnerId:
Type: String
Description:
en: Source Group Owner Account ID
Required: false
Ipv6SourceCidrIp:
Type: String
Description:
en: |-
Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.
Note Only VPC type IP addresses are supported.
Required: false
NicType:
Type: String
Description:
en: Network type, could be 'internet' or 'intranet'. Default value is internet.
AllowedValues:
- internet
- intranet
Required: false
PortRange:
Type: String
Description:
en: Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'
Required: true
SourceCidrIp:
Type: String
Description:
en: The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
Required: false
IpProtocol:
Type: String
Description:
en: Ip protocol for in rule.
AllowedValues:
- tcp
- udp
- icmp
- gre
- all
- icmpv6
Required: true
DestCidrIp:
Type: String
Description:
en: The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported.
Required: false
SourceGroupOwnerAccount:
Type: String
Description:
en: Source Group Owner Account
Required: false
Ipv6DestCidrIp:
Type: String
Description:
en: Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported.
Required: false
SourcePrefixListId:
Type: String
Description:
en: |-
The ID of the source prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:
- If a security group is in the classic network, you cannot configure prefix lists in the security group rules.
- If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId parameter, this parameter is ignored.
Required: false
AssociationProperty: List[Parameters]
Type: Json
Description:
en: A list of security group rules. A hundred at most.
Required: true
MaxLength: 100
Resources:
SecurityGroupIngresses:
Type: ALIYUN::ECS::SecurityGroupIngresses
Properties:
SecurityGroupId:
Ref: SecurityGroupId
Permissions:
Ref: Permissions
JSON格式
{
"ROSTemplateFormatVersion": "2015-09-01",
"Parameters": {
"SecurityGroupId": {
"AssociationPropertyMetadata": {
"VpcId": "${VpcId}"
},
"AssociationProperty": "ALIYUN::ECS::SecurityGroup::SecurityGroupId",
"Type": "String",
"Description": {
"en": "Id of the security group."
},
"Required": true
},
"Permissions": {
"AssociationPropertyMetadata": {
"Parameters": {
"Policy": {
"Type": "String",
"Description": {
"en": "Authorization policies, parameter values can be: accept (accepted access), drop (denied access). Default value is accept."
},
"AllowedValues": [
"accept",
"drop"
],
"Required": false
},
"SourceGroupId": {
"Type": "String",
"Description": {
"en": "Source Group Id"
},
"Required": false
},
"Description": {
"AssociationProperty": "TextArea",
"Type": "String",
"Description": {
"en": "Description of the security group rule, [1, 512] characters. The default is empty."
},
"Required": false,
"MinLength": 1,
"MaxLength": 512
},
"SourcePortRange": {
"Type": "String",
"Description": {
"en": "The range of the ports enabled by the source security group for the transport layer protocol. Valid values: TCP/UDP: Value range: 1 to 65535. The start port and the end port are separated by a slash (/). Correct example: 1/200. Incorrect example: 200/1.ICMP: -1/-1.GRE: -1/-1.ALL: -1/-1."
},
"Required": false
},
"Priority": {
"Type": "Number",
"Description": {
"en": "Authorization policies priority range[1, 100]"
},
"Required": false,
"MinValue": 1,
"MaxValue": 100,
"Default": 1
},
"SourceGroupOwnerId": {
"Type": "String",
"Description": {
"en": "Source Group Owner Account ID"
},
"Required": false
},
"Ipv6SourceCidrIp": {
"Type": "String",
"Description": {
"en": "Source IPv6 CIDR address segment. Supports IP address ranges in CIDR format and IPv6 format.\nNote Only VPC type IP addresses are supported."
},
"Required": false
},
"NicType": {
"Type": "String",
"Description": {
"en": "Network type, could be 'internet' or 'intranet'. Default value is internet."
},
"AllowedValues": [
"internet",
"intranet"
],
"Required": false
},
"PortRange": {
"Type": "String",
"Description": {
"en": "Ip protocol relative port range. For tcp and udp, the port rang is [1,65535], using format '1/200'For icmp|gre|all protocel, the port range should be '-1/-1'"
},
"Required": true
},
"SourceCidrIp": {
"Type": "String",
"Description": {
"en": "The source IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
},
"Required": false
},
"IpProtocol": {
"Type": "String",
"Description": {
"en": "Ip protocol for in rule."
},
"AllowedValues": [
"tcp",
"udp",
"icmp",
"gre",
"all",
"icmpv6"
],
"Required": true
},
"DestCidrIp": {
"Type": "String",
"Description": {
"en": "The destination IPv4 CIDR block to which you want to control access. CIDR blocks and IPv4 addresses are supported."
},
"Required": false
},
"SourceGroupOwnerAccount": {
"Type": "String",
"Description": {
"en": "Source Group Owner Account"
},
"Required": false
},
"Ipv6DestCidrIp": {
"Type": "String",
"Description": {
"en": "Destination IPv6 CIDR address block for which access rights need to be set. CIDR format and IPv6 format IP address range are supported."
},
"Required": false
},
"SourcePrefixListId": {
"Type": "String",
"Description": {
"en": "The ID of the source prefix list to which you want to control access. You can call the DescribePrefixLists operation to query the IDs of available prefix lists. Take note of the following items:\n- If a security group is in the classic network, you cannot configure prefix lists in the security group rules.\n- If you specify the SourceCidrIp, Ipv6SourceCidrIp, or SourceGroupId parameter, this parameter is ignored."
},
"Required": false
}
}
},
"AssociationProperty": "List[Parameters]",
"Type": "Json",
"Description": {
"en": "A list of security group rules. A hundred at most."
},
"Required": true,
"MaxLength": 100
}
},
"Resources": {
"SecurityGroupIngresses": {
"Type": "ALIYUN::ECS::SecurityGroupIngresses",
"Properties": {
"SecurityGroupId": {
"Ref": "SecurityGroupId"
},
"Permissions": {
"Ref": "Permissions"
}
}
}
}
}
文檔內(nèi)容是否對您有幫助?