AWS::NetworkFirewall::RuleGroup MatchAttributes - AWS CloudFormation

AWS::NetworkFirewall::RuleGroup MatchAttributes

Criteria for Network Firewall to use to inspect an individual packet in stateless rule inspection. Each match attributes set can include one or more items such as IP address, CIDR range, port number, protocol, and TCP flags.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "DestinationPorts" : [ PortRange, ... ],
  "Destinations" : [ Address, ... ],
  "Protocols" : [ Integer, ... ],
  "SourcePorts" : [ PortRange, ... ],
  "Sources" : [ Address, ... ],
  "TCPFlags" : [ TCPFlagField, ... ]
}

Properties

DestinationPorts

The destination ports to inspect for. If not specified, this matches with any destination port. This setting is only used for protocols 6 (TCP) and 17 (UDP).

You can specify individual ports, for example 1994, and you can specify port ranges, for example 1990:1994.

Required: No

Type: Array of PortRange

Update requires: No interruption

Destinations

The destination IP addresses and address ranges to inspect for, in CIDR notation. If not specified, this matches with any destination address.

Required: No

Type: Array of Address

Update requires: No interruption

Protocols

The protocols to inspect for, specified using each protocol's assigned internet protocol number (IANA). If not specified, this matches with any protocol.

Required: No

Type: Array of Integer

Update requires: No interruption

SourcePorts

The source ports to inspect for. If not specified, this matches with any source port. This setting is only used for protocols 6 (TCP) and 17 (UDP).

You can specify individual ports, for example 1994, and you can specify port ranges, for example 1990:1994.

Required: No

Type: Array of PortRange

Update requires: No interruption

Sources

The source IP addresses and address ranges to inspect for, in CIDR notation. If not specified, this matches with any source address.

Required: No

Type: Array of Address

Update requires: No interruption

TCPFlags

The TCP flags and masks to inspect for. If not specified, this matches with any settings. This setting is only used for protocol 6 (TCP).

Required: No

Type: Array of TCPFlagField

Update requires: No interruption
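The following is an added example, not code from AWS or from this page. It builds a MatchAttributes object in the shape this page describes and evaluates constructed packets against it using the semantics stated above: an omitted criterion matches anything, port criteria are consulted only for protocols 6 and 17, and TCP flags only for protocol 6. The sub-property names used (PortRange FromPort/ToPort, Address AddressDefinition, TCPFlagField Flags/Masks) are taken from the corresponding CloudFormation sub-resource documentation; the evaluator itself is an assumption about how the engine applies these criteria, written to make the "only used for protocols 6 and 17" caveat concrete, and is not the firewall's implementation.

```python
"""Build and evaluate AWS Network Firewall stateless MatchAttributes objects.

Added example, not AWS code. The evaluator implements the semantics stated on
the MatchAttributes page and is an assumption about engine behaviour.
"""
import ipaddress
import json
from dataclasses import dataclass

TCP, UDP = 6, 17
TCP_FLAGS = {"FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"}


def port_range(spec: str) -> dict:
    """Convert '1994' or '1990:1994' (the page's notation) into a PortRange."""
    lo, _, hi = spec.partition(":")
    lo_p, hi_p = int(lo), int(hi or lo)
    if not 0 <= lo_p <= hi_p <= 65535:
        raise ValueError(f"invalid port range {spec!r}")
    return {"FromPort": lo_p, "ToPort": hi_p}


def tcp_flag_field(flags, masks=()) -> dict:
    """Build a TCPFlagField; Flags must be a subset of Masks when Masks is given."""
    flags, masks = set(flags), set(masks)
    if not flags <= TCP_FLAGS or not masks <= TCP_FLAGS:
        raise ValueError("unknown TCP flag name")
    if masks and not flags <= masks:
        raise ValueError("Flags must be a subset of Masks")
    out = {"Flags": sorted(flags)}
    if masks:
        out["Masks"] = sorted(masks)
    return out


def match_attributes(*, sources=(), destinations=(), protocols=(),
                     source_ports=(), destination_ports=(), tcp_flags=()) -> dict:
    """Assemble a MatchAttributes dict, omitting any criterion left empty
    (an omitted criterion matches any value)."""
    attrs = {}
    if sources:
        attrs["Sources"] = [{"AddressDefinition": str(ipaddress.ip_network(c))} for c in sources]
    if destinations:
        attrs["Destinations"] = [{"AddressDefinition": str(ipaddress.ip_network(c))} for c in destinations]
    if protocols:
        attrs["Protocols"] = [int(p) for p in protocols]
    if source_ports:
        attrs["SourcePorts"] = [port_range(p) for p in source_ports]
    if destination_ports:
        attrs["DestinationPorts"] = [port_range(p) for p in destination_ports]
    if tcp_flags:
        attrs["TCPFlags"] = list(tcp_flags)
    return attrs


@dataclass
class Packet:
    """Constructed packet header summary used for evaluation (not real traffic)."""
    src: str
    dst: str
    protocol: int
    src_port: int = 0
    dst_port: int = 0
    flags: frozenset = frozenset()  # names of TCP flags that are set, e.g. {"SYN"}


def _addr_hit(entries, ip) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e["AddressDefinition"]) for e in entries)


def _port_hit(ranges, port) -> bool:
    return any(r["FromPort"] <= port <= r["ToPort"] for r in ranges)


def _flags_hit(fields, flags) -> bool:
    """A field matches when every flag in Masks (all flags if Masks is omitted)
    is set exactly as listed in Flags: listed flags set, the rest clear."""
    for f in fields:
        mask = set(f.get("Masks") or TCP_FLAGS)
        if flags & mask == set(f["Flags"]):
            return True
    return False


def matches(attrs: dict, pkt: Packet) -> bool:
    """Evaluate one packet against a MatchAttributes object (page semantics)."""
    if "Sources" in attrs and not _addr_hit(attrs["Sources"], pkt.src):
        return False
    if "Destinations" in attrs and not _addr_hit(attrs["Destinations"], pkt.dst):
        return False
    if "Protocols" in attrs and pkt.protocol not in attrs["Protocols"]:
        return False
    if pkt.protocol in (TCP, UDP):  # port criteria only apply to protocols 6 and 17
        if "SourcePorts" in attrs and not _port_hit(attrs["SourcePorts"], pkt.src_port):
            return False
        if "DestinationPorts" in attrs and not _port_hit(attrs["DestinationPorts"], pkt.dst_port):
            return False
    if pkt.protocol == TCP and "TCPFlags" in attrs and not _flags_hit(attrs["TCPFlags"], set(pkt.flags)):
        return False
    return True


# Inbound TCP connection attempts (SYN set, ACK clear) to port 22 inside 10.0.0.0/8.
SSH_SYN = match_attributes(destinations=["10.0.0.0/8"], protocols=[TCP],
                           destination_ports=["22"],
                           tcp_flags=[tcp_flag_field(["SYN"], ["SYN", "ACK"])])

if __name__ == "__main__":
    print(json.dumps(SSH_SYN, indent=2))
```

Because port criteria are not consulted for protocols other than 6 and 17, a set that names DestinationPorts but leaves Protocols unset still matches packets of any other protocol; the evaluator reproduces that, which is why the sample pins Protocols explicitly.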