AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::EC2::SecurityGroupEgress

The AWS::EC2::SecurityGroupEgress type adds an egress rule to an Amazon VPC security group.

This type supports updates. For more information about updating stacks, see AWS CloudFormation Stacks Updates.

For more information about adding egress rules to Amazon VPC security groups, go to AuthorizeSecurityGroupEgress in the Amazon Elastic Compute Cloud API Reference.

Note

You should use AWS::EC2::SecurityGroupEgress and AWS::EC2::SecurityGroupIngress only when necessary, typically to allow security groups to reference each other in ingress and egress rules. Otherwise, you should use internal ingress and egress rules. For more information, see Amazon EC2 Security Groups.

Syntax

{
   "CidrIp" : String,
   "DestinationSecurityGroupId" : String,
   "FromPort" : Number,
   "GroupId" : String,
   "IpProtocol" : String,
   "ToPort" : Number
}

Properties

Important

After you create an AWS::EC2::SecurityGroupEgress resource, you cannot update its properties. Instead, you must define a new AWS::EC2::SecurityGroupEgress resource with the properties that you want, remove the old AWS::EC2::SecurityGroupEgress resource, and then update your AWS CloudFormation stack.

CidrIp

CIDR range.

Type: String

Required: Conditional. Cannot be used when specifying a destination security group.

DestinationSecurityGroupId

Specifies the GroupId of the destination Amazon VPC security group.

Type: String

Required: Conditional. Cannot be used when specifying a CIDR IP address.

FromPort

Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).

Type: String

Required: Yes

GroupId

ID of the Amazon VPC security group to modify. This value can be a reference to an AWS::EC2::SecurityGroup resource that has a valid VpcId property or the ID of an existing Amazon VPC security group.

Type: String

Required: Yes

IpProtocol

IP protocol name or number. For valid values, see the IpProtocol parameter in AuthorizeSecurityGroupIngress.

Type: String

Required: Yes

ToPort

End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).

Type: String

Required: Yes

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, it returns the resource name.

For more information about using the Ref function, see Ref.

VPC Security Group and Egress Rule

The following template snippet creates a VPC security group and a separate egress rule that allows outgoing TCP traffic on port 80 to any other member of the same security group.

{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SGBase": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId" : "vpc-e063f789",
        "GroupDescription": "Base Security Group",
        "SecurityGroupEgress": [
          {
            "IpProtocol": "tcp",
            "CidrIp": "0.0.0.0/0",
            "FromPort": "22",
            "ToPort": "22"
          }
        ]
      }
    },
    "SGBaseEgress": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "GroupId": { "Ref": "SGBase" },
        "IpProtocol": "tcp",
        "FromPort": "80",
        "ToPort": "80",
        "DestinationSecurityGroupId": { "Ref": "SGBase" }
      }
    }
  }
}
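As an added example (not code from the AWS guide), the following Python linter applies the property rules this page states to a template: exactly one of CidrIp or DestinationSecurityGroupId per rule, the four required properties on a standalone resource, an ordered port range for TCP/UDP, and a finding for any rule whose destination is 0.0.0.0/0. The embedded template is a constructed copy of the snippet above plus a hypothetical SGBadEgress resource that breaks those rules.

```python
import json

# Constructed sample (not from the page): the page's template plus one extra
# standalone rule, SGBadEgress, with both destinations set and an inverted range.
TEMPLATE = json.loads("""{"Resources": {
  "SGBase": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
    "VpcId": "vpc-e063f789", "GroupDescription": "Base Security Group",
    "SecurityGroupEgress": [{"IpProtocol": "tcp", "CidrIp": "0.0.0.0/0",
                             "FromPort": "22", "ToPort": "22"}]}},
  "SGBaseEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
    "GroupId": {"Ref": "SGBase"}, "IpProtocol": "tcp", "FromPort": "80",
    "ToPort": "80", "DestinationSecurityGroupId": {"Ref": "SGBase"}}},
  "SGBadEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
    "GroupId": {"Ref": "SGBase"}, "IpProtocol": "tcp", "FromPort": "443",
    "ToPort": "80", "CidrIp": "0.0.0.0/0",
    "DestinationSecurityGroupId": {"Ref": "SGBase"}}}}}""")


def check_rule(name, props, standalone=True):
    """Return findings for one egress rule (standalone resource or inline entry)."""
    findings = []
    required = ("IpProtocol", "FromPort", "ToPort") + (("GroupId",) if standalone else ())
    for key in required:
        if key not in props:
            findings.append(f"{name}: missing required property {key}")
    # CidrIp and DestinationSecurityGroupId are mutually exclusive; one must be set.
    if ("CidrIp" in props) == ("DestinationSecurityGroupId" in props):
        findings.append(f"{name}: set exactly one of CidrIp or DestinationSecurityGroupId")
    if props.get("CidrIp") == "0.0.0.0/0":
        findings.append(f"{name}: allows egress to any destination (0.0.0.0/0)")
    # For tcp/udp the range must be ordered; icmp uses type/code where -1 is a wildcard.
    if props.get("IpProtocol") in ("tcp", "udp", "6", "17"):
        try:
            if int(props["FromPort"]) > int(props["ToPort"]):
                findings.append(f"{name}: FromPort is greater than ToPort")
        except (KeyError, ValueError):
            findings.append(f"{name}: FromPort/ToPort are not numeric")
    return findings


def lint_template(template):
    """Collect findings over standalone and inline egress rules in a template."""
    findings = []
    for rid, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroupEgress":
            findings.extend(check_rule(rid, props))
        elif res.get("Type") == "AWS::EC2::SecurityGroup":
            for i, rule in enumerate(props.get("SecurityGroupEgress", [])):
                findings.extend(check_rule(f"{rid}.SecurityGroupEgress[{i}]", rule, False))
    return findings
```

Running lint_template(TEMPLATE) flags the inline SSH rule to 0.0.0.0/0 and all three defects in SGBadEgress, while the page's SGBaseEgress rule passes clean.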