AWS CloudFormation
User Guide

AWS::EC2::SecurityGroup Egress

Specifies an outbound rule for a security group.

You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.

The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "Description" : String,
  "DestinationPrefixListId" : String,
  "DestinationSecurityGroupId" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "ToPort" : Integer
}

YAML

CidrIp: String
CidrIpv6: String
Description: String
DestinationPrefixListId: String
DestinationSecurityGroupId: String
FromPort: Integer
IpProtocol: String
ToPort: Integer

Properties

CidrIp

The IPv4 address range, in CIDR format.

Required: No

Type: String

Update requires: No interruption

CidrIpv6

[EC2-VPC only] The IPv6 address range, in CIDR format.

Required: No

Type: String

Update requires: No interruption

Description

A description for the security group rule.

Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

Required: No

Type: String

Update requires: No interruption

DestinationPrefixListId

[EC2-VPC only] The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.

Required: No

Type: String

Update requires: No interruption

DestinationSecurityGroupId

The ID of the destination VPC security group.

Required: No

Type: String

Update requires: No interruption

FromPort

The start of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: No interruption

IpProtocol

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

[VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

Required: Yes

Type: String

Update requires: No interruption

ToPort

The end of the port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: No interruption
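The constraints listed above can be checked before a template is deployed. The following is an added example, not code from the AWS documentation or from the CloudFormation service: it lints one egress rule (given as a Python dict with the property names from this page) against the rules stated here and additionally flags a rule that opens every port to any destination. The sample rules and the sg-PLACEHOLDER ID are constructed for illustration.

```python
import re

# Properties of which an egress rule must carry exactly one (per the page).
DESTINATION_KEYS = ("CidrIp", "CidrIpv6",
                    "DestinationPrefixListId", "DestinationSecurityGroupId")
NAMED_PROTOCOLS = {"tcp", "udp", "icmp", "icmpv6"}
# Description: up to 255 characters from the allowed set listed on the page.
DESCRIPTION_RE = re.compile(r"^[a-zA-Z0-9 ._\-:/()#,@\[\]+=;{}!$*]{0,255}$")


def lint_egress_rule(rule: dict) -> list:
    """Return a list of findings for one egress rule; an empty list means OK."""
    findings = []
    present = [k for k in DESTINATION_KEYS if k in rule]
    if len(present) != 1:
        findings.append(f"exactly one destination property required, found {present}")
    if "IpProtocol" not in rule:
        findings.append("IpProtocol is required")
        return findings
    proto = str(rule["IpProtocol"]).lower()
    has_ports = "FromPort" in rule and "ToPort" in rule
    if proto in ("tcp", "udp", "icmp") and not has_ports:
        findings.append(f"{proto} requires FromPort and ToPort")
    if proto not in NAMED_PROTOCOLS and has_ports:
        # -1 or a protocol number: the port range is ignored, all ports are open.
        findings.append(f"IpProtocol {proto} ignores the port range; all ports are open")
    if not DESCRIPTION_RE.match(str(rule.get("Description", ""))):
        findings.append("Description exceeds 255 characters or uses disallowed characters")
    # Risk finding: every port to every destination is rarely what a workload needs.
    any_dest = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
    all_ports = proto not in NAMED_PROTOCOLS or (
        rule.get("FromPort") == 0 and rule.get("ToPort") == 65535)
    if any_dest and all_ports:
        findings.append("unrestricted egress to any destination; scope it to the "
                        "ports and destinations the workload needs")
    return findings


# Constructed sample rules (not from the page); the security group ID is a placeholder.
SCOPED_RULE = {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
               "CidrIp": "10.0.0.0/16", "Description": "HTTPS to app subnet"}
OPEN_RULE = {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"}
AMBIGUOUS_RULE = {"IpProtocol": "tcp", "FromPort": 80, "ToPort": 80,
                  "CidrIp": "10.0.0.0/8", "DestinationSecurityGroupId": "sg-PLACEHOLDER"}

if __name__ == "__main__":
    for name, rule in [("scoped", SCOPED_RULE), ("open", OPEN_RULE),
                       ("ambiguous", AMBIGUOUS_RULE)]:
        print(name, lint_egress_rule(rule) or ["OK"])
```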
