AWS::EC2::SecurityGroup Egress
Specifies an outbound rule for a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, or to the instances associated with the specified destination security groups.
You must specify only one of the following properties:
CidrIp
, CidrIpv6
,
DestinationPrefixListId
, or DestinationSecurityGroupId
.
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup
type.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "CidrIp" :
String
, "CidrIpv6" :String
, "Description" :String
, "DestinationPrefixListId" :String
, "DestinationSecurityGroupId" :String
, "FromPort" :Integer
, "IpProtocol" :String
, "ToPort" :Integer
}
YAML
CidrIp:
String
CidrIpv6:String
Description:String
DestinationPrefixListId:String
DestinationSecurityGroupId:String
FromPort:Integer
IpProtocol:String
ToPort:Integer
Properties
CidrIp
-
The IPv4 address range, in CIDR format.
Required: No
Type: String
Update requires: No interruption
CidrIpv6
-
The IPv6 address range, in CIDR format.
Required: No
Type: String
Update requires: No interruption
Description
-
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
Required: No
Type: String
Update requires: No interruption
DestinationPrefixListId
-
[EC2-VPC only] The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
Required: No
Type: String
Update requires: No interruption
DestinationSecurityGroupId
-
The ID of the destination VPC security group.
Required: No
Type: String
Update requires: No interruption
FromPort
-
The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of
-1
indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.Required: No
Type: Integer
Update requires: No interruption
IpProtocol
-
The IP protocol name (
tcp
,udp
,icmp
,icmpv6
) or number (see Protocol Numbers). [VPC only] Use
-1
to specify all protocols. When authorizing security group rules, specifying-1
or a protocol number other thantcp
,udp
,icmp
, oricmpv6
allows traffic on all ports, regardless of any port range you specify. Fortcp
,udp
, andicmp
, you must specify a port range. Foricmpv6
, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.Required: Yes
Type: String
Update requires: No interruption
ToPort
-
The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of
-1
indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.Required: No
Type: Integer
Update requires: No interruption