AWS::EC2::SecurityGroup Egress

Specifies an outbound rule for a security group. An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 CIDR address ranges, or to the instances associated with the specified destination security groups.

You must specify only one of the following properties: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.

The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON


{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "Description" : String,
  "DestinationPrefixListId" : String,
  "DestinationSecurityGroupId" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "ToPort" : Integer
}

YAML


  CidrIp: String
  CidrIpv6: String
  Description: String
  DestinationPrefixListId: String
  DestinationSecurityGroupId: String
  FromPort: Integer
  IpProtocol: String
  ToPort: Integer

Properties

CidrIp

The destination IPv4 address range, in CIDR format.

Required: No

Type: String

Update requires: No interruption

CidrIpv6

[EC2-VPC only] The IPv6 ranges.

The destination IPv6 address range, in CIDR format.

Required: No

Type: String

Update requires: No interruption

Description

A description for the security group rule.

Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*

Required: No

Type: String

Update requires: No interruption

DestinationPrefixListId

[EC2-VPC only] The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.

Required: No

Type: String

Update requires: No interruption

DestinationSecurityGroupId

The ID of the destination VPC security group.

Required: No

Type: String

Update requires: No interruption

FromPort

The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: No interruption

IpProtocol

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

[VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

Required: Yes

Type: String

Update requires: No interruption

ToPort

The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: No interruption

Warning Javascript is disabled or is unavailable in your browser.

To use the AWS Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS::EC2::SecurityGroup

Ingress