AWS::NetworkFirewall::RuleGroup Header
The 5-tuple criteria for AWS Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding stateful rule.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Destination" : String,
  "DestinationPort" : String,
  "Direction" : String,
  "Protocol" : String,
  "Source" : String,
  "SourcePort" : String
}
YAML
Destination: String
DestinationPort: String
Direction: String
Protocol: String
Source: String
SourcePort: String
Properties
Destination
The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY. Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
- To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
- To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
Required: Yes
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 1024
Update requires: No interruption
DestinationPort
The destination port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
Required: Yes
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 1024
Update requires: No interruption
Direction
The direction of traffic flow to inspect. If set to ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set to FORWARD, the inspection only matches traffic going from the source to the destination.
Required: Yes
Type: String
Allowed values: FORWARD | ANY
Update requires: No interruption
Protocol
The protocol to inspect for. To specify all, you can use IP, because all traffic on AWS and on the internet is IP.
Required: Yes
Type: String
Allowed values: IP | TCP | UDP | ICMP | HTTP | FTP | TLS | SMB | DNS | DCERPC | SSH | SMTP | IMAP | MSN | KRB5 | IKEV2 | TFTP | NTP | DHCP
Update requires: No interruption
Source
The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify ANY. Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.
Examples:
- To configure Network Firewall to inspect for the IP address 192.0.2.44, specify 192.0.2.44/32.
- To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify 192.0.2.0/24.
- To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify 1111:0000:0000:0000:0000:0000:0000:0111/128.
- To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify 1111:0000:0000:0000:0000:0000:0000:0000/64.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing.
Required: Yes
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 1024
Update requires: No interruption
SourcePort
The source port to inspect for. You can specify an individual port, for example 1994, and you can specify a port range, for example 1990:1994. To match with any port, specify ANY.
Required: Yes
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 1024
Update requires: No interruption
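The Pattern ^.*$ on the string properties above accepts any value, so a mistyped CIDR block or a reversed port range is not rejected by the template schema itself. The following script is an added pre-deployment check, not part of the AWS documentation or the Network Firewall service: it validates a Header object against the rules stated on this page (ANY or CIDR for addresses, ANY, a port or a low:high range for ports, the listed Direction and Protocol values, and the 1..1024 string length). The sample headers are constructed for illustration.

```python
import ipaddress
# Allowed values and limits are those stated for the Header properties above.
DIRECTIONS = {"FORWARD", "ANY"}
PROTOCOLS = {"IP", "TCP", "UDP", "ICMP", "HTTP", "FTP", "TLS", "SMB", "DNS", "DCERPC",
             "SSH", "SMTP", "IMAP", "MSN", "KRB5", "IKEV2", "TFTP", "NTP", "DHCP"}
FIELDS = ("Destination", "DestinationPort", "Direction", "Protocol", "Source", "SourcePort")

def check_address(value):
    # ANY, or an IPv4/IPv6 block in CIDR notation. ip_network() is strict by default,
    # so a prefix with host bits set (192.0.2.44/24) is rejected, not silently widened.
    if value == "ANY":
        return None
    try:
        ipaddress.ip_network(value)
    except ValueError:
        return f"not ANY or a CIDR block: {value!r}"

def check_port(value):
    # ANY, a single port (1994), or a low:high range (1990:1994) with low <= high.
    if value == "ANY":
        return None
    parts = value.split(":")
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return f"not ANY, a port or a low:high range: {value!r}"
    ports = [int(p) for p in parts]
    if max(ports) > 65535 or ports != sorted(ports):
        return f"port above 65535 or reversed range: {value!r}"

def validate_header(header):
    # Returns the problems found; an empty list means the Header is well formed.
    problems = []
    for key in FIELDS:
        value = header.get(key)
        if not isinstance(value, str) or not 1 <= len(value) <= 1024:
            problems.append(f"{key}: required string of length 1..1024")
        elif key in ("Destination", "Source") and check_address(value):
            problems.append(f"{key}: {check_address(value)}")
        elif key.endswith("Port") and check_port(value):
            problems.append(f"{key}: {check_port(value)}")
        elif key == "Direction" and value not in DIRECTIONS:
            problems.append(f"{key}: must be FORWARD or ANY, got {value!r}")
        elif key == "Protocol" and value not in PROTOCOLS:
            problems.append(f"{key}: unsupported protocol {value!r}")
    return problems

# Constructed sample headers: SSH from a /24 to any address, and a copy with two mistakes.
GOOD_HEADER = {"Source": "192.0.2.0/24", "SourcePort": "ANY", "Direction": "FORWARD",
               "Protocol": "SSH", "Destination": "ANY", "DestinationPort": "22"}
BAD_HEADER = dict(GOOD_HEADER, Source="192.0.2.44/24", DestinationPort="1994:1990")
```

Because every property is typed String, an unquoted YAML port such as DestinationPort: 22 arrives as an integer and is reported by the length check rather than passing silently.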