AWS CloudFormation
User Guide (Version )

AWS::EC2::SecurityGroupEgress

[EC2-VPC only] Adds the specified egress rules to a security group for use with a VPC.

An outbound rule permits instances to send traffic to the specified destination IPv4 or IPv6 CIDR address ranges, or to the specified destination security groups for the same VPC.

You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.

Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.

For more information about VPC security group limits, see Amazon VPC Limits.

Use AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress only when necessary, typically to allow security groups to reference each other in ingress and egress rules. Otherwise, use the embedded ingress and egress rules of the security group. For more information, see Amazon EC2 Security Groups.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::EC2::SecurityGroupEgress", "Properties" : { "CidrIp" : String, "CidrIpv6" : String, "Description" : String, "DestinationPrefixListId" : String, "DestinationSecurityGroupId" : String, "FromPort" : Integer, "GroupId" : String, "IpProtocol" : String, "ToPort" : Integer } }

YAML

Type: AWS::EC2::SecurityGroupEgress Properties: CidrIp: String CidrIpv6: String Description: String DestinationPrefixListId: String DestinationSecurityGroupId: String FromPort: Integer GroupId: String IpProtocol: String ToPort: Integer

Properties

CidrIp

The IPv4 ranges.

You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).

Required: No

Type: String

Update requires: Replacement

CidrIpv6

The IPv6 ranges.

You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).

Required: No

Type: String

Update requires: Replacement

Description

The description of an egress (outbound) security group rule.

Required: No

Type: String

Update requires: No interruption

DestinationPrefixListId

[EC2-VPC only] The prefix list IDs for an AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.

You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).

Required: No

Type: String

Update requires: Replacement

DestinationSecurityGroupId

The ID of the security group.

You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).

Required: No

Type: String

Update requires: Replacement

FromPort

The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: Replacement

GroupId

The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.

Required: Yes

Type: String

Update requires: Replacement

IpProtocol

The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers).

[VPC only] Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.

Required: Yes

Type: String

Update requires: Replacement

ToPort

The end of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all codes.

Required: No

Type: Integer

Update requires: Replacement

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the name of the security egress rule.

For more information about using the Ref function, see Ref.

Examples

VPC Security Groups Example

In some cases, you might have an originating (source) security group to which you want to add an outbound rule that allows traffic to a destination (target) security group. The target security group also needs an inbound rule that allows traffic from the source security group. Note that you cannot use the Ref function to specify the outbound and inbound rules for each security group. Doing so creates a circular dependency; you cannot have two resources that depend on each other. Instead, use the egress and ingress resources to declare these outbound and inbound rules, as shown in the following template example.

JSON

"SourceSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId" : "vpc-1a2b3c4d", "GroupDescription": "Sample source security group" } }, "TargetSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId" : "vpc-1a2b3c4d", "GroupDescription": "Sample target security group" } }, "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties":{ "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] } } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties":{ "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] } } }

YAML

SourceSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: vpc-1a2b3c4d GroupDescription: Sample source security group TargetSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: vpc-1a2b3c4d GroupDescription: Sample target security group OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 DestinationSecurityGroupId: Fn::GetAtt: - TargetSG - GroupId GroupId: Fn::GetAtt: - SourceSG - GroupId InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 SourceSecurityGroupId: Fn::GetAtt: - SourceSG - GroupId GroupId: Fn::GetAtt: - TargetSG - GroupId