AWS::NetworkFirewall::RuleGroup - AWS CloudFormation


Use the AWS::NetworkFirewall::RuleGroup to define a reusable collection of stateless or stateful network traffic filtering rules. You use rule groups in an AWS::NetworkFirewall::FirewallPolicy to specify the filtering behavior of an AWS::NetworkFirewall::Firewall.


To declare this entity in your AWS CloudFormation template, use the following syntax:


{ "Type" : "AWS::NetworkFirewall::RuleGroup", "Properties" : { "Capacity" : Integer, "Description" : String, "RuleGroup" : RuleGroup, "RuleGroupName" : String, "Tags" : [ Tag, ... ], "Type" : String } }


Type: AWS::NetworkFirewall::RuleGroup Properties: Capacity: Integer Description: String RuleGroup: RuleGroup RuleGroupName: String Tags: - Tag Type: String



The maximum operating resources that this rule group can use. You can't change a rule group's capacity setting after you create the rule group. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.

Required: Yes

Type: Integer

Update requires: Replacement


A description of the rule group.

Required: No

Type: String

Maximum: 512

Pattern: ^.*$

Update requires: No interruption


An object that defines the rule group rules.

Required: No

Type: RuleGroup

Update requires: No interruption


The descriptive name of the rule group. You can't change the name of a rule group after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: ^[a-zA-Z0-9-]+$

Update requires: Replacement


An array of key-value pairs to apply to this resource.

For more information, see Tag.

Required: No

Type: List of Tag

Maximum: 200

Update requires: No interruption


Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.

Required: Yes

Type: String

Allowed values: STATEFUL | STATELESS

Update requires: Replacement

Return values


When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the Amazon Resource Name (ARN) of the rule group. For example:

{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:stateful-rulegroup/myStatefulRuleGroupName" }

For more information about using the Reffunction, see Ref.


The Fn::GetAttintrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAttintrinsic function, see Fn::GetAtt.


The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::RuleGroup.


The unique ID of the AWS::NetworkFirewall::RuleGroup resource.


Create a stateful rule group

The following shows example stateful rule group specifications.


"SampleStatefulRulegroup": { "Type": "AWS::NetworkFirewall::RuleGroup", "Properties": { "RuleGroupName": "SampleStatefulRulegroupName", "Type": "STATEFUL", "RuleGroup": { "RulesSource": { "RulesString": "pass tcp 45400:45500 <> 5203 (msg:\"test\";sid:1;rev:1;)" } }, "Capacity": 100, "Description": "Rulegroup description goes here", "Tags": [ { "Key": "Foo", "Value": "Bar" } ] } }


SampleStatefulRulegroup: Type: 'AWS::NetworkFirewall::RuleGroup' Properties: RuleGroupName: SampleStatefulRulegroupName Type: STATEFUL RuleGroup: RulesSource: RulesString: >- pass tcp 45400:45500 <> 5203 (msg:"test";sid:1;rev:1;) Capacity: 100 Description: Rulegroup description goes here Tags: - Key: Foo Value: Bar

Create a stateless rule group

The following shows example stateless rule group specifications.


"SampleStatelessRulegroup": { "Type": "AWS::NetworkFirewall::RuleGroup", "Properties": { "RuleGroupName": "SampleStatelessRulegroupName", "Type": "STATELESS", "RuleGroup": { "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [ { "RuleDefinition": { "MatchAttributes": { "Sources": [ { "AddressDefinition": "" } ], "Destinations": [ { "AddressDefinition": "" } ], "SourcePorts": [ { "FromPort": 15000 }, { "ToPort": 30000 } ], "DestinationPorts": [ { "FromPort": 443 }, { "ToPort": 443 } ], "Protocols": [ 6 ] }, "Actions": [ "aws:pass" ] }, "Priority": 1 } ] } } }, "Capacity": 100, "Description": "Rulegroup description goes here", "Tags": [ { "Key": "Foo", "Value": "Bar" } ] } }


SampleStatelessRulegroup: Type: 'AWS::NetworkFirewall::RuleGroup' Properties: RuleGroupName: SampleStatelessRulegroupName Type: STATELESS RuleGroup: RulesSource: StatelessRulesAndCustomActions: StatelessRules: - RuleDefinition: MatchAttributes: Sources: - AddressDefinition: Destinations: - AddressDefinition: SourcePorts: - FromPort: 15000 ToPort: 30000 DestinationPorts: - FromPort: 443 ToPort: 443 Protocols: - 6 Actions: - 'aws:pass' Priority: 1 Capacity: 100 Description: Rulegroup description goes here Tags: - Key: Foo Value: Bar