AWS::NetworkFirewall::RuleGroup - AWS CloudFormation

AWS::NetworkFirewall::RuleGroup

Use the AWS::NetworkFirewall::RuleGroup to define a reusable collection of stateless or stateful network traffic filtering rules. You use rule groups in an AWS::NetworkFirewall::FirewallPolicy to specify the filtering behavior of an AWS::NetworkFirewall::Firewall.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::NetworkFirewall::RuleGroup",
  "Properties" : {
    "Capacity" : Integer,
    "Description" : String,
    "RuleGroup" : RuleGroup,
    "RuleGroupName" : String,
    "Tags" : [ Tag, ... ],
    "Type" : String
  }
}

YAML

Type: AWS::NetworkFirewall::RuleGroup
Properties:
  Capacity: Integer
  Description: String
  RuleGroup: RuleGroup
  RuleGroupName: String
  Tags:
    - Tag
  Type: String

Properties

Capacity

The maximum operating resources that this rule group can use. You can't change a rule group's capacity setting after you create the rule group, so size it with headroom: when you update a rule group, you are limited to this capacity, and an update whose rules need more than the declared capacity fails. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.

Required: Yes

Type: Integer

Update requires: Replacement

Description

A description of the rule group.

Required: No

Type: String

Maximum: 512

Pattern: ^.*$

Update requires: No interruption

RuleGroup

An object that defines the rule group rules.

Note

You must provide either this rule group setting or a Rules setting, but not both.

Required: No

Type: RuleGroup

Update requires: No interruption

RuleGroupName

The descriptive name of the rule group. You can't change the name of a rule group after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: ^[a-zA-Z0-9-]+$

Update requires: Replacement

Tags

An array of key-value pairs to apply to this resource.

For more information, see Tag.

Required: No

Type: List of Tag

Maximum: 200

Update requires: No interruption

Type

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.

Required: Yes

Type: String

Allowed values: STATEFUL | STATELESS

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the rule group. For example, { "Ref": "SampleStatefulRulegroup" } (the logical ID used in the examples below) resolves to a value such as:

arn:aws:network-firewall:us-east-1:012345678901:stateful-rulegroup/myStatefulRuleGroupName

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

RuleGroupArn

The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::RuleGroup.

RuleGroupId

The unique ID of the AWS::NetworkFirewall::RuleGroup resource.

Examples

Create a stateful rule group

The following shows an example stateful rule group that carries a single Suricata-compatible rule in RulesString. The rule passes TCP traffic between 10.20.20.0/24 on ports 45400 through 45500 and 10.10.10.0/24 on port 5203 in either direction (the <> operator is bidirectional).

JSON

"SampleStatefulRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatefulRulegroupName",
    "Type": "STATEFUL",
    "RuleGroup": {
      "RulesSource": {
        "RulesString": "pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:\"test\";sid:1;rev:1;)"
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}

YAML

SampleStatefulRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatefulRulegroupName
    Type: STATEFUL
    RuleGroup:
      RulesSource:
        RulesString: >-
          pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:"test";sid:1;rev:1;)
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar

Create a stateless rule group

The following shows an example stateless rule group with a single rule that passes TCP packets from any source with a source port in 15000 through 30000 to 10.0.0.0/8 on port 443. Note that aws:pass in a stateless rule delivers the packet without stateful inspection; to hand matching traffic to the stateful rule engine instead, use the aws:forward_to_sfe action. Each port entry is one object that carries both FromPort and ToPort.

JSON

"SampleStatelessRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatelessRulegroupName",
    "Type": "STATELESS",
    "RuleGroup": {
      "RulesSource": {
        "StatelessRulesAndCustomActions": {
          "StatelessRules": [
            {
              "RuleDefinition": {
                "MatchAttributes": {
                  "Sources": [
                    {
                      "AddressDefinition": "0.0.0.0/0"
                    }
                  ],
                  "Destinations": [
                    {
                      "AddressDefinition": "10.0.0.0/8"
                    }
                  ],
                  "SourcePorts": [
                    {
                      "FromPort": 15000,
                      "ToPort": 30000
                    }
                  ],
                  "DestinationPorts": [
                    {
                      "FromPort": 443,
                      "ToPort": 443
                    }
                  ],
                  "Protocols": [
                    6
                  ]
                },
                "Actions": [
                  "aws:pass"
                ]
              },
              "Priority": 1
            }
          ]
        }
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}

YAML

SampleStatelessRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatelessRulegroupName
    Type: STATELESS
    RuleGroup:
      RulesSource:
        StatelessRulesAndCustomActions:
          StatelessRules:
            - RuleDefinition:
                MatchAttributes:
                  Sources:
                    - AddressDefinition: 0.0.0.0/0
                  Destinations:
                    - AddressDefinition: 10.0.0.0/8
                  SourcePorts:
                    - FromPort: 15000
                      ToPort: 30000
                  DestinationPorts:
                    - FromPort: 443
                      ToPort: 443
                  Protocols:
                    - 6
                Actions:
                  - 'aws:pass'
              Priority: 1
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar
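Because Capacity is fixed at creation and an update whose rules outgrow it fails, it pays to compute the capacity a definition needs before deploying it. The following pre-deployment check is an added example written for this page, not AWS code. It applies the capacity rules as described in the Network Firewall developer guide, which is an assumption to verify against that guide for your rule types: a stateless rule costs the product of the number of settings in each match criterion (Sources, Destinations, SourcePorts, DestinationPorts, Protocols, TCPFlags), with an unspecified criterion counting as 1, and a stateful Suricata-compatible RulesString costs 1 per rule line. The two sample resources embedded below are the stateful and stateless examples from this page (the stateless one with a second, constructed rule added to show a cost above 1); the check also enforces the RuleGroupName pattern and the Description length given in the Properties section.

```python
"""Pre-deployment capacity and property check for AWS::NetworkFirewall::RuleGroup.

Added example, not AWS code. The capacity arithmetic follows the Network
Firewall developer guide as the author understands it (assumption: verify
against the guide for domain lists and TCP-flag rules).
"""
from __future__ import annotations

import copy
import re

# Match criteria whose setting counts multiply together for a stateless rule.
STATELESS_CRITERIA = ("Sources", "Destinations", "SourcePorts",
                      "DestinationPorts", "Protocols", "TCPFlags")
NAME_RE = re.compile(r"^[a-zA-Z0-9-]+$")   # RuleGroupName pattern from the page


def stateless_rule_capacity(rule: dict) -> int:
    """Product of the number of settings per criterion; empty criterion = 1."""
    attrs = rule["RuleDefinition"]["MatchAttributes"]
    cost = 1
    for key in STATELESS_CRITERIA:
        cost *= max(len(attrs.get(key) or []), 1)
    return cost


def stateful_rule_capacity(rules_source: dict) -> int:
    """One unit per Suricata rule line, 5-tuple rule, or domain-list target."""
    if "RulesString" in rules_source:
        return sum(1 for line in rules_source["RulesString"].splitlines()
                   if line.strip() and not line.lstrip().startswith("#"))
    if "StatefulRules" in rules_source:
        return len(rules_source["StatefulRules"])
    if "RulesSourceList" in rules_source:
        return len(rules_source["RulesSourceList"]["Targets"])
    raise ValueError("unrecognized stateful RulesSource")


def required_capacity(resource: dict) -> int:
    """Capacity the rules in a RuleGroup resource need, by rule group Type."""
    props = resource["Properties"]
    rules_source = props["RuleGroup"]["RulesSource"]
    if props["Type"] == "STATELESS":
        rules = rules_source["StatelessRulesAndCustomActions"]["StatelessRules"]
        return sum(stateless_rule_capacity(r) for r in rules)
    return stateful_rule_capacity(rules_source)


def check_rule_group(resource: dict) -> list[str]:
    """Return the list of problems found; an empty list means the definition passes."""
    props = resource["Properties"]
    problems: list[str] = []
    name = props.get("RuleGroupName", "")
    if not (1 <= len(name) <= 128 and NAME_RE.match(name)):
        problems.append(f"RuleGroupName {name!r} violates ^[a-zA-Z0-9-]+$ or length 1..128")
    if len(props.get("Description", "")) > 512:
        problems.append("Description exceeds 512 characters")
    need, have = required_capacity(resource), props["Capacity"]
    if need > have:
        problems.append(f"rules need {need} capacity but Capacity is {have}")
    return problems


def override(resource: dict, **props) -> dict:
    """Deep copy of a resource with some Properties replaced (for what-if checks)."""
    out = copy.deepcopy(resource)
    out["Properties"].update(props)
    return out


# Sample input: the page's stateful example.
SAMPLE_STATEFUL = {
    "Type": "AWS::NetworkFirewall::RuleGroup",
    "Properties": {
        "RuleGroupName": "SampleStatefulRulegroupName", "Type": "STATEFUL",
        "RuleGroup": {"RulesSource": {"RulesString":
            'pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:"test";sid:1;rev:1;)'}},
        "Capacity": 100, "Description": "Rulegroup description goes here",
    },
}

# Sample input: the page's stateless rule (cost 1) plus a constructed second
# rule with 2 sources x 3 destinations x 2 protocols = 12, so 13 in total.
SAMPLE_STATELESS = {
    "Type": "AWS::NetworkFirewall::RuleGroup",
    "Properties": {
        "RuleGroupName": "SampleStatelessRulegroupName", "Type": "STATELESS",
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
            {"RuleDefinition": {"MatchAttributes": {
                "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                "Destinations": [{"AddressDefinition": "10.0.0.0/8"}],
                "SourcePorts": [{"FromPort": 15000, "ToPort": 30000}],
                "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
                "Protocols": [6]}, "Actions": ["aws:pass"]}, "Priority": 1},
            {"RuleDefinition": {"MatchAttributes": {
                "Sources": [{"AddressDefinition": "192.0.2.0/24"}, {"AddressDefinition": "198.51.100.0/24"}],
                "Destinations": [{"AddressDefinition": "10.1.0.0/16"}, {"AddressDefinition": "10.2.0.0/16"},
                                 {"AddressDefinition": "10.3.0.0/16"}],
                "Protocols": [6, 17]}, "Actions": ["aws:drop"]}, "Priority": 2},
        ]}}},
        "Capacity": 100, "Description": "Rulegroup description goes here",
    },
}

if __name__ == "__main__":
    for res in (SAMPLE_STATEFUL, SAMPLE_STATELESS, override(SAMPLE_STATELESS, Capacity=5)):
        print(res["Properties"]["RuleGroupName"], required_capacity(res), check_rule_group(res) or "ok")
```

Run it over the template's RuleGroup resources (for example after loading the template with a YAML or JSON parser) as a CI step; a non-empty problem list for a resource that is about to be replaced is the moment to raise Capacity, since the value cannot be raised in place afterwards.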