AWS::NetworkFirewall::RuleGroup - AWS CloudFormation

AWS::NetworkFirewall::RuleGroup

Use the AWS::NetworkFirewall::RuleGroup to define a reusable collection of stateless or stateful network traffic filtering rules. You use rule groups in an AWS::NetworkFirewall::FirewallPolicy to specify the filtering behavior of an AWS::NetworkFirewall::Firewall.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::NetworkFirewall::RuleGroup",
  "Properties" : {
    "Capacity" : Integer,
    "Description" : String,
    "RuleGroup" : RuleGroup,
    "RuleGroupName" : String,
    "Tags" : [ Tag, ... ],
    "Type" : String
  }
}

YAML

Type: AWS::NetworkFirewall::RuleGroup
Properties:
  Capacity: Integer
  Description: String
  RuleGroup: RuleGroup
  RuleGroupName: String
  Tags:
    - Tag
  Type: String

Properties

Capacity

The maximum operating resources that this rule group can use. You can't change a rule group's capacity setting after you create the rule group. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.

Required: Yes

Type: Integer

Update requires: Replacement

Description

A description of the rule group.

Required: No

Type: String

Maximum: 512

Pattern: ^.*$

Update requires: No interruption

RuleGroup

An object that defines the rule group rules.

Required: No

Type: RuleGroup

Update requires: No interruption

RuleGroupName

The descriptive name of the rule group. You can't change the name of a rule group after you create it.

Required: Yes

Type: String

Minimum: 1

Maximum: 128

Pattern: ^[a-zA-Z0-9-]+$

Update requires: Replacement

Tags

An array of key-value pairs to apply to this resource.

For more information, see Tag.

Required: No

Type: List of Tag

Maximum: 200

Update requires: No interruption

Type

Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.

Required: Yes

Type: String

Allowed values: STATEFUL | STATELESS

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the rule group. For example:

{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:stateful-rulegroup/myStatefulRuleGroupName" }

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

RuleGroupArn

The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::RuleGroup.

RuleGroupId

The unique ID of the AWS::NetworkFirewall::RuleGroup resource.

Examples

Create a stateful rule group

The following shows example stateful rule group specifications.

JSON

"SampleStatefulRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatefulRulegroupName",
    "Type": "STATEFUL",
    "RuleGroup": {
      "RulesSource": {
        "RulesString": "pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:\"test\";sid:1;rev:1;)"
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}

YAML

SampleStatefulRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatefulRulegroupName
    Type: STATEFUL
    RuleGroup:
      RulesSource:
        RulesString: >-
          pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:"test";sid:1;rev:1;)
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar

Create a stateless rule group

The following shows example stateless rule group specifications.

JSON

"SampleStatelessRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatelessRulegroupName",
    "Type": "STATELESS",
    "RuleGroup": {
      "RulesSource": {
        "StatelessRulesAndCustomActions": {
          "StatelessRules": [
            {
              "RuleDefinition": {
                "MatchAttributes": {
                  "Sources": [
                    { "AddressDefinition": "0.0.0.0/0" }
                  ],
                  "Destinations": [
                    { "AddressDefinition": "10.0.0.0/8" }
                  ],
                  "SourcePorts": [
                    { "FromPort": 15000, "ToPort": 30000 }
                  ],
                  "DestinationPorts": [
                    { "FromPort": 443, "ToPort": 443 }
                  ],
                  "Protocols": [ 6 ]
                },
                "Actions": [ "aws:pass" ]
              },
              "Priority": 1
            }
          ]
        }
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}

YAML

SampleStatelessRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatelessRulegroupName
    Type: STATELESS
    RuleGroup:
      RulesSource:
        StatelessRulesAndCustomActions:
          StatelessRules:
            - RuleDefinition:
                MatchAttributes:
                  Sources:
                    - AddressDefinition: 0.0.0.0/0
                  Destinations:
                    - AddressDefinition: 10.0.0.0/8
                  SourcePorts:
                    - FromPort: 15000
                      ToPort: 30000
                  DestinationPorts:
                    - FromPort: 443
                      ToPort: 443
                  Protocols:
                    - 6
                Actions:
                  - 'aws:pass'
              Priority: 1
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar
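As an added example (not part of the AWS documentation or any AWS tool), the following Python lint checks a parsed AWS::NetworkFirewall::RuleGroup resource against the property constraints listed above (required keys, RuleGroupName pattern and length, Description length, Type values, Tags count), verifies that the RulesSource matches the declared Type, flags a stateless port range that is missing FromPort or ToPort (as in the stateless example, where a range split into two objects is easy to write by mistake), and reports any aws:pass rule whose source is 0.0.0.0/0 so it gets reviewed. The function name validate_rule_group and the SAMPLE template are constructed for this example.

```python
import re

# Constraints transcribed from the RuleGroup property reference above.
NAME_RE = re.compile(r"^[a-zA-Z0-9-]+$")
ALLOWED_TYPES = {"STATEFUL", "STATELESS"}

def validate_rule_group(resource: dict) -> list:
    """Return a list of findings (empty when the resource passes every check)."""
    findings = []
    if resource.get("Type") != "AWS::NetworkFirewall::RuleGroup":
        return ["not a RuleGroup resource"]
    p = resource.get("Properties", {})
    for key in ("Capacity", "RuleGroupName", "Type"):  # Required: Yes
        if key not in p:
            findings.append(f"missing required property {key}")
    name = p.get("RuleGroupName", "")
    if not (1 <= len(name) <= 128 and NAME_RE.match(name)):
        findings.append("RuleGroupName must be 1-128 characters of [a-zA-Z0-9-]")
    if len(p.get("Description", "")) > 512:
        findings.append("Description exceeds 512 characters")
    if p.get("Type") not in ALLOWED_TYPES:
        findings.append("Type must be STATEFUL or STATELESS")
    if len(p.get("Tags", [])) > 200:
        findings.append("more than 200 Tags")
    src = p.get("RuleGroup", {}).get("RulesSource", {})
    stateless = src.get("StatelessRulesAndCustomActions")
    if p.get("Type") == "STATELESS" and stateless is None:
        findings.append("STATELESS rule group without StatelessRulesAndCustomActions")
    if p.get("Type") == "STATEFUL" and stateless is not None:
        findings.append("STATEFUL rule group carries stateless rules")
    for rule in (stateless or {}).get("StatelessRules", []):
        rd = rule.get("RuleDefinition", {})
        ma = rd.get("MatchAttributes", {})
        for field in ("SourcePorts", "DestinationPorts"):
            for pr in ma.get(field, []):  # each entry must be a complete range
                if "FromPort" not in pr or "ToPort" not in pr:
                    findings.append(f"{field} range needs both FromPort and ToPort: {pr}")
                elif pr["FromPort"] > pr["ToPort"]:
                    findings.append(f"{field} has FromPort greater than ToPort: {pr}")
        # Review item: an any-source rule that passes traffic deserves a second look.
        if "aws:pass" in rd.get("Actions", []) and any(
                s.get("AddressDefinition") == "0.0.0.0/0" for s in ma.get("Sources", [])):
            findings.append(f"priority {rule.get('Priority')} passes traffic from 0.0.0.0/0")
    return findings

# Constructed sample: the stateless example with its SourcePorts range split in two.
SAMPLE = {"Type": "AWS::NetworkFirewall::RuleGroup", "Properties": {
    "RuleGroupName": "SampleStatelessRulegroupName", "Type": "STATELESS", "Capacity": 100,
    "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [
        {"Priority": 1, "RuleDefinition": {"Actions": ["aws:pass"], "MatchAttributes": {
            "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
            "SourcePorts": [{"FromPort": 15000}, {"ToPort": 30000}],
            "DestinationPorts": [{"FromPort": 443, "ToPort": 443}], "Protocols": [6]}}}]}}}}}
```

Run it over the Resources map of a template parsed with json.load or a YAML loader; the sample yields two port-range findings and one review item.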