AWS::NetworkFirewall::RuleGroup
Use the AWS::NetworkFirewall::RuleGroup to define a reusable collection of stateless or stateful network traffic filtering rules. You use rule groups in an AWS::NetworkFirewall::FirewallPolicy to specify the filtering behavior of an AWS::NetworkFirewall::Firewall.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::NetworkFirewall::RuleGroup", "Properties" : { "Capacity" :Integer, "Description" :String, "RuleGroup" :RuleGroup, "RuleGroupName" :String, "Tags" :[ Tag, ... ], "Type" :String} }
YAML
Type: AWS::NetworkFirewall::RuleGroup Properties: Capacity:IntegerDescription:StringRuleGroup:RuleGroupRuleGroupName:StringTags:- TagType:String
Properties
Capacity-
The maximum operating resources that this rule group can use. You can't change a rule group's capacity setting after you create the rule group. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
Required: Yes
Type: Integer
Update requires: Replacement
Description-
A description of the rule group.
Required: No
Type: String
Pattern:
^.*$Minimum:
1Maximum:
512Update requires: No interruption
RuleGroup-
An object that defines the rule group rules.
Required: No
Type: RuleGroup
Update requires: No interruption
RuleGroupName-
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
Required: Yes
Type: String
Pattern:
^[a-zA-Z0-9-]+$Minimum:
1Maximum:
128Update requires: Replacement
-
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: Array of Tag
Minimum:
1Maximum:
200Update requires: No interruption
Type-
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
Required: Yes
Type: String
Allowed values:
STATELESS | STATEFULUpdate requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the rule group. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:stateful-rulegroup/myStatefulRuleGroupName" }
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
RuleGroupArn-
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::RuleGroup.
RuleGroupId-
The unique ID of the AWS::NetworkFirewall::RuleGroup resource.
Examples
Create a stateful rule group
The following shows example stateful rule group specifications.
JSON
"SampleStatefulRulegroup": { "Type": "AWS::NetworkFirewall::RuleGroup", "Properties": { "RuleGroupName": "SampleStatefulRulegroupName", "Type": "STATEFUL", "RuleGroup": { "RulesSource": { "RulesString": "pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:\"test\";sid:1;rev:1;)" } }, "Capacity": 100, "Description": "Rulegroup description goes here", "Tags": [ { "Key": "Foo", "Value": "Bar" } ] } }
YAML
SampleStatefulRulegroup: Type: 'AWS::NetworkFirewall::RuleGroup' Properties: RuleGroupName: SampleStatefulRulegroupName Type: STATEFUL RuleGroup: RulesSource: RulesString: >- pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:"test";sid:1;rev:1;) Capacity: 100 Description: Rulegroup description goes here Tags: - Key: Foo Value: Bar
Create a stateless rule group
The following shows example stateless rule group specifications.
JSON
"SampleStatelessRulegroup": { "Type": "AWS::NetworkFirewall::RuleGroup", "Properties": { "RuleGroupName": "SampleStatelessRulegroupName", "Type": "STATELESS", "RuleGroup": { "RulesSource": { "StatelessRulesAndCustomActions": { "StatelessRules": [ { "RuleDefinition": { "MatchAttributes": { "Sources": [ { "AddressDefinition": "0.0.0.0/0" } ], "Destinations": [ { "AddressDefinition": "10.0.0.0/8" } ], "SourcePorts": [ { "FromPort": 15000 }, { "ToPort": 30000 } ], "DestinationPorts": [ { "FromPort": 443 }, { "ToPort": 443 } ], "Protocols": [ 6 ] }, "Actions": [ "aws:pass" ] }, "Priority": 1 } ] } } }, "Capacity": 100, "Description": "Rulegroup description goes here", "Tags": [ { "Key": "Foo", "Value": "Bar" } ] } }
YAML
SampleStatelessRulegroup: Type: 'AWS::NetworkFirewall::RuleGroup' Properties: RuleGroupName: SampleStatelessRulegroupName Type: STATELESS RuleGroup: RulesSource: StatelessRulesAndCustomActions: StatelessRules: - RuleDefinition: MatchAttributes: Sources: - AddressDefinition: 0.0.0.0/0 Destinations: - AddressDefinition: 10.0.0.0/8 SourcePorts: - FromPort: 15000 ToPort: 30000 DestinationPorts: - FromPort: 443 ToPort: 443 Protocols: - 6 Actions: - 'aws:pass' Priority: 1 Capacity: 100 Description: Rulegroup description goes here Tags: - Key: Foo Value: Bar
