interface FirewallRuleProperty
Language | Type name |
---|---|
.NET | Amazon.CDK.AWS.Route53Resolver.CfnFirewallRuleGroup.FirewallRuleProperty |
Java | software.amazon.awscdk.services.route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty |
Python | aws_cdk.aws_route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty |
TypeScript | @aws-cdk/aws-route53resolver » CfnFirewallRuleGroup » FirewallRuleProperty |
A single firewall rule in a rule group.
Example
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import * as route53resolver from '@aws-cdk/aws-route53resolver';
const firewallRuleProperty: route53resolver.CfnFirewallRuleGroup.FirewallRuleProperty = {
action: 'action',
firewallDomainListId: 'firewallDomainListId',
priority: 123,
// the properties below are optional
blockOverrideDnsType: 'blockOverrideDnsType',
blockOverrideDomain: 'blockOverrideDomain',
blockOverrideTtl: 123,
blockResponse: 'blockResponse',
};
Properties
Name | Type | Description |
---|---|---|
action | string | The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list: ALLOW, ALERT, or BLOCK. |
firewallDomainListId | string | The ID of the domain list that's used in the rule. |
priority | number | The priority of the rule in the rule group. |
blockOverrideDnsType? | string | The DNS record's type. |
blockOverrideDomain? | string | The custom DNS record to send back in response to the query. |
blockOverrideTtl? | number | The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record. |
blockResponse? | string | The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK. |
action
Type:
string
The action that DNS Firewall should take on a DNS query when it matches one of the domains in the rule's domain list:
- ALLOW - Permit the request to go through.
- ALERT - Permit the request to go through but send an alert to the logs.
- BLOCK - Disallow the request. If this is specified, then BlockResponse must also be specified.
If BlockResponse is OVERRIDE, then all of the following OVERRIDE attributes must be specified:
- BlockOverrideDnsType
- BlockOverrideDomain
- BlockOverrideTtl
firewallDomainListId
Type:
string
The ID of the domain list that's used in the rule.
priority
Type:
number
The priority of the rule in the rule group.
This value must be unique within the rule group. DNS Firewall processes the rules in a rule group by order of priority, starting from the lowest setting.
blockOverrideDnsType?
Type:
string
(optional)
The DNS record's type.
This determines the format of the record value that you provided in BlockOverrideDomain. Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
blockOverrideDomain?
Type:
string
(optional)
The custom DNS record to send back in response to the query.
Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
blockOverrideTtl?
Type:
number
(optional)
The recommended amount of time, in seconds, for the DNS resolver or web browser to cache the provided override record.
Used for the rule action BLOCK with a BlockResponse setting of OVERRIDE.
blockResponse?
Type:
string
(optional)
The way that you want DNS Firewall to block the request. Used for the rule action setting BLOCK.
- NODATA - Respond indicating that the query was successful, but no response is available for it.
- NXDOMAIN - Respond indicating that the domain name that's in the query doesn't exist.
- OVERRIDE - Provide a custom override in the response. This option requires custom handling details in the rule's BlockOverride* settings.
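As an added example (not part of the CDK reference or the CDK library), the following TypeScript checks a rule set against the constraints documented above before it is passed to CfnFirewallRuleGroup: BLOCK requires blockResponse, OVERRIDE requires all three BlockOverride* attributes, and priority must be unique within the group. It declares a local mirror of the property shape so it runs without the CDK installed; the domain list IDs and sinkhole domain are constructed placeholders.

```typescript
// Added example, not CDK code: local mirror of the documented FirewallRuleProperty shape.
interface FirewallRule {
  action: 'ALLOW' | 'ALERT' | 'BLOCK';
  firewallDomainListId: string;
  priority: number;
  blockResponse?: 'NODATA' | 'NXDOMAIN' | 'OVERRIDE';
  blockOverrideDnsType?: string;
  blockOverrideDomain?: string;
  blockOverrideTtl?: number;
}

// Returns human-readable problems; an empty list means the rule set is consistent.
function validateFirewallRules(rules: FirewallRule[]): string[] {
  const problems: string[] = [];
  const seen = new Map<number, number>(); // priority -> index of first rule using it
  rules.forEach((r, i) => {
    // priority must be unique within the rule group (DNS Firewall evaluates lowest first)
    if (seen.has(r.priority)) {
      problems.push(`rule ${i}: priority ${r.priority} already used by rule ${seen.get(r.priority)}`);
    } else {
      seen.set(r.priority, i);
    }
    if (r.action !== 'BLOCK') return;
    // BLOCK requires blockResponse ...
    if (!r.blockResponse) {
      problems.push(`rule ${i}: action BLOCK requires blockResponse`);
    } else if (r.blockResponse === 'OVERRIDE' &&
      (!r.blockOverrideDnsType || !r.blockOverrideDomain || r.blockOverrideTtl === undefined)) {
      // ... and OVERRIDE additionally requires all three BlockOverride* attributes
      problems.push(`rule ${i}: OVERRIDE requires blockOverrideDnsType, blockOverrideDomain and blockOverrideTtl`);
    }
  });
  return problems;
}

// Constructed sample rules; the domain list IDs are placeholders, not real resources.
const sampleRules: FirewallRule[] = [
  { action: 'ALLOW', firewallDomainListId: 'rslvr-fdl-allowlist-PLACEHOLDER', priority: 100 },
  { action: 'BLOCK', firewallDomainListId: 'rslvr-fdl-malware-PLACEHOLDER', priority: 200,
    blockResponse: 'OVERRIDE', blockOverrideDnsType: 'CNAME',
    blockOverrideDomain: 'sinkhole.example.com', blockOverrideTtl: 60 },
  { action: 'ALERT', firewallDomainListId: 'rslvr-fdl-watchlist-PLACEHOLDER', priority: 300 },
];
// Constructed rules that violate the documented constraints (missing blockResponse, duplicate priority, bare OVERRIDE).
const brokenRules: FirewallRule[] = [
  { action: 'BLOCK', firewallDomainListId: 'rslvr-fdl-malware-PLACEHOLDER', priority: 200 },
  { action: 'BLOCK', firewallDomainListId: 'rslvr-fdl-other-PLACEHOLDER', priority: 200, blockResponse: 'OVERRIDE' },
];
```

Running the checker in a unit test or a CDK aspect catches these mistakes before CloudFormation rejects the stack at deploy time.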