AWS::EC2::SecurityGroup Egress
Adds the specified outbound (egress) rule to a security group.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules.
You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{ "CidrIp" :
String
, "CidrIpv6" :String
, "Description" :String
, "DestinationPrefixListId" :String
, "DestinationSecurityGroupId" :String
, "FromPort" :Integer
, "IpProtocol" :String
, "ToPort" :Integer
}
YAML
CidrIp:
String
CidrIpv6:String
Description:String
DestinationPrefixListId:String
DestinationSecurityGroupId:String
FromPort:Integer
IpProtocol:String
ToPort:Integer
Properties
CidrIp
-
The IPv4 address range, in CIDR format.
You must specify exactly one of the following:
CidrIp
,CidrIpv6
,DestinationPrefixListId
, orDestinationSecurityGroupId
.For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide.
Required: No
Type: String
Update requires: No interruption
CidrIpv6
-
The IPv6 address range, in CIDR format.
You must specify exactly one of the following:
CidrIp
,CidrIpv6
,DestinationPrefixListId
, orDestinationSecurityGroupId
.For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide.
Required: No
Type: String
Update requires: No interruption
Description
-
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
Required: No
Type: String
Update requires: No interruption
DestinationPrefixListId
-
The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
You must specify exactly one of the following:
CidrIp
,CidrIpv6
,DestinationPrefixListId
, orDestinationSecurityGroupId
.Required: No
Type: String
Update requires: No interruption
DestinationSecurityGroupId
-
The ID of the destination VPC security group.
You must specify exactly one of the following:
CidrIp
,CidrIpv6
,DestinationPrefixListId
, orDestinationSecurityGroupId
.Required: No
Type: String
Update requires: No interruption
FromPort
-
If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
Required: No
Type: Integer
Update requires: No interruption
IpProtocol
-
The IP protocol name (
tcp
,udp
,icmp
,icmpv6
) or number (see Protocol Numbers). Use
-1
to specify all protocols. When authorizing security group rules, specifying-1
or a protocol number other thantcp
,udp
,icmp
, oricmpv6
allows traffic on all ports, regardless of any port range you specify. Fortcp
,udp
, andicmp
, you must specify a port range. Foricmpv6
, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.Required: Yes
Type: String
Update requires: No interruption
ToPort
-
If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
Required: No
Type: Integer
Update requires: No interruption