AWS::EC2::SecurityGroupEgress
Adds the specified egress rules to a security group.
An outbound rule permits instances to send traffic to the specified destination IPv4 or IPv6 CIDR address ranges, or to the specified destination security groups for the same VPC.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
You must specify only one of the following properties: CidrIp,
CidrIpv6, DestinationPrefixListId, or
DestinationSecurityGroupId.
You must specify a destination security group (DestinationPrefixListId or
DestinationSecurityGroupId) or a CIDR range (CidrIp or
CidrIpv6). If you do not specify one of these parameters, the stack will
launch successfully but the rule will not be added to the security group.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits.
Use AWS::EC2::SecurityGroupIngress and
AWS::EC2::SecurityGroupEgress only when necessary, typically to allow
security groups to reference each other in ingress and egress rules. Otherwise, use the
embedded ingress and egress rules of the security group. For more information, see Amazon
EC2 Security Groups.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Type" : "AWS::EC2::SecurityGroupEgress", "Properties" : { "CidrIp" :String, "CidrIpv6" :String, "Description" :String, "DestinationPrefixListId" :String, "DestinationSecurityGroupId" :String, "FromPort" :Integer, "GroupId" :String, "IpProtocol" :String, "ToPort" :Integer} }
YAML
Type: AWS::EC2::SecurityGroupEgress Properties: CidrIp:StringCidrIpv6:StringDescription:StringDestinationPrefixListId:StringDestinationSecurityGroupId:StringFromPort:IntegerGroupId:StringIpProtocol:StringToPort:Integer
Properties
CidrIp-
The IPv4 address range, in CIDR format.
You must specify a destination security group (
DestinationPrefixListIdorDestinationSecurityGroupId) or a CIDR range (CidrIporCidrIpv6).For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide.
Required: No
Type: String
Update requires: Replacement
CidrIpv6-
The IPv6 address range, in CIDR format.
You must specify a destination security group (
DestinationPrefixListIdorDestinationSecurityGroupId) or a CIDR range (CidrIporCidrIpv6).For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide.
Required: No
Type: String
Update requires: Replacement
Description-
The description of an egress (outbound) security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
Required: No
Type: String
Update requires: No interruption
DestinationPrefixListId-
The prefix list IDs for an Amazon service. This is the Amazon service that you want to access through a VPC endpoint from instances associated with the security group.
You must specify a destination security group (
DestinationPrefixListIdorDestinationSecurityGroupId) or a CIDR range (CidrIporCidrIpv6).Required: No
Type: String
Update requires: Replacement
DestinationSecurityGroupId-
The ID of the security group.
You must specify a destination security group (
DestinationPrefixListIdorDestinationSecurityGroupId) or a CIDR range (CidrIporCidrIpv6).Required: No
Type: String
Update requires: Replacement
FromPort-
If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.
Required: No
Type: Integer
Update requires: Replacement
GroupId-
The ID of the security group. You must specify either the security group ID or the security group name in the request. For security groups in a nondefault VPC, you must specify the security group ID.
Required: Yes
Type: String
Update requires: Replacement
IpProtocol-
The IP protocol name (
tcp,udp,icmp,icmpv6) or number (see Protocol Numbers). Use
-1to specify all protocols. When authorizing security group rules, specifying-1or a protocol number other thantcp,udp,icmp, oricmpv6allows traffic on all ports, regardless of any port range you specify. Fortcp,udp, andicmp, you must specify a port range. Foricmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.Required: Yes
Type: String
Update requires: Replacement
ToPort-
If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.
Required: No
Type: Integer
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Reffunction, Refreturns the name of the security egress rule.
For more information about using the Reffunction, see Ref.
Examples
VPC security groups with egress and ingress rules
In some cases, you might have an originating (source) security group to which you
want to add an outbound rule that allows traffic to a destination (target) security
group. The target security group also needs an inbound rule that allows traffic from
the source security group. Note that you cannot use the Ref function to
specify the outbound and inbound rules for each security group. Doing so creates a
circular dependency; you cannot have two resources that depend on each other.
Instead, use the egress and ingress resources to declare these outbound and inbound
rules, as shown in the following template example.
JSON
"SourceSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId" : "vpc-1a2b3c4d", "GroupDescription": "Sample source security group" } }, "TargetSG": { "Type": "AWS::EC2::SecurityGroup", "Properties": { "VpcId" : "vpc-1a2b3c4d", "GroupDescription": "Sample target security group" } }, "OutboundRule": { "Type": "AWS::EC2::SecurityGroupEgress", "Properties":{ "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] } } }, "InboundRule": { "Type": "AWS::EC2::SecurityGroupIngress", "Properties":{ "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535, "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }, "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] } } }
YAML
SourceSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: vpc-1a2b3c4d GroupDescription: Sample source security group TargetSG: Type: AWS::EC2::SecurityGroup Properties: VpcId: vpc-1a2b3c4d GroupDescription: Sample target security group OutboundRule: Type: AWS::EC2::SecurityGroupEgress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 DestinationSecurityGroupId: Fn::GetAtt: - TargetSG - GroupId GroupId: Fn::GetAtt: - SourceSG - GroupId InboundRule: Type: AWS::EC2::SecurityGroupIngress Properties: IpProtocol: tcp FromPort: 0 ToPort: 65535 SourceSecurityGroupId: Fn::GetAtt: - SourceSG - GroupId GroupId: Fn::GetAtt: - TargetSG - GroupId