AWS::NetworkFirewall::RuleGroup
Use the AWS::NetworkFirewall::RuleGroup to define a reusable collection of stateless or stateful network traffic filtering rules. You use rule groups in an AWS::NetworkFirewall::FirewallPolicy to specify the filtering behavior of an AWS::NetworkFirewall::Firewall.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::NetworkFirewall::RuleGroup",
  "Properties" : {
    "Capacity" : Integer,
    "Description" : String,
    "RuleGroup" : RuleGroup,
    "RuleGroupName" : String,
    "Tags" : [ Tag, ... ],
    "Type" : String
  }
}
YAML
Type: AWS::NetworkFirewall::RuleGroup
Properties:
  Capacity: Integer
  Description: String
  RuleGroup: RuleGroup
  RuleGroupName: String
  Tags:
    - Tag
  Type: String
Properties
Capacity
The maximum operating resources that this rule group can use. You can't change a rule group's capacity setting after you create the rule group. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
Required: Yes
Type: Integer
Update requires: Replacement
Description
A description of the rule group.
Required: No
Type: String
Maximum: 512
Pattern: ^.*$
Update requires: No interruption
RuleGroup
An object that defines the rule group rules.
Required: No
Type: RuleGroup
Update requires: No interruption
RuleGroupName
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
Required: Yes
Type: String
Minimum: 1
Maximum: 128
Pattern: ^[a-zA-Z0-9-]+$
Update requires: Replacement
Tags
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: List of Tag
Maximum: 200
Update requires: No interruption
Type
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
Required: Yes
Type: String
Allowed values: STATEFUL | STATELESS
Update requires: Replacement
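As an added example (not code from the CloudFormation documentation), the following Python check applies the property constraints listed above to a rule group resource given as a dict, and also checks that the RulesSource agrees with the declared Type (a STATELESS group carries StatelessRulesAndCustomActions, a STATEFUL group must not). It assumes, as the YAML samples on this page show, that each port range object carries both FromPort and ToPort; the sample resources are constructed for the demo.

```python
import re

NAME_RE = re.compile(r"^[a-zA-Z0-9-]+$")  # RuleGroupName pattern from the property table

def check_rule_group(resource):
    """Return the constraint violations in one AWS::NetworkFirewall::RuleGroup resource."""
    props = resource.get("Properties", {})
    problems = [f"missing required property {k}"
                for k in ("Capacity", "RuleGroupName", "Type") if k not in props]
    cap = props.get("Capacity")
    if cap is not None and (isinstance(cap, bool) or not isinstance(cap, int)):
        problems.append("Capacity must be an Integer")
    name = props.get("RuleGroupName")
    if name is not None and not (isinstance(name, str) and 1 <= len(name) <= 128
                                 and NAME_RE.match(name)):
        problems.append("RuleGroupName must be 1-128 characters matching ^[a-zA-Z0-9-]+$")
    desc = props.get("Description")
    if desc is not None and (not isinstance(desc, str) or len(desc) > 512):
        problems.append("Description must be a String of at most 512 characters")
    tags = props.get("Tags")
    if tags is not None and (not isinstance(tags, list) or len(tags) > 200):
        problems.append("Tags must be a list of at most 200 Tag entries")
    rg_type = props.get("Type")
    if rg_type is not None and rg_type not in ("STATEFUL", "STATELESS"):
        problems.append("Type must be STATEFUL or STATELESS")
    # The rules must agree with the declared Type: a STATELESS group carries
    # StatelessRulesAndCustomActions, a STATEFUL group must not.
    source = props.get("RuleGroup", {}).get("RulesSource", {})
    has_stateless = "StatelessRulesAndCustomActions" in source
    if rg_type == "STATELESS" and source and not has_stateless:
        problems.append("STATELESS rule group must use StatelessRulesAndCustomActions")
    if rg_type == "STATEFUL" and has_stateless:
        problems.append("STATEFUL rule group must not contain stateless rules")
    if has_stateless:  # assumption: each port range object carries both FromPort and ToPort
        for rule in source["StatelessRulesAndCustomActions"].get("StatelessRules", []):
            attrs = rule.get("RuleDefinition", {}).get("MatchAttributes", {})
            for key in ("SourcePorts", "DestinationPorts"):
                for rng in attrs.get(key, []):
                    if not {"FromPort", "ToPort"} <= set(rng):
                        problems.append(f"{key} entry must carry both FromPort and ToPort")
    return problems

# Constructed sample resources for the demo (not taken from any real template).
GOOD = {"Type": "AWS::NetworkFirewall::RuleGroup", "Properties": {
    "RuleGroupName": "SampleStatefulRulegroupName", "Type": "STATEFUL", "Capacity": 100,
    "RuleGroup": {"RulesSource": {"RulesString": 'pass tcp any any <> any any (sid:1;)'}}}}
BAD = {"Type": "AWS::NetworkFirewall::RuleGroup", "Properties": {
    "RuleGroupName": "bad name!", "Type": "STATEFUL",  # no Capacity, name breaks the pattern
    "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": []}}}}}
```

Running `check_rule_group(GOOD)` returns an empty list, while `BAD` reports the missing Capacity, the invalid name and the stateless rules inside a STATEFUL group.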
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the rule group. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:stateful-rulegroup/myStatefulRuleGroupName" }
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
RuleGroupArn
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::RuleGroup.
RuleGroupId
The unique ID of the AWS::NetworkFirewall::RuleGroup resource.
Examples
Create a stateful rule group
The following example shows a stateful rule group specification.
JSON
"SampleStatefulRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatefulRulegroupName",
    "Type": "STATEFUL",
    "RuleGroup": {
      "RulesSource": {
        "RulesString": "pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:\"test\";sid:1;rev:1;)"
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}
YAML
SampleStatefulRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatefulRulegroupName
    Type: STATEFUL
    RuleGroup:
      RulesSource:
        RulesString: >-
          pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:"test";sid:1;rev:1;)
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar
Create a stateless rule group
The following example shows a stateless rule group specification.
JSON
"SampleStatelessRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatelessRulegroupName",
    "Type": "STATELESS",
    "RuleGroup": {
      "RulesSource": {
        "StatelessRulesAndCustomActions": {
          "StatelessRules": [
            {
              "RuleDefinition": {
                "MatchAttributes": {
                  "Sources": [ { "AddressDefinition": "0.0.0.0/0" } ],
                  "Destinations": [ { "AddressDefinition": "10.0.0.0/8" } ],
                  "SourcePorts": [ { "FromPort": 15000, "ToPort": 30000 } ],
                  "DestinationPorts": [ { "FromPort": 443, "ToPort": 443 } ],
                  "Protocols": [ 6 ]
                },
                "Actions": [ "aws:pass" ]
              },
              "Priority": 1
            }
          ]
        }
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [ { "Key": "Foo", "Value": "Bar" } ]
  }
}
YAML
SampleStatelessRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatelessRulegroupName
    Type: STATELESS
    RuleGroup:
      RulesSource:
        StatelessRulesAndCustomActions:
          StatelessRules:
            - RuleDefinition:
                MatchAttributes:
                  Sources:
                    - AddressDefinition: 0.0.0.0/0
                  Destinations:
                    - AddressDefinition: 10.0.0.0/8
                  SourcePorts:
                    - FromPort: 15000
                      ToPort: 30000
                  DestinationPorts:
                    - FromPort: 443
                      ToPort: 443
                  Protocols:
                    - 6
                Actions:
                  - 'aws:pass'
              Priority: 1
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar