AWS::EC2::SecurityGroupEgress
The AWS::EC2::SecurityGroupEgress resource adds an egress rule to an Amazon VPC security group. When you use the AWS::EC2::SecurityGroupEgress resource, the default rule is removed from the security group.
Important
Use AWS::EC2::SecurityGroupIngress and AWS::EC2::SecurityGroupEgress only when necessary, typically to allow security groups to reference each other in ingress and egress rules. Otherwise, use the embedded ingress and egress rules of AWS::EC2::SecurityGroup. For more information, see Amazon EC2 Security Groups.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EC2::SecurityGroupEgress",
  "Properties" : {
    "CidrIp" : String,
    "CidrIpv6" : String,
    "Description" : String,
    "DestinationPrefixListId" : String,
    "DestinationSecurityGroupId" : String,
    "FromPort" : Integer,
    "GroupId" : String,
    "IpProtocol" : String,
    "ToPort" : Integer
  }
}
YAML
Type: AWS::EC2::SecurityGroupEgress
Properties:
  CidrIp: String
  CidrIpv6: String
  Description: String
  DestinationPrefixListId: String
  DestinationSecurityGroupId: String
  FromPort: Integer
  GroupId: String
  IpProtocol: String
  ToPort: Integer
Properties
For more information about adding egress rules to VPC security groups, go to AuthorizeSecurityGroupEgress in the Amazon EC2 API Reference.
Note
If you change this resource's logical ID, you must also update a property value in order to trigger an update for this resource.
CidrIp
An IPv4 CIDR range.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Type: String
Update requires: Replacement
CidrIpv6
An IPv6 CIDR range.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Type: String
Update requires: Replacement
Description
Description of the egress rule.
Required: No
Type: String
Update requires: No interruption
DestinationPrefixListId
The AWS service prefix of an Amazon VPC endpoint. For more information, see VPC Endpoints in the Amazon VPC User Guide.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Type: String
Update requires: Replacement
DestinationSecurityGroupId
Specifies the group ID of the destination Amazon VPC security group.
Required: Conditional. You must specify a destination security group (DestinationPrefixListId or DestinationSecurityGroupId) or a CIDR range (CidrIp or CidrIpv6).
Type: String
Update requires: Replacement
FromPort
Start of port range for the TCP and UDP protocols, or an ICMP type number. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP type number).
Required: Yes
Type: Integer
Update requires: Replacement
GroupId
ID of the Amazon VPC security group to modify. This value can be a reference to an AWS::EC2::SecurityGroup resource that has a valid VpcId property or the ID of an existing Amazon VPC security group.
Required: Yes
Type: String
Update requires: Replacement
IpProtocol
IP protocol name or number. For valid values, see the IpProtocol parameter in AuthorizeSecurityGroupIngress.
Required: Yes
Type: String
Update requires: Replacement
ToPort
End of port range for the TCP and UDP protocols, or an ICMP code. If you specify icmp for the IpProtocol property, you can specify -1 as a wildcard (i.e., any ICMP code).
Required: Yes
Type: Integer
Update requires: Replacement
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic
function, Ref returns the resource name.
For more information about using the Ref function, see Ref.
VPC Security Groups Example
In some cases, you might have an originating (source) security group to which you want to add an outbound rule that allows traffic to a destination (target) security group. The target security group also needs an inbound rule that allows traffic from the source security group. Note that you cannot use the Ref function to specify the outbound and inbound rules for each security group. Doing so creates a circular dependency; you cannot have two resources that depend on each other. Instead, use the egress and ingress resources to declare these outbound and inbound rules, as shown in the following template snippet.
JSON
{
  "AWSTemplateFormatVersion": "2010-09-09",
  "Resources": {
    "SourceSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId" : "vpc-1a2b3c4d",
        "GroupDescription": "Sample source security group"
      }
    },
    "TargetSG": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "VpcId" : "vpc-1a2b3c4d",
        "GroupDescription": "Sample target security group"
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::SecurityGroupEgress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "DestinationSecurityGroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] },
        "GroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] }
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::SecurityGroupIngress",
      "Properties": {
        "IpProtocol": "tcp",
        "FromPort": 0,
        "ToPort": 65535,
        "SourceSecurityGroupId": { "Fn::GetAtt": [ "SourceSG", "GroupId" ] },
        "GroupId": { "Fn::GetAtt": [ "TargetSG", "GroupId" ] }
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  SourceSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: vpc-1a2b3c4d
      GroupDescription: Sample source security group
  TargetSG:
    Type: AWS::EC2::SecurityGroup
    Properties:
      VpcId: vpc-1a2b3c4d
      GroupDescription: Sample target security group
  OutboundRule:
    Type: AWS::EC2::SecurityGroupEgress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      DestinationSecurityGroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
  InboundRule:
    Type: AWS::EC2::SecurityGroupIngress
    Properties:
      IpProtocol: tcp
      FromPort: 0
      ToPort: 65535
      SourceSecurityGroupId:
        Fn::GetAtt:
          - SourceSG
          - GroupId
      GroupId:
        Fn::GetAtt:
          - TargetSG
          - GroupId
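The two points this page makes, the conditional destination and required properties of an egress rule and the circular dependency that Ref-linked security groups create, can both be checked before a template is deployed. The following Python audit is an added example and is not code from the AWS documentation. It embeds a constructed copy of the SourceSG/TargetSG snippet above (group descriptions shortened) plus a constructed extra rule, AllowAllEgress, that opens every TCP port to 0.0.0.0/0, and a constructed circular variant in which the rules are embedded in each group and point at each other with Ref. The "unrestricted destination" heuristic and all function names are this example's own, not part of CloudFormation.

```python
"""Audit AWS::EC2::SecurityGroupEgress rules in a CloudFormation template. Added example,
not AWS code: checks each rule against this page's property rules, flags rules open to any
destination on every port, and detects the circular Ref/Fn::GetAtt dependency the page warns about."""

SRC = {"Fn::GetAtt": ["SourceSG", "GroupId"]}   # shorthand for the two group references
DST = {"Fn::GetAtt": ["TargetSG", "GroupId"]}
# Constructed sample: the documentation's SourceSG/TargetSG snippet (descriptions shortened)
# plus one extra rule, AllowAllEgress, that opens every TCP port to any IPv4 address.
SAMPLE_TEMPLATE = {
    "AWSTemplateFormatVersion": "2010-09-09",
    "Resources": {
        "SourceSG": {"Type": "AWS::EC2::SecurityGroup",
                     "Properties": {"VpcId": "vpc-1a2b3c4d", "GroupDescription": "source"}},
        "TargetSG": {"Type": "AWS::EC2::SecurityGroup",
                     "Properties": {"VpcId": "vpc-1a2b3c4d", "GroupDescription": "target"}},
        "OutboundRule": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
            "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
            "DestinationSecurityGroupId": DST, "GroupId": SRC}},
        "InboundRule": {"Type": "AWS::EC2::SecurityGroupIngress", "Properties": {
            "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
            "SourceSecurityGroupId": SRC, "GroupId": DST}},
        "AllowAllEgress": {"Type": "AWS::EC2::SecurityGroupEgress", "Properties": {
            "IpProtocol": "tcp", "FromPort": 0, "ToPort": 65535,
            "CidrIp": "0.0.0.0/0", "GroupId": SRC}},
    },
}

# Constructed counter-example: the same rules embedded in each AWS::EC2::SecurityGroup and
# pointing at each other with Ref, which is the circular dependency the documentation describes.
CIRCULAR_TEMPLATE = {"Resources": {
    "SourceSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": "vpc-1a2b3c4d", "GroupDescription": "source", "SecurityGroupEgress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "DestinationSecurityGroupId": {"Ref": "TargetSG"}}]}},
    "TargetSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {
        "VpcId": "vpc-1a2b3c4d", "GroupDescription": "target", "SecurityGroupIngress": [
            {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
             "SourceSecurityGroupId": {"Ref": "SourceSG"}}]}},
}}

DESTINATION_KEYS = ("CidrIp", "CidrIpv6", "DestinationPrefixListId", "DestinationSecurityGroupId")
REQUIRED_KEYS = ("GroupId", "IpProtocol", "FromPort", "ToPort")
ANY_IPV4, ANY_IPV6 = "0.0.0.0/0", "::/0"


def check_egress_rule(props):
    """Return the list of findings for one SecurityGroupEgress Properties block."""
    findings = []
    if not any(key in props for key in DESTINATION_KEYS):
        findings.append("no destination: set one of " + ", ".join(DESTINATION_KEYS))
    findings += ["missing required property " + key for key in REQUIRED_KEYS if key not in props]
    if props.get("CidrIp") == ANY_IPV4 or props.get("CidrIpv6") == ANY_IPV6:
        # IpProtocol -1 means every protocol; ports 0-65535 cover every TCP/UDP port.
        all_ports = str(props.get("IpProtocol")) == "-1" or (
            props.get("FromPort") == 0 and props.get("ToPort") == 65535)
        findings.append("unrestricted destination on " + ("all ports" if all_ports else "%s ports %s-%s"
                        % (props.get("IpProtocol"), props.get("FromPort"), props.get("ToPort"))))
    return findings


def audit_egress(template):
    """Map each AWS::EC2::SecurityGroupEgress logical ID to its findings ([] when clean)."""
    return {name: check_egress_rule(res.get("Properties", {}))
            for name, res in template["Resources"].items()
            if res.get("Type") == "AWS::EC2::SecurityGroupEgress"}


def references(node):
    """Yield every logical ID referenced through Ref or Fn::GetAtt anywhere under node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            yield node["Ref"]
        if isinstance(node.get("Fn::GetAtt"), list) and node["Fn::GetAtt"]:
            yield node["Fn::GetAtt"][0]
    children = node.values() if isinstance(node, dict) else node if isinstance(node, list) else []
    for child in children:
        yield from references(child)


def dependency_graph(template):
    """Adjacency list: logical ID -> sorted logical IDs it depends on (pseudo parameters ignored)."""
    resources = template["Resources"]
    return {name: sorted(ref for ref in set(references(res)) if ref in resources)
            for name, res in resources.items()}


def find_cycle(graph):
    """Return one dependency cycle as a path that ends where it starts, or [] if acyclic."""
    done, path = set(), []

    def visit(node):  # depth-first search; path holds the chain of nodes currently being explored
        if node in path:
            return path[path.index(node):] + [node]
        if node in done:
            return []
        path.append(node)
        cycle = next((c for dep in graph[node] for c in [visit(dep)] if c), [])
        path.pop()
        done.add(node)
        return cycle

    return next((c for node in graph for c in [visit(node)] if c), [])
```

Run audit_egress(SAMPLE_TEMPLATE) to get one finding list per egress rule (OutboundRule is clean, AllowAllEgress is reported as unrestricted), and find_cycle(dependency_graph(...)) to confirm that the page's resource-based snippet has no cycle while the Ref-embedded variant returns SourceSG -> TargetSG -> SourceSG, the dependency loop CloudFormation would reject. Because the same check drives off plain dicts, the template can just as well be loaded from a JSON file with json.load before deployment.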
