AWS::EC2::SecurityGroup Egress
Adds the specified outbound (egress) rule to a security group.
An outbound rule permits instances to send traffic to the specified IPv4 or IPv6 address range, the IP address ranges that are specified by a prefix list, or the instances that are associated with a destination security group. For more information, see Security group rules.
You must specify exactly one of the following destinations: an IPv4 address range, an IPv6 address range, a prefix list, or a security group.
You must specify a protocol for each rule (for example, TCP). If the protocol is TCP or UDP, you must also specify a port or port range. If the protocol is ICMP or ICMPv6, you must also specify the ICMP/ICMPv6 type and code.
Rule changes are propagated to instances associated with the security group as quickly as possible. However, a small delay might occur.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "CidrIp" : String,
  "CidrIpv6" : String,
  "Description" : String,
  "DestinationPrefixListId" : String,
  "DestinationSecurityGroupId" : String,
  "FromPort" : Integer,
  "IpProtocol" : String,
  "ToPort" : Integer
}
YAML
CidrIp: String
CidrIpv6: String
Description: String
DestinationPrefixListId: String
DestinationSecurityGroupId: String
FromPort: Integer
IpProtocol: String
ToPort: Integer
Properties
CidrIp
The IPv4 address range, in CIDR format.
You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.
For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide.
Required: No
Type: String
Update requires: No interruption
CidrIpv6
The IPv6 address range, in CIDR format.
You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.
For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide.
Required: No
Type: String
Update requires: No interruption
Description
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
Required: No
Type: String
Update requires: No interruption
DestinationPrefixListId
The prefix list IDs for the destination AWS service. This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.
Required: No
Type: String
Update requires: No interruption
DestinationSecurityGroupId
The ID of the destination VPC security group.
You must specify exactly one of the following: CidrIp, CidrIpv6, DestinationPrefixListId, or DestinationSecurityGroupId.
Required: No
Type: String
Update requires: No interruption
FromPort
If the protocol is TCP or UDP, this is the start of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP type or -1 (all ICMP types).
Required: No
Type: Integer
Update requires: No interruption
IpProtocol
The IP protocol name (tcp, udp, icmp, icmpv6) or number (see Protocol Numbers). Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp, udp, icmp, or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp, udp, and icmp, you must specify a port range. For icmpv6, the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
Required: Yes
Type: String
Update requires: No interruption
ToPort
If the protocol is TCP or UDP, this is the end of the port range. If the protocol is ICMP or ICMPv6, this is the ICMP code or -1 (all ICMP codes). If the start port is -1 (all ICMP types), then the end port must be -1 (all ICMP codes).
Required: No
Type: Integer
Update requires: No interruption
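The following is an added example, not part of this reference or of any AWS tooling: a small lint check that applies the constraints documented above (exactly one destination, IpProtocol required, port-range rules per protocol, the ICMP -1 pairing, and the Description limits) to egress rule objects and flags rules that permit traffic to any destination on any port. The mapping from protocol numbers to the four named protocols and the sample rules (including the placeholder prefix list ID pl-EXAMPLE) are assumptions of the example, not values from the page.

```python
import re

# Constraints transcribed from the AWS::EC2::SecurityGroup Egress reference above.
DESTINATION_KEYS = ("CidrIp", "CidrIpv6", "DestinationPrefixListId", "DestinationSecurityGroupId")
NAMED_PROTOCOLS = ("tcp", "udp", "icmp", "icmpv6")
# IANA protocol numbers for the four named protocols (assumed mapping, not stated on this page).
PROTOCOL_NUMBERS = {"6": "tcp", "17": "udp", "1": "icmp", "58": "icmpv6"}
DESCRIPTION_RE = re.compile(r"[A-Za-z0-9 ._\-:/()#,@\[\]+=;{}!$*]{0,255}")

def normalize_protocol(rule):
    """Lower-case IpProtocol and map a known protocol number to its name."""
    proto = str(rule.get("IpProtocol", "")).lower()
    return PROTOCOL_NUMBERS.get(proto, proto)

def validate_egress(rule):
    """Return the documented constraints this rule violates (empty list = valid)."""
    problems = []
    found = [k for k in DESTINATION_KEYS if k in rule]
    if len(found) != 1:
        problems.append(f"exactly one destination required, found {found}")
    if "IpProtocol" not in rule:
        return problems + ["IpProtocol is required"]
    proto = normalize_protocol(rule)
    has_ports = "FromPort" in rule and "ToPort" in rule
    if proto in ("tcp", "udp", "icmp") and not has_ports:
        problems.append(f"{proto} requires FromPort and ToPort")
    if proto in ("icmp", "icmpv6") and has_ports and rule["FromPort"] == -1 and rule["ToPort"] != -1:
        problems.append("FromPort -1 (all ICMP types) requires ToPort -1 (all ICMP codes)")
    if not DESCRIPTION_RE.fullmatch(rule.get("Description", "")):
        problems.append("Description exceeds 255 characters or uses disallowed characters")
    return problems

def allows_all_ports(rule):
    """-1, or any protocol other than tcp/udp/icmp/icmpv6, ignores the port range."""
    return normalize_protocol(rule) not in NAMED_PROTOCOLS

def is_unrestricted(rule):
    """Flag a rule that lets instances reach any IPv4 or IPv6 destination on any port."""
    anywhere = rule.get("CidrIp") == "0.0.0.0/0" or rule.get("CidrIpv6") == "::/0"
    return bool(anywhere and allows_all_ports(rule))

# Constructed sample rules as they would appear under SecurityGroupEgress (pl-EXAMPLE is a placeholder).
SAMPLE_RULES = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "DestinationPrefixListId": "pl-EXAMPLE", "Description": "HTTPS to S3 gateway endpoint"},
    {"IpProtocol": "-1", "CidrIp": "0.0.0.0/0"},                     # unrestricted egress
    {"IpProtocol": "udp", "CidrIp": "10.0.0.0/8"},                   # missing port range
    {"IpProtocol": "icmp", "FromPort": -1, "ToPort": 0, "CidrIp": "10.0.0.0/8", "CidrIpv6": "::/0"},
]
```

Run validate_egress and is_unrestricted over each entry of a template's SecurityGroupEgress list; the second sample rule is valid as far as the documented constraints go but is reported as unrestricted, which is the case a reviewer usually wants surfaced.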