The ALIYUN::CLOUDFW::ControlPolicy resource type is used to add an access control policy to Cloud Firewall.
Syntax
{
  "Type": "ALIYUN::CLOUDFW::ControlPolicy",
  "Properties": {
    "ApplicationName": String,
    "DestPortType": String,
    "Direction": String,
    "Destination": String,
    "Description": String,
    "Proto": String,
    "AclAction": String,
    "Source": String,
    "SourceType": String,
    "DestinationType": String,
    "NewOrder": Integer,
    "DestPort": String,
    "RegionId": String,
    "DestPortGroup": String,
    "Release": Boolean,
    "RepeatType": String,
    "StartTime": Integer,
    "RepeatEndTime": String,
    "DomainResolveType": String,
    "IpVersion": String,
    "RepeatDays": List,
    "EndTime": Integer,
    "RepeatStartTime": String,
    "ApplicationNameList": List
  }
}
Properties
| Property | Type | Required | Updatable | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| AclAction | String | Yes | Yes | How Cloud Firewall handles traffic matched by the access control policy. | Valid values: accept (allow), drop (deny), log (observe only). |
| ApplicationName | String | No | Yes | Application type the policy applies to. | Valid values: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. ANY applies the policy to all application types. |
| Description | String | Yes | Yes | Description of the access control policy. | None |
| Destination | String | Yes | Yes | Destination address in the access control policy. | The value depends on DestinationType: a CIDR block when net (for example 192.168.XX.XX/24); an address book name when group (for example db_group); a domain name when domain (for example *.example.com); a region code when location (see Region codes below, for example ["BJ11", "ZB"]). |
| DestinationType | String | Yes | Yes | Type of the destination address in the access control policy. | Valid values: net (destination CIDR block), group (destination address book), domain (destination domain name), location (destination region). |
| Direction | String | Yes | No | Traffic direction of the access control policy. | Valid values: in (inbound traffic), out (outbound traffic). |
| NewOrder | Integer | Yes | Yes | Priority of the access control policy. | Priority numbers start at 1 and increase sequentially; the larger the number, the lower the priority. Important: 1 is the highest priority and -1 the lowest. |
| Proto | String | Yes | Yes | Protocol of the traffic covered by the access control policy. | Valid values: ANY, TCP, UDP, ICMP. Use ANY when the protocol is not known. |
| Source | String | Yes | Yes | Source address in the access control policy. | The value depends on SourceType: a CIDR block when net (for example 192.168.XX.XX/24); an address book name when group (for example db_group); a region code when location (see Region codes below, for example ["BJ11", "ZB"]). |
| SourceType | String | Yes | Yes | Type of the source address in the access control policy. | Valid values: net (source CIDR block), group (source address book), location (source region). |
| DestPort | String | No | Yes | Destination port of the traffic covered by the policy. | Set this property when DestPortType is port. |
| DestPortGroup | String | No | Yes | Name of the destination port address book for the traffic covered by the policy. | Set this property when DestPortType is group. |
| DestPortType | String | No | Yes | Type of the destination port in the access control policy. | Valid values: port (a port), group (a port address book). |
| RegionId | String | No | No | Region. | Valid values used in the example below: cn-hangzhou (default), ap-southeast-1. |
| Release | Boolean | No | No | Whether the access control policy is enabled. | The policy is enabled by default after creation. Valid values: true, false. |
| RepeatType | String | No | No | Repeat type of the policy's validity period. | Valid values: Permanent, None, Daily, Weekly, Monthly. |
| StartTime | Integer | No | No | Start time of the policy's validity period. | Unix timestamp in seconds. Must be on the hour or half hour and at least 30 minutes earlier than EndTime. Note: when RepeatType is Permanent, leave StartTime empty; when RepeatType is None, Daily, Weekly, or Monthly, StartTime is required. |
| RepeatEndTime | String | No | No | Repeat end time of the policy's validity period. | For example 23:30. Must be on the hour or half hour and at least 30 minutes later than RepeatStartTime. Note: when RepeatType is Permanent or None, leave RepeatEndTime empty; when RepeatType is Daily, Weekly, or Monthly, RepeatEndTime is required. |
| DomainResolveType | String | No | No | Domain name resolution method of the access control policy. | The policy is enabled by default after creation. Valid values: (not listed on this page) |
| IpVersion | String | No | No | IP version of the assets protected by Cloud Firewall. | Valid values: (not listed on this page) |
| RepeatDays | List | No | No | Days on which the policy's validity period repeats. | Note: when RepeatType is Weekly, RepeatDays must not contain duplicates. When RepeatType is Monthly, RepeatDays must not contain duplicates. |
| EndTime | Integer | No | No | End time of the policy's validity period. | Unix timestamp in seconds. Must be on the hour or half hour and at least 30 minutes later than StartTime. Note: when RepeatType is Permanent, leave EndTime empty; when RepeatType is None, Daily, Weekly, or Monthly, EndTime is required. |
| RepeatStartTime | String | No | No | Repeat start time of the policy's validity period. | For example 08:00. Must be on the hour or half hour and at least 30 minutes earlier than RepeatEndTime. Note: when RepeatType is Permanent or None, leave RepeatStartTime empty; when RepeatType is Daily, Weekly, or Monthly, RepeatStartTime is required. |
| ApplicationNameList | List | No | No | Application names. | None |
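The port and validity-window constraints above are easy to get wrong in a template and only surface at stack creation. As an added example (not part of this documentation), the following Python lint checks a property map against those constraints before deployment; the sample policy, and the value formats used for DestPort and RepeatDays, are constructed assumptions.

```python
# Added example (not from the ROS docs): lint ALIYUN::CLOUDFW::ControlPolicy properties
# against the constraints the property table states for ports and validity windows.
from datetime import datetime

HALF_HOUR = 1800  # seconds; StartTime/EndTime are second-level timestamps on :00 or :30
WINDOW_TYPES = {"Daily", "Weekly", "Monthly"}  # these require RepeatStartTime/RepeatEndTime

def _hhmm(value):
    """'HH:MM' -> minutes since midnight, or None unless on the hour or half hour."""
    try:
        t = datetime.strptime(value, "%H:%M")
    except (TypeError, ValueError):
        return None
    return t.hour * 60 + t.minute if t.minute in (0, 30) else None

def validate_control_policy(props):
    """Return the list of violated constraints; an empty list means the policy passes."""
    errors = []
    port_type = props.get("DestPortType")  # decides which port field must be present
    if port_type == "port" and not props.get("DestPort"):
        errors.append("DestPort is required when DestPortType is port")
    if port_type == "group" and not props.get("DestPortGroup"):
        errors.append("DestPortGroup is required when DestPortType is group")
    repeat = props.get("RepeatType")
    start, end = props.get("StartTime"), props.get("EndTime")
    if repeat not in (None, "Permanent"):  # None/Daily/Weekly/Monthly need a validity period
        if start is None or end is None:
            errors.append("StartTime and EndTime are required when RepeatType is " + repeat)
        elif start % HALF_HOUR or end % HALF_HOUR or end - start < HALF_HOUR:
            errors.append("StartTime/EndTime must be on the hour or half hour, >= 30 min apart")
    elif repeat == "Permanent" and (start, end) != (None, None):
        errors.append("StartTime/EndTime must be empty when RepeatType is Permanent")
    if repeat in WINDOW_TYPES:
        rs, re_ = _hhmm(props.get("RepeatStartTime")), _hhmm(props.get("RepeatEndTime"))
        if rs is None or re_ is None or re_ - rs < 30:
            errors.append("RepeatStartTime/RepeatEndTime must be HH:MM on the hour or half hour, >= 30 min apart")
    days = props.get("RepeatDays") or []
    if repeat in ("Weekly", "Monthly") and len(days) != len(set(days)):
        errors.append("RepeatDays must not contain duplicates")
    return errors

# Constructed sample: allow SSH from an admin subnet to the "db_group" address book on
# weekdays 08:00-18:00 throughout 2024. DestPort and RepeatDays value formats are assumed.
SAMPLE_POLICY = {
    "AclAction": "accept", "Direction": "in", "Proto": "TCP", "ApplicationName": "SSH",
    "Source": "10.0.0.0/24", "SourceType": "net", "Destination": "db_group",
    "DestinationType": "group", "DestPortType": "port", "DestPort": "22/22", "NewOrder": 1,
    "RepeatType": "Weekly", "RepeatDays": [1, 2, 3, 4, 5], "RepeatStartTime": "08:00",
    "RepeatEndTime": "18:00", "StartTime": 1704067200, "EndTime": 1735603200,  # 2024 UTC
}
```

Note that the RepeatType value None is the string "None", not an absent property; the lint treats a missing RepeatType as carrying no validity-window rules.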
Region codes
Codes for China and overseas
| Region | Code |
| --- | --- |
| China | ZD |
| Overseas | ZB |
Codes for regions of China
| Region | Code |
| --- | --- |
| Beijing | BJ11 |
| Tianjin | TJ12 |
| Hebei | HB13 |
| Shanxi | SX14 |
| Liaoning | LN21 |
| Jilin | JL22 |
| Shanghai | SH31 |
| Jiangsu | JS32 |
| Zhejiang | ZJ33 |
| Anhui | AH34 |
| Fujian | FJ35 |
| Jiangxi | JX36 |
| Shandong | SD37 |
| Henan | HN41 |
| Hubei | HB42 |
| Hunan | HN43 |
| Guangdong | GD44 |
| Hainan | HN46 |
| Chongqing | CQ50 |
| Sichuan | SC51 |
| Guizhou | GZ52 |
| Yunnan | YN53 |
| Shaanxi | SX61 |
| Gansu | GS62 |
| Qinghai | QH63 |
| Heilongjiang | HLJ23 |
| Tibet Autonomous Region | XZ54 |
| Guangxi Zhuang Autonomous Region | GX45 |
| Inner Mongolia Autonomous Region | NMG15 |
| Ningxia Hui Autonomous Region | NX64 |
| Xinjiang Uygur Autonomous Region | XJ65 |
| Taiwan (China) | TW |
| Hong Kong SAR (China) | HK |
| Macao SAR (China) | MO |
Codes for overseas regions
| Region | Code |
| --- | --- |
| Asia (excluding China) | ZC |
| Europe | EU |
| Africa | AF |
| North America | NA |
| South America | LA |
| Oceania | OA |
| Antarctica | AQ |
Return values
Fn::GetAtt
AclUuid: the unique ID of the access control policy.
Examples
YAML format
ROSTemplateFormatVersion: '2015-09-01'
Resources:
  ControlPolicy:
    Type: ALIYUN::CLOUDFW::ControlPolicy
    Properties:
      ApplicationName:
        Ref: ApplicationName
      DestPortType:
        Ref: DestPortType
      Direction:
        Ref: Direction
      AclAction:
        Ref: AclAction
      Description:
        Ref: Description
      Proto:
        Ref: Proto
      Destination:
        Ref: Destination
      Source:
        Ref: Source
      DestinationType:
        Ref: DestinationType
      NewOrder:
        Ref: NewOrder
      DestPortGroup:
        Ref: DestPortGroup
      DestPort:
        Ref: DestPort
      RegionId:
        Ref: RegionId
      SourceType:
        Ref: SourceType
Parameters:
  ApplicationName:
    Type: String
    Description: 'Application type the policy applies to. Supported values: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE: ANY applies the policy to all application types.'
    AllowedValues:
      - ANY
      - HTTP
      - HTTPS
      - MQTT
      - Memcache
      - MongoDB
      - MySQL
      - RDP
      - Redis
      - SMTP
      - SMTPS
      - SSH
      - SSL
      - VNC
  DestPortType:
    Type: String
    Description: 'Type of the destination port in the access control policy. port: a port. group: a port address book.'
    AllowedValues:
      - group
      - port
  Direction:
    Type: String
    Description: 'Traffic direction of the access control policy. in: inbound traffic (external to internal). out: outbound traffic (internal to external).'
    AllowedValues:
      - in
      - out
  AclAction:
    Type: String
    Description: 'How Cloud Firewall handles traffic matched by the policy. accept: allow. drop: deny. log: observe only.'
    AllowedValues:
      - accept
      - drop
      - log
  Description:
    MinLength: 1
    Type: String
    Description: Description of the access control policy.
  Proto:
    Type: String
    Description: 'Protocol of the traffic covered by the access control policy. Set to ANY when the protocol is not known. Allowed values: ANY, TCP, UDP, ICMP.'
    AllowedValues:
      - ANY
      - ICMP
      - TCP
      - UDP
  Destination:
    MinLength: 1
    Type: String
    Description: 'Destination address of the access control policy. When DestinationType is net, Destination is a CIDR block, for example 192.168.XX.XX/24. When DestinationType is group, Destination is an address book name, for example db_group. When DestinationType is domain, Destination is a domain name, for example *.example.com. When DestinationType is location, Destination is a region code (see the region codes above), for example ["BJ11", "ZB"].'
  Source:
    MinLength: 1
    Type: String
    Description: 'Source address of the access control policy. When SourceType is net, Source is a CIDR block, for example 192.168.XX.XX/24. When SourceType is group, Source is an address book name, for example db_group. When SourceType is location, Source is a region code (see the region codes above), for example ["BJ11", "ZB"].'
  DestinationType:
    Type: String
    Description: 'Type of the destination address in the access control policy. net: destination CIDR block. group: destination address book. domain: destination domain name. location: destination region.'
    AllowedValues:
      - domain
      - group
      - location
      - net
  NewOrder:
    Type: Number
    Description: 'Priority of the access control policy. Priority numbers increase from 1; the smaller the number, the higher the priority. -1 indicates the lowest priority.'
    MinValue: -1
  DestPortGroup:
    Type: String
    Description: Name of the destination port address book. Set this parameter when DestPortType is group.
  DestPort:
    Type: String
    Description: Destination port of the traffic. Set this parameter when DestPortType is port.
  RegionId:
    Default: cn-hangzhou
    Type: String
    Description: Region ID. Defaults to cn-hangzhou.
    AllowedValues:
      - cn-hangzhou
      - ap-southeast-1
  SourceType:
    Type: String
    Description: 'Type of the source address in the access control policy. net: source CIDR block. group: source address book. location: source region.'
    AllowedValues:
      - group
      - location
      - net
Outputs:
  AclUuid:
    Description: Unique ID of the access control policy.
    Value:
      Fn::GetAtt:
        - ControlPolicy
        - AclUuid
JSON format
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Resources": {
    "ControlPolicy": {
      "Type": "ALIYUN::CLOUDFW::ControlPolicy",
      "Properties": {
        "ApplicationName": {
          "Ref": "ApplicationName"
        },
        "DestPortType": {
          "Ref": "DestPortType"
        },
        "Direction": {
          "Ref": "Direction"
        },
        "AclAction": {
          "Ref": "AclAction"
        },
        "Description": {
          "Ref": "Description"
        },
        "Proto": {
          "Ref": "Proto"
        },
        "Destination": {
          "Ref": "Destination"
        },
        "Source": {
          "Ref": "Source"
        },
        "DestinationType": {
          "Ref": "DestinationType"
        },
        "NewOrder": {
          "Ref": "NewOrder"
        },
        "DestPortGroup": {
          "Ref": "DestPortGroup"
        },
        "DestPort": {
          "Ref": "DestPort"
        },
        "RegionId": {
          "Ref": "RegionId"
        },
        "SourceType": {
          "Ref": "SourceType"
        }
      }
    }
  },
  "Parameters": {
    "ApplicationName": {
      "Type": "String",
      "Description": "Application type the policy applies to. Supported values: ANY, HTTP, HTTPS, MySQL, SMTP, SMTPS, RDP, VNC, SSH, Redis, MQTT, MongoDB, Memcache, SSL. NOTE: ANY applies the policy to all application types.",
      "AllowedValues": [
        "ANY",
        "HTTP",
        "HTTPS",
        "MQTT",
        "Memcache",
        "MongoDB",
        "MySQL",
        "RDP",
        "Redis",
        "SMTP",
        "SMTPS",
        "SSH",
        "SSL",
        "VNC"
      ]
    },
    "DestPortType": {
      "Type": "String",
      "Description": "Type of the destination port in the access control policy. port: a port. group: a port address book.",
      "AllowedValues": [
        "group",
        "port"
      ]
    },
    "Direction": {
      "Type": "String",
      "Description": "Traffic direction of the access control policy. in: inbound traffic (external to internal). out: outbound traffic (internal to external).",
      "AllowedValues": [
        "in",
        "out"
      ]
    },
    "AclAction": {
      "Type": "String",
      "Description": "How Cloud Firewall handles traffic matched by the policy. accept: allow. drop: deny. log: observe only.",
      "AllowedValues": [
        "accept",
        "drop",
        "log"
      ]
    },
    "Description": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Description of the access control policy."
    },
    "Proto": {
      "Type": "String",
      "Description": "Protocol of the traffic covered by the access control policy. Set to ANY when the protocol is not known. Allowed values: ANY, TCP, UDP, ICMP.",
      "AllowedValues": [
        "ANY",
        "ICMP",
        "TCP",
        "UDP"
      ]
    },
    "Destination": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Destination address of the access control policy. When DestinationType is net, Destination is a CIDR block, for example 192.168.XX.XX/24. When DestinationType is group, Destination is an address book name, for example db_group. When DestinationType is domain, Destination is a domain name, for example *.example.com. When DestinationType is location, Destination is a region code (see the region codes above), for example [\"BJ11\", \"ZB\"]."
    },
    "Source": {
      "MinLength": 1,
      "Type": "String",
      "Description": "Source address of the access control policy. When SourceType is net, Source is a CIDR block, for example 192.168.XX.XX/24. When SourceType is group, Source is an address book name, for example db_group. When SourceType is location, Source is a region code (see the region codes above), for example [\"BJ11\", \"ZB\"]."
    },
    "DestinationType": {
      "Type": "String",
      "Description": "Type of the destination address in the access control policy. net: destination CIDR block. group: destination address book. domain: destination domain name. location: destination region.",
      "AllowedValues": [
        "domain",
        "group",
        "location",
        "net"
      ]
    },
    "NewOrder": {
      "Type": "Number",
      "Description": "Priority of the access control policy. Priority numbers increase from 1; the smaller the number, the higher the priority. -1 indicates the lowest priority.",
      "MinValue": -1
    },
    "DestPortGroup": {
      "Type": "String",
      "Description": "Name of the destination port address book. Set this parameter when DestPortType is group."
    },
    "DestPort": {
      "Type": "String",
      "Description": "Destination port of the traffic. Set this parameter when DestPortType is port."
    },
    "RegionId": {
      "Default": "cn-hangzhou",
      "Type": "String",
      "Description": "Region ID. Defaults to cn-hangzhou.",
      "AllowedValues": [
        "cn-hangzhou",
        "ap-southeast-1"
      ]
    },
    "SourceType": {
      "Type": "String",
      "Description": "Type of the source address in the access control policy. net: source CIDR block. group: source address book. location: source region.",
      "AllowedValues": [
        "group",
        "location",
        "net"
      ]
    }
  },
  "Outputs": {
    "AclUuid": {
      "Description": "Unique ID of the access control policy.",
      "Value": {
        "Fn::GetAtt": [
          "ControlPolicy",
          "AclUuid"
        ]
      }
    }
  }
}