interface EgressProperty
| Language | Type name |
|---|---|
 .NET | Amazon.CDK.AWS.EC2.CfnSecurityGroup.EgressProperty |
 Java | software.amazon.awscdk.services.ec2.CfnSecurityGroup.EgressProperty |
 Python | aws_cdk.aws_ec2.CfnSecurityGroup.EgressProperty |
 TypeScript | @aws-cdk/aws-ec2 » CfnSecurityGroup » EgressProperty |
Adds the specified egress rules to a security group for use with a VPC.
An outbound rule permits instances to send traffic to the specified destination IPv4 or IPv6 CIDR address ranges, or to the specified destination security groups for the same VPC.
You specify a protocol for each rule (for example, TCP). For the TCP and UDP protocols, you must also specify the destination port or port range. For the ICMP protocol, you must also specify the ICMP type and code. You can use -1 for the type or code to mean all types or all codes.
You must specify only one of the following properties: CidrIp , CidrIpv6 , DestinationPrefixListId , or DestinationSecurityGroupId .
You must specify a destination security group ( DestinationPrefixListId or DestinationSecurityGroupId ) or a CIDR range ( CidrIp or CidrIpv6 ). If you do not specify one of these parameters, the stack will launch successfully but the rule will not be added to the security group.
Rule changes are propagated to affected instances as quickly as possible. However, a small delay might occur.
For more information about VPC security group limits, see Amazon VPC Limits .
Use SecurityGroup.Ingress and SecurityGroup.Egress only when necessary, typically to allow security groups to reference each other in ingress and egress rules. Otherwise, use the embedded ingress and egress rules of the security group. For more information, see Amazon EC2 Security Groups .
The EC2 Security Group Rule is an embedded property of the AWS::EC2::SecurityGroup type.
Example
// The code below shows an example of how to instantiate this type.
// The values are placeholders you should change.
import * as ec2 from '@aws-cdk/aws-ec2';
const egressProperty: ec2.CfnSecurityGroup.EgressProperty = {
ipProtocol: 'ipProtocol',
// the properties below are optional
cidrIp: 'cidrIp',
cidrIpv6: 'cidrIpv6',
description: 'description',
destinationPrefixListId: 'destinationPrefixListId',
destinationSecurityGroupId: 'destinationSecurityGroupId',
fromPort: 123,
toPort: 123,
};
Properties
| Name | Type | Description |
|---|---|---|
| ip | string | The IP protocol name ( tcp , udp , icmp , icmpv6 ) or number (see Protocol Numbers ). |
| cidr | string | The IPv4 address range, in CIDR format. |
| cidr | string | The IPv6 address range, in CIDR format. |
| description? | string | A description for the security group rule. |
| destination | string | The prefix list IDs for the destination AWS service. |
| destination | string | The ID of the destination VPC security group. |
| from | number | If the protocol is TCP or UDP, this is the start of the port range. |
| to | number | If the protocol is TCP or UDP, this is the end of the port range. |
ipProtocol
Type:
string
The IP protocol name ( tcp , udp , icmp , icmpv6 ) or number (see Protocol Numbers ).
Use -1 to specify all protocols. When authorizing security group rules, specifying -1 or a protocol number other than tcp , udp , icmp , or icmpv6 allows traffic on all ports, regardless of any port range you specify. For tcp , udp , and icmp , you must specify a port range. For icmpv6 , the port range is optional; if you omit the port range, traffic for all types and codes is allowed.
cidrIp?
Type:
string
(optional)
The IPv4 address range, in CIDR format.
You must specify a destination security group ( DestinationPrefixListId or DestinationSecurityGroupId ) or a CIDR range ( CidrIp or CidrIpv6 ).
For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .
cidrIpv6?
Type:
string
(optional)
The IPv6 address range, in CIDR format.
You must specify a destination security group ( DestinationPrefixListId or DestinationSecurityGroupId ) or a CIDR range ( CidrIp or CidrIpv6 ).
For examples of rules that you can add to security groups for specific access scenarios, see Security group rules for different use cases in the Amazon EC2 User Guide .
description?
Type:
string
(optional)
A description for the security group rule.
Constraints: Up to 255 characters in length. Allowed characters are a-z, A-Z, 0-9, spaces, and ._-:/()#,@[]+=;{}!$*
destinationPrefixListId?
Type:
string
(optional)
The prefix list IDs for the destination AWS service.
This is the AWS service that you want to access through a VPC endpoint from instances associated with the security group.
You must specify a destination security group ( DestinationPrefixListId or DestinationSecurityGroupId ) or a CIDR range ( CidrIp or CidrIpv6 ).
destinationSecurityGroupId?
Type:
string
(optional)
The ID of the destination VPC security group.
You must specify a destination security group ( DestinationPrefixListId or DestinationSecurityGroupId ) or a CIDR range ( CidrIp or CidrIpv6 ).
fromPort?
Type:
number
(optional)
If the protocol is TCP or UDP, this is the start of the port range.
If the protocol is ICMP or ICMPv6, this is the type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.
toPort?
Type:
number
(optional)
If the protocol is TCP or UDP, this is the end of the port range.
If the protocol is ICMP or ICMPv6, this is the code. A value of -1 indicates all ICMP/ICMPv6 codes. If you specify all ICMP/ICMPv6 types, you must specify all ICMP/ICMPv6 codes.