Use the AWS::NetworkFirewall::RuleGroup to define a reusable collection of stateless or stateful network traffic filtering rules. You use rule groups in an AWS::NetworkFirewall::FirewallPolicy to specify the filtering behavior of an AWS::NetworkFirewall::Firewall.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::NetworkFirewall::RuleGroup",
  "Properties" : {
      "Capacity" : Integer,
      "Description" : String,
      "RuleGroup" : RuleGroup,
      "RuleGroupName" : String,
      "Tags" : [ Tag, ... ],
      "Type" : String
    }
}
YAML
Type: AWS::NetworkFirewall::RuleGroup
Properties:
  Capacity: Integer
  Description: String
  RuleGroup:
    RuleGroup
  RuleGroupName: String
  Tags:
    - Tag
  Type: String
Properties
Capacity
The maximum operating resources that this rule group can use. You can't change a rule group's capacity setting after you create the rule group. When you update a rule group, you are limited to this capacity. When you reference a rule group from a firewall policy, Network Firewall reserves this capacity for the rule group.
Required: Yes
Type: Integer
Update requires: Replacement
Description
A description of the rule group.
Required: No
Type: String
Pattern: ^.*$
Minimum: 1
Maximum: 512
Update requires: No interruption
RuleGroup
An object that defines the rule group rules.
Required: No
Type: RuleGroup
Update requires: No interruption
RuleGroupName
The descriptive name of the rule group. You can't change the name of a rule group after you create it.
Required: Yes
Type: String
Pattern: ^[a-zA-Z0-9-]+$
Minimum: 1
Maximum: 128
Update requires: Replacement
Tags
An array of key-value pairs to apply to this resource.
For more information, see Tag.
Required: No
Type: Array of Tag
Minimum: 1
Maximum: 200
Update requires: No interruption
Type
Indicates whether the rule group is stateless or stateful. If the rule group is stateless, it contains stateless rules. If it is stateful, it contains stateful rules.
Required: Yes
Type: String
Allowed values: STATELESS | STATEFUL
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the Amazon Resource Name (ARN) of the rule group. For example:
{ "Ref": "arn:aws:network-firewall:us-east-1:012345678901:stateful-rulegroup/myStatefulRuleGroupName" }
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
RuleGroupArn
The Amazon Resource Name (ARN) of the AWS::NetworkFirewall::RuleGroup.
RuleGroupId
The unique ID of the AWS::NetworkFirewall::RuleGroup resource.
Examples
Create a stateful rule group
The following shows example stateful rule group specifications.
JSON
"SampleStatefulRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatefulRulegroupName",
    "Type": "STATEFUL",
    "RuleGroup": {
      "RulesSource": {
        "RulesString": "pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203 (msg:\"test\";sid:1;rev:1;)"
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}
YAML
SampleStatefulRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatefulRulegroupName
    Type: STATEFUL
    RuleGroup:
      RulesSource:
        RulesString: >-
          pass tcp 10.20.20.0/24 45400:45500 <> 10.10.10.0/24 5203
          (msg:"test";sid:1;rev:1;)
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar
Create a stateless rule group
The following shows example stateless rule group specifications.
JSON
"SampleStatelessRulegroup": {
  "Type": "AWS::NetworkFirewall::RuleGroup",
  "Properties": {
    "RuleGroupName": "SampleStatelessRulegroupName",
    "Type": "STATELESS",
    "RuleGroup": {
      "RulesSource": {
        "StatelessRulesAndCustomActions": {
          "StatelessRules": [
            {
              "RuleDefinition": {
                "MatchAttributes": {
                  "Sources": [
                    {
                      "AddressDefinition": "0.0.0.0/0"
                    }
                  ],
                  "Destinations": [
                    {
                      "AddressDefinition": "10.0.0.0/8"
                    }
                  ],
                  "SourcePorts": [
                    {
                      "FromPort": 15000,
                      "ToPort": 30000
                    }
                  ],
                  "DestinationPorts": [
                    {
                      "FromPort": 443,
                      "ToPort": 443
                    }
                  ],
                  "Protocols": [
                    6
                  ]
                },
                "Actions": [
                  "aws:pass"
                ]
              },
              "Priority": 1
            }
          ]
        }
      }
    },
    "Capacity": 100,
    "Description": "Rulegroup description goes here",
    "Tags": [
      {
        "Key": "Foo",
        "Value": "Bar"
      }
    ]
  }
}
YAML
SampleStatelessRulegroup:
  Type: 'AWS::NetworkFirewall::RuleGroup'
  Properties:
    RuleGroupName: SampleStatelessRulegroupName
    Type: STATELESS
    RuleGroup:
      RulesSource:
        StatelessRulesAndCustomActions:
          StatelessRules:
            - RuleDefinition:
                MatchAttributes:
                  Sources:
                    - AddressDefinition: 0.0.0.0/0
                  Destinations:
                    - AddressDefinition: 10.0.0.0/8
                  SourcePorts:
                    - FromPort: 15000
                      ToPort: 30000
                  DestinationPorts:
                    - FromPort: 443
                      ToPort: 443
                  Protocols:
                    - 6
                Actions:
                  - 'aws:pass'
              Priority: 1
    Capacity: 100
    Description: Rulegroup description goes here
    Tags:
      - Key: Foo
        Value: Bar
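The property table above and the stateless example both carry constraints that CloudFormation only reports at deploy time (the RuleGroupName pattern and lengths, the allowed Type values, and the requirement that each stateless port-range entry carry both FromPort and ToPort). The following script is an added example, not AWS code and not part of this page; it checks a rule group resource, expressed as a Python dict in the same shape as the JSON examples, against those documented constraints before the template is submitted. The sample resources it validates are constructed here, and the split-port-range variant is a deliberately malformed copy used to show the checks firing.

```python
"""Check an AWS::NetworkFirewall::RuleGroup resource against the property
constraints documented on the CloudFormation page (constructed example)."""
import json
import re

NAME_PATTERN = re.compile(r"^[a-zA-Z0-9-]+$")     # RuleGroupName pattern
ALLOWED_TYPES = {"STATELESS", "STATEFUL"}          # Type allowed values
REQUIRED = ("Capacity", "RuleGroupName", "Type")   # properties marked Required: Yes


def validate_rule_group(resource):
    """Return a list of problems; an empty list means every documented
    constraint checked here is satisfied."""
    problems = []
    if resource.get("Type") != "AWS::NetworkFirewall::RuleGroup":
        problems.append("resource Type must be AWS::NetworkFirewall::RuleGroup")
    props = resource.get("Properties", {})
    problems += [f"missing required property {k}" for k in REQUIRED if k not in props]

    cap = props.get("Capacity")
    if cap is not None and (isinstance(cap, bool) or not isinstance(cap, int) or cap < 1):
        problems.append("Capacity must be a positive integer")

    name = props.get("RuleGroupName")
    if name is not None and not (1 <= len(name) <= 128 and NAME_PATTERN.match(name)):
        problems.append("RuleGroupName must match ^[a-zA-Z0-9-]+$ and be 1-128 characters")

    desc = props.get("Description")
    if desc is not None and not 1 <= len(desc) <= 512:
        problems.append("Description must be 1-512 characters")

    if "Type" in props and props["Type"] not in ALLOWED_TYPES:
        problems.append("Type must be STATELESS or STATEFUL")

    tags = props.get("Tags")
    if tags is not None and not 1 <= len(tags) <= 200:
        problems.append("Tags must hold 1-200 entries")

    if props.get("Type") == "STATELESS":
        problems += check_stateless_rules(props.get("RuleGroup", {}))
    return problems


def check_stateless_rules(rule_group):
    """Stateless rules: every port-range entry needs both FromPort and ToPort
    (a common template mistake is to split them into two objects), the range
    must not be reversed, and every rule needs at least one action."""
    problems = []
    rules = (rule_group.get("RulesSource", {})
             .get("StatelessRulesAndCustomActions", {})
             .get("StatelessRules", []))
    for i, rule in enumerate(rules):
        definition = rule.get("RuleDefinition", {})
        match = definition.get("MatchAttributes", {})
        for field in ("SourcePorts", "DestinationPorts"):
            for entry in match.get(field, []):
                if set(entry) != {"FromPort", "ToPort"}:
                    problems.append(f"rule {i}: {field} entry {entry} needs both FromPort and ToPort")
                elif entry["FromPort"] > entry["ToPort"]:
                    problems.append(f"rule {i}: {field} range {entry} is reversed")
        if not definition.get("Actions"):
            problems.append(f"rule {i}: Actions must list at least one action")
    return problems


# Constructed sample: the page's stateless rule group as a Python dict.
STATELESS_OK = {
    "Type": "AWS::NetworkFirewall::RuleGroup",
    "Properties": {
        "RuleGroupName": "SampleStatelessRulegroupName",
        "Type": "STATELESS",
        "Capacity": 100,
        "Description": "Rulegroup description goes here",
        "Tags": [{"Key": "Foo", "Value": "Bar"}],
        "RuleGroup": {"RulesSource": {"StatelessRulesAndCustomActions": {"StatelessRules": [{
            "Priority": 1,
            "RuleDefinition": {
                "MatchAttributes": {
                    "Sources": [{"AddressDefinition": "0.0.0.0/0"}],
                    "Destinations": [{"AddressDefinition": "10.0.0.0/8"}],
                    "SourcePorts": [{"FromPort": 15000, "ToPort": 30000}],
                    "DestinationPorts": [{"FromPort": 443, "ToPort": 443}],
                    "Protocols": [6],
                },
                "Actions": ["aws:pass"],
            },
        }]}}},
    },
}


def broken_variant():
    """Constructed malformed copy: the source port range split into two
    objects and an underscore in RuleGroupName."""
    bad = json.loads(json.dumps(STATELESS_OK))      # deep copy via JSON round-trip
    bad["Properties"]["RuleGroupName"] = "Sample_Stateless"
    rules = bad["Properties"]["RuleGroup"]["RulesSource"]["StatelessRulesAndCustomActions"]["StatelessRules"]
    rules[0]["RuleDefinition"]["MatchAttributes"]["SourcePorts"] = [{"FromPort": 15000}, {"ToPort": 30000}]
    return bad


if __name__ == "__main__":
    print("page example:", validate_rule_group(STATELESS_OK) or "ok")
    for problem in validate_rule_group(broken_variant()):
        print("malformed copy:", problem)
```

Running the script reports no problems for the page's stateless example and three for the malformed copy: the name pattern violation and one message per incomplete port-range object. The checks deliberately stop at what the property table states; a full template linter or a CloudFormation change set is still needed to catch constraints the page does not list.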