AWS::NetworkFirewall::RuleGroup Header
The 5-tuple criteria for Amazon Network Firewall to use to inspect packet headers in stateful traffic flow inspection. Traffic flows that match the criteria are a match for the corresponding stateful rule.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{ "Destination" :String, "DestinationPort" :String, "Direction" :String, "Protocol" :String, "Source" :String, "SourcePort" :String}
YAML
Destination:StringDestinationPort:StringDirection:StringProtocol:StringSource:StringSourcePort:String
Properties
Destination-
The destination IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY.Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.
Examples:
-
To configure Network Firewall to inspect for the IP address 192.0.2.44, specify
192.0.2.44/32. -
To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify
192.0.2.0/24. -
To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify
1111:0000:0000:0000:0000:0000:0000:0111/128. -
To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify
1111:0000:0000:0000:0000:0000:0000:0000/64.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing
. Required: Yes
Type: String
Pattern:
^.*$Minimum:
1Maximum:
1024Update requires: No interruption
-
DestinationPort-
The destination port to inspect for. You can specify an individual port, for example
1994and you can specify a port range, for example1990:1994. To match with any port, specifyANY.Required: Yes
Type: String
Pattern:
^.*$Minimum:
1Maximum:
1024Update requires: No interruption
Direction-
The direction of traffic flow to inspect. If set to
ANY, the inspection matches bidirectional traffic, both from the source to the destination and from the destination to the source. If set toFORWARD, the inspection only matches traffic going from the source to the destination.Required: Yes
Type: String
Allowed values:
FORWARD | ANYUpdate requires: No interruption
Protocol-
The protocol to inspect for. To specify all, you can use
IP, because all traffic on Amazon and on the internet is IP.Required: Yes
Type: String
Allowed values:
IP | TCP | UDP | ICMP | HTTP | FTP | TLS | SMB | DNS | DCERPC | SSH | SMTP | IMAP | MSN | KRB5 | IKEV2 | TFTP | NTP | DHCPUpdate requires: No interruption
Source-
The source IP address or address range to inspect for, in CIDR notation. To match with any address, specify
ANY.Specify an IP address or a block of IP addresses in Classless Inter-Domain Routing (CIDR) notation. Network Firewall supports all address ranges for IPv4 and IPv6.
Examples:
-
To configure Network Firewall to inspect for the IP address 192.0.2.44, specify
192.0.2.44/32. -
To configure Network Firewall to inspect for IP addresses from 192.0.2.0 to 192.0.2.255, specify
192.0.2.0/24. -
To configure Network Firewall to inspect for the IP address 1111:0000:0000:0000:0000:0000:0000:0111, specify
1111:0000:0000:0000:0000:0000:0000:0111/128. -
To configure Network Firewall to inspect for IP addresses from 1111:0000:0000:0000:0000:0000:0000:0000 to 1111:0000:0000:0000:ffff:ffff:ffff:ffff, specify
1111:0000:0000:0000:0000:0000:0000:0000/64.
For more information about CIDR notation, see the Wikipedia entry Classless Inter-Domain Routing
. Required: Yes
Type: String
Pattern:
^.*$Minimum:
1Maximum:
1024Update requires: No interruption
-
SourcePort-
The source port to inspect for. You can specify an individual port, for example
1994and you can specify a port range, for example1990:1994. To match with any port, specifyANY.Required: Yes
Type: String
Pattern:
^.*$Minimum:
1Maximum:
1024Update requires: No interruption