 

How to specify both IPv6 and v4 in Security Groups in CloudFormation?

I tried to create a security group like:

  WebTierSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      SecurityGroupIngress:
        - Description: Allow HTTP
          IpProtocol: tcp
          FromPort: 80
          CidrIp: 0.0.0.0/0
          CidrIpv6: ::/0

But CloudFormation complains I cannot have both CidrIp and CidrIpv6. How do I resolve this? I thought I can have both via AWS console?

Both CidrIp and CidrIpv6 cannot be specified

Jiew Meng asked Jul 25 '18 09:07



1 Answer

The SecurityGroupIngress (and also SecurityGroupEgress) property of the resource is of type list/array. You must supply a list of resources, or a list of rules to be applied to the security group. Each rule must have a CidrIp OR a CidrIpv6, not both at the same time. When you need to allow the two protocols, you must apply two different rules. Change your template like below:

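  WebTierSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      # GroupDescription is a required property of AWS::EC2::SecurityGroup
      GroupDescription: Web tier security group
      SecurityGroupIngress:
        # IPv4 source range as its own rule
        - Description: Allow HTTP
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80  # tcp rules need both ends of the port range
          CidrIp: 0.0.0.0/0
        # IPv6 source range as a second rule
        - Description: Allow HTTP
          IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIpv6: ::/0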
Gustavo Tavares answered Oct 07 '22 21:10
