Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
For information about the protocol value, see Protocol Numbers.
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON

{
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
    "CidrBlock" : String,
    "Egress" : Boolean,
    "Icmp" : Icmp,
    "Ipv6CidrBlock" : String,
    "NetworkAclId" : String,
    "PortRange" : PortRange,
    "Protocol" : Integer,
    "RuleAction" : String,
    "RuleNumber" : Integer
  }
}

YAML

Type: AWS::EC2::NetworkAclEntry
Properties:
  CidrBlock: String
  Egress: Boolean
  Icmp: Icmp
  Ipv6CidrBlock: String
  NetworkAclId: String
  PortRange: PortRange
  Protocol: Integer
  RuleAction: String
  RuleNumber: Integer
CidrBlock
The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24).
Requirement is conditional: You must specify the CidrBlock or Ipv6CidrBlock property.
Required: No
Type: String
Update requires: No interruption

Egress
Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, AWS CloudFormation specifies false.
Required: No
Type: Boolean
Update requires: Replacement

Icmp
The Internet Control Message Protocol (ICMP) code and type.
Requirement is conditional: Required if specifying 1 (ICMP) for the protocol parameter.
Required: No
Type: Icmp
Update requires: No interruption

Ipv6CidrBlock
The IPv6 network range to allow or deny, in CIDR notation.
Requirement is conditional: You must specify the CidrBlock or Ipv6CidrBlock property.
Required: No
Type: String
Update requires: No interruption

NetworkAclId
The ID of the ACL for the entry.
Required: Yes
Type: String
Update requires: Replacement

PortRange
The range of port numbers for the UDP/TCP protocol.
Requirement is conditional: Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.
Required: No
Type: PortRange
Update requires: No interruption

Protocol
The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols.
If you specify -1, all ports are opened and the PortRange property is ignored.
Required: Yes
Type: Integer
Update requires: No interruption

RuleAction
Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".
Required: Yes
Type: String
Allowed Values: allow | deny
Update requires: No interruption

RuleNumber
Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule.
Required: Yes
Type: Integer
Update requires: Replacement
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.
For more information about using the Ref function, see Ref.
The following example creates an entry in a network ACL with a specified rule number.
JSON

"myNetworkAclEntry" : {
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
    "NetworkAclId" : { "Ref" : "myNetworkAcl" },
    "RuleNumber" : "100",
    "Protocol" : "-1",
    "RuleAction" : "allow",
    "Egress" : "true",
    "CidrBlock" : "172.16.0.0/24",
    "Icmp" : { "Code" : "-1", "Type" : "-1" },
    "PortRange" : { "From" : "53", "To" : "53" }
  }
}

YAML

myNetworkAclEntry:
  Type: AWS::EC2::NetworkAclEntry
  Properties:
    NetworkAclId:
      Ref: myNetworkAcl
    RuleNumber: '100'
    Protocol: "-1"
    RuleAction: allow
    Egress: 'true'
    CidrBlock: 172.16.0.0/24
    Icmp:
      Code: "-1"
      Type: "-1"
    PortRange:
      From: '53'
      To: '53'
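The conditional requirements and the rule-number rule above are easy to get wrong in a template before deployment. The following added example (not AWS code) is a small pre-deployment check that reads a parsed template dict, applies those rules to every AWS::EC2::NetworkAclEntry resource, and additionally flags an "allow" for all protocols from any address; the sample template, resource names and ACL name "acl" are constructed for the example.

```python
from collections import defaultdict

ENTRY_TYPE = "AWS::EC2::NetworkAclEntry"
ANY_ADDR = {"0.0.0.0/0", "::/0"}  # "any address" in IPv4 and IPv6 CIDR notation

def check_entry(name, props):
    """Findings for one entry's Properties dict, per the conditional requirements above."""
    proto = int(props["Protocol"])  # required property; templates often quote it, e.g. "-1"
    findings = []
    if "CidrBlock" not in props and "Ipv6CidrBlock" not in props:
        findings.append(f"{name}: CidrBlock or Ipv6CidrBlock is required")
    if proto in (6, 17) and "PortRange" not in props:
        findings.append(f"{name}: PortRange is required for protocol {proto}")
    if proto == 1 and "Icmp" not in props:
        findings.append(f"{name}: Icmp is required for protocol 1 (ICMP)")
    if proto == -1 and "PortRange" in props:
        findings.append(f"{name}: PortRange is ignored when Protocol is -1")
    cidrs = {props.get("CidrBlock"), props.get("Ipv6CidrBlock")}
    if proto == -1 and props.get("RuleAction") == "allow" and cidrs & ANY_ADDR:
        findings.append(f"{name}: allows all protocols and ports from any address")
    return findings

def check_template(template):
    """Check every NetworkAclEntry and flag rule numbers reused within one ACL and direction."""
    findings, seen = [], defaultdict(list)  # (acl, egress?, rule number) -> resource names
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != ENTRY_TYPE:
            continue
        props = res.get("Properties", {})
        findings += check_entry(name, props)
        acl = props.get("NetworkAclId")
        acl_key = acl.get("Ref") if isinstance(acl, dict) else acl  # resolve {"Ref": ...}
        egress = str(props.get("Egress", "false")).lower() == "true"  # default is false
        seen[(acl_key, egress, int(props["RuleNumber"]))].append(name)
    for (acl_key, egress, num), names in seen.items():
        if len(names) > 1:  # same number is only legal across ingress/egress
            direction = "egress" if egress else "ingress"
            findings.append(f"{acl_key}: {direction} rule {num} reused by {', '.join(names)}")
    return findings

# Constructed sample template (not from the page): one egress DNS rule and two ingress rules.
SAMPLE = {"Resources": {
    "dnsOut": {"Type": ENTRY_TYPE, "Properties": {"NetworkAclId": {"Ref": "acl"}, "Egress": "true",
               "RuleNumber": 100, "Protocol": 17, "RuleAction": "allow", "CidrBlock": "10.0.0.0/16",
               "PortRange": {"From": 53, "To": 53}}},
    "webIn": {"Type": ENTRY_TYPE, "Properties": {"NetworkAclId": {"Ref": "acl"}, "RuleNumber": 100,
              "Protocol": 6, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"}},  # no PortRange
    "allIn": {"Type": ENTRY_TYPE, "Properties": {"NetworkAclId": {"Ref": "acl"}, "RuleNumber": "100",
              "Protocol": "-1", "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"}},
}}
```

Running check_template(SAMPLE) reports the missing PortRange on webIn, the wide-open allIn rule, and the ingress rule number 100 shared by webIn and allIn; dnsOut reuses 100 legitimately because it is an egress rule.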
NetworkAclEntry in the Amazon EC2 API Reference
Network ACLs in the Amazon Virtual Private Cloud User Guide