AWS::EC2::NetworkAclEntry
Creates an entry (i.e., a rule) in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
    "CidrBlock" : String,
    "Egress" : Boolean,
    "Icmp" : EC2 ICMP,
    "Ipv6CidrBlock" : String,
    "NetworkAclId" : String,
    "PortRange" : EC2 PortRange,
    "Protocol" : Integer,
    "RuleAction" : String,
    "RuleNumber" : Integer
  }
}
YAML
Type: AWS::EC2::NetworkAclEntry
Properties:
  CidrBlock: String
  Egress: Boolean
  Icmp: EC2 ICMP
  Ipv6CidrBlock: String
  NetworkAclId: String
  PortRange: EC2 PortRange
  Protocol: Integer
  RuleAction: String
  RuleNumber: Integer
Properties
CidrBlock
The IPv4 CIDR range to allow or deny, in CIDR notation (e.g., 172.16.0.0/24).
Required: Conditional. You must specify the CidrBlock or Ipv6CidrBlock property.
Type: String
Update requires: No interruption
Egress
Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, AWS CloudFormation specifies false.
Required: No
Type: Boolean
Update requires: Replacement.
Icmp
The Internet Control Message Protocol (ICMP) code and type.
Required: Conditional. Required if you specify 1 (ICMP) for the Protocol property.
Type: EC2 NetworkAclEntry Icmp
Update requires: No interruption
Ipv6CidrBlock
The IPv6 CIDR range to allow or deny, in CIDR notation.
Required: Conditional. You must specify the CidrBlock or Ipv6CidrBlock property.
Type: String
Update requires: No interruption
NetworkAclId
The ID of the network ACL in which the entry is created.
Required: Yes
Type: String
Update requires: Replacement.
PortRange
The range of port numbers for the TCP or UDP protocol.
Required: Conditional. Required if you specify 6 (TCP) or 17 (UDP) for the Protocol property.
Type: EC2 NetworkAclEntry PortRange
Update requires: No interruption
Protocol
The IP protocol that the rule applies to. You must specify -1 or a protocol number (see Protocol Numbers at iana.org). You can specify -1 for all protocols.
Note
If you specify -1, all ports are opened and the PortRange property is ignored.
Required: Yes
Type: Number
Update requires: No interruption
RuleAction
Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".
Required: Yes
Type: String
Update requires: No interruption
RuleNumber
The rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule. For valid values, see the CreateNetworkAclEntry action in the Amazon EC2 API Reference.
Required: Yes
Type: Number
Update requires: Replacement.
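The conditional-property rules from the Properties section (CidrBlock or Ipv6CidrBlock, PortRange for TCP/UDP, Icmp for ICMP, no reused rule numbers within one direction) and the ascending-rule-number, first-match processing described under RuleNumber, as an added Python example. This is not code from the page or from AWS; entries are plain dictionaries keyed by the property names above, the sample values are constructed for illustration, and the ("deny", "*") fallback models the implicit final deny rule of a VPC network ACL, which this page does not state. The broad_allows helper is a review aid for spotting allow rules that cover every protocol from or to any address.

```python
import ipaddress

# Constructed sample entries using the property names of
# AWS::EC2::NetworkAclEntry; the values are made up for illustration.
SAMPLE_ENTRIES = [
    # Ingress: deny SSH from one constructed source range ...
    {"RuleNumber": 100, "Egress": False, "Protocol": 6, "RuleAction": "deny",
     "CidrBlock": "198.51.100.0/24", "PortRange": {"From": 22, "To": 22}},
    # ... then allow SSH from anywhere else (rule 100 wins for that range).
    {"RuleNumber": 200, "Egress": False, "Protocol": 6, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 22, "To": 22}},
    # Egress: allow all protocols to anywhere; reusing number 100 is fine
    # here because the direction differs from the ingress rule above.
    {"RuleNumber": 100, "Egress": True, "Protocol": -1, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
]

# Constructed entries that break the conditional-property rules.
BAD_ENTRIES = [
    # TCP without a PortRange
    {"RuleNumber": 300, "Egress": False, "Protocol": 6, "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/8"},
    # both CIDR kinds, ICMP without Icmp, and a reused ingress rule number
    {"RuleNumber": 300, "Egress": False, "Protocol": 1, "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/8", "Ipv6CidrBlock": "::/0"},
]


def _direction(entry):
    return "egress" if bool(entry.get("Egress", False)) else "ingress"


def validate_entries(entries):
    """Apply the conditional-property rules from the Properties section and
    return a list of human-readable problems (empty when all is well)."""
    problems = []
    seen = set()
    for e in entries:
        tag = f"rule {e['RuleNumber']} ({_direction(e)})"
        if ("CidrBlock" in e) == ("Ipv6CidrBlock" in e):
            problems.append(f"{tag}: specify exactly one of CidrBlock or Ipv6CidrBlock")
        proto = int(e["Protocol"])
        if proto in (6, 17) and "PortRange" not in e:
            problems.append(f"{tag}: PortRange is required for protocol {proto}")
        if proto == 1 and "Icmp" not in e:
            problems.append(f"{tag}: Icmp is required for protocol 1")
        if e.get("RuleAction") not in ("allow", "deny"):
            problems.append(f"{tag}: RuleAction must be 'allow' or 'deny'")
        key = (int(e["RuleNumber"]), _direction(e))
        if key in seen:
            problems.append(f"{tag}: rule number reused in the same direction")
        seen.add(key)
    return problems


def broad_allows(entries):
    """Review aid: list (RuleNumber, direction) for allow rules that cover
    all protocols (-1) from/to any address (a /0 prefix)."""
    found = []
    for e in entries:
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if cidr is None:
            continue
        if (e.get("RuleAction") == "allow" and int(e["Protocol"]) == -1
                and ipaddress.ip_network(cidr).prefixlen == 0):
            found.append((int(e["RuleNumber"]), _direction(e)))
    return found


def evaluate(entries, *, egress, address, protocol, port=None):
    """Evaluate one packet against one direction of the ACL: entries are
    tried in ascending RuleNumber order and the first match decides.
    Returns (action, rule_number); ("deny", "*") stands for the implicit
    final deny rule of a VPC network ACL (assumed; not stated on this page)."""
    ip = ipaddress.ip_address(address)
    cidr_key = "Ipv6CidrBlock" if ip.version == 6 else "CidrBlock"
    wanted = "egress" if egress else "ingress"
    candidates = sorted((e for e in entries if _direction(e) == wanted),
                        key=lambda e: int(e["RuleNumber"]))
    for e in candidates:
        if cidr_key not in e or ip not in ipaddress.ip_network(e[cidr_key]):
            continue
        proto = int(e["Protocol"])
        if proto != -1 and proto != protocol:
            continue
        # PortRange only applies to TCP/UDP and is ignored when Protocol is -1.
        if proto in (6, 17):
            pr = e["PortRange"]
            if port is None or not int(pr["From"]) <= port <= int(pr["To"]):
                continue
        return e["RuleAction"], int(e["RuleNumber"])
    return "deny", "*"


if __name__ == "__main__":
    print(validate_entries(SAMPLE_ENTRIES))   # []
    print(validate_entries(BAD_ENTRIES))      # four problems
    print(broad_allows(SAMPLE_ENTRIES))       # [(100, 'egress')]
    print(evaluate(SAMPLE_ENTRIES, egress=False, address="198.51.100.7",
                   protocol=6, port=22))       # ('deny', 100)
    print(evaluate(SAMPLE_ENTRIES, egress=False, address="203.0.113.9",
                   protocol=6, port=443))      # ('deny', '*')
```

Running the script shows why rule order matters: the lower-numbered deny for the constructed 198.51.100.0/24 range is reached before the broader allow at 200, and traffic that matches no entry falls through to the final deny.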
Return Values
Ref
When the logical ID of this resource is provided to the Ref intrinsic
function, Ref returns the resource name.
For more information about using the Ref function, see Ref.
Example
JSON
{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Resources" : {
    "myNetworkAclEntry" : {
      "Type" : "AWS::EC2::NetworkAclEntry",
      "Properties" : {
        "NetworkAclId" : { "Ref" : "myNetworkAcl" },
        "RuleNumber" : "100",
        "Protocol" : "-1",
        "RuleAction" : "allow",
        "Egress" : "true",
        "CidrBlock" : "172.16.0.0/24",
        "Icmp" : { "Code" : "-1", "Type" : "-1" },
        "PortRange" : { "From" : "53", "To" : "53" }
      }
    }
  }
}
YAML
AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: myNetworkAcl
      RuleNumber: '100'
      Protocol: "-1"
      RuleAction: allow
      Egress: 'true'
      CidrBlock: 172.16.0.0/24
      Icmp:
        Code: "-1"
        Type: "-1"
      PortRange:
        From: '53'
        To: '53'
See Also
- NetworkAclEntry in the Amazon EC2 API Reference
- Network ACLs in the Amazon Virtual Private Cloud User Guide
