AWS CloudFormation
User Guide (API Version 2010-05-15)

AWS::EC2::NetworkAclEntry

Creates an entry (i.e., a rule) in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
   "Type" : "AWS::EC2::NetworkAclEntry",
   "Properties" : {
      "CidrBlock" : String,
      "Egress" : Boolean,
      "Icmp" : EC2 ICMP,
      "Ipv6CidrBlock" : String, 
      "NetworkAclId" : String,
      "PortRange" : EC2 PortRange,
      "Protocol" : Integer,
      "RuleAction" : String,
      "RuleNumber" : Integer
   }
}     

YAML

Type: "AWS::EC2::NetworkAclEntry"
Properties: 
  CidrBlock: String
  Egress: Boolean
  Icmp:
    EC2 ICMP
  Ipv6CidrBlock: String 
  NetworkAclId: String
  PortRange:
    EC2 PortRange
  Protocol: Integer
  RuleAction : String
  RuleNumber : Integer

Properties

CidrBlock

The IPv4 CIDR range to allow or deny, in CIDR notation (e.g., 172.16.0.0/24).

Required: Conditional. You must specify the CidrBlock or Ipv6CidrBlock property.

Type: String

Update requires: No interruption

Egress

Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, AWS CloudFormation specifies false.

Required: No

Type: Boolean

Update requires: Replacement.

Icmp

The Internet Control Message Protocol (ICMP) code and type.

Required: Conditional. Required if you specify 1 (ICMP) for the Protocol property.

Type: EC2 NetworkAclEntry Icmp

Update requires: No interruption

Ipv6CidrBlock

The IPv6 CIDR range to allow or deny, in CIDR notation.

Required: Conditional. You must specify the CidrBlock or Ipv6CidrBlock property.

Type: String

Update requires: No interruption

NetworkAclId

ID of the ACL where the entry will be created.

Required: Yes

Type: String

Update requires: Replacement.

PortRange

The range of port numbers for the UDP/TCP protocol.

Required: Conditional. Required if you specify 6 (TCP) or 17 (UDP) for the Protocol property.

Type: EC2 NetworkAclEntry PortRange

Update requires: No interruption

Protocol

The IP protocol that the rule applies to. You must specify either -1 or a protocol number (see Protocol Numbers at iana.org). Specifying -1 matches all protocols.

Note

If you specify -1, all ports are opened and the PortRange property is ignored.

Required: Yes

Type: Number

Update requires: No interruption

RuleAction

Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".

Required: Yes

Type: String

Update requires: No interruption

RuleNumber

Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule. For valid values, see the CreateNetworkAclEntry action in the Amazon EC2 API Reference.

Required: Yes

Type: Number

Update requires: Replacement.

Return Values

Ref

When the logical ID of this resource is provided to the Ref intrinsic function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Example

JSON

{
   "AWSTemplateFormatVersion" : "2010-09-09",
   "Resources" : {
      "myNetworkAclEntry" : {
         "Type" : "AWS::EC2::NetworkAclEntry",
         "Properties" : {
            "NetworkAclId" : { "Ref" : "myNetworkAcl" },
            "RuleNumber" : "100",
            "Protocol" : "-1",
            "RuleAction" : "allow",
            "Egress" : "true",
            "CidrBlock" : "172.16.0.0/24",
            "Icmp" : { "Code" : "-1", "Type" : "-1" },
            "PortRange" : { "From" : "53", "To" : "53" }
         }
      }
   }
}

YAML

AWSTemplateFormatVersion: '2010-09-09'
Resources:
  myNetworkAclEntry:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: myNetworkAcl
      RuleNumber: '100'
      Protocol: "-1"
      RuleAction: allow
      Egress: 'true'
      CidrBlock: 172.16.0.0/24
      Icmp:
        Code: "-1"
        Type: "-1"
      PortRange:
        From: '53'
        To: '53'
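The following is an added example, not AWS code or part of this page. It takes the conditional Required rules from the Properties section (CidrBlock or Ipv6CidrBlock; Icmp with Protocol 1; PortRange with Protocol 6 or 17), checks a constructed template against them, and then simulates how the resulting network ACL evaluates traffic using the RuleNumber ordering described above: ingress and egress entries are separate sets, entries are tried in ascending rule number, and Protocol -1 ignores PortRange. The template dict is constructed for illustration and reuses this page's example entry as its egress rule; the trailing implicit deny and the omission of ICMP Type/Code matching are assumptions made here, not statements from this page.

```python
"""Validate AWS::EC2::NetworkAclEntry resources and simulate ACL evaluation.

Added example, not AWS code. TEMPLATE is constructed for illustration.
Assumptions beyond the page text: each rule set ends with an implicit deny,
and ICMP Type/Code matching is not modelled.
"""
import ipaddress

# Constructed template: an ingress deny for one host ordered before the subnet
# allow, plus the egress entry from this page's example (string values, as there).
TEMPLATE = {
    "Resources": {
        "denyBadHostIn": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {"Ref": "myNetworkAcl"},
                "RuleNumber": 90, "Protocol": -1, "RuleAction": "deny",
                "Egress": False, "CidrBlock": "172.16.0.99/32",
            },
        },
        "allowHttpsIn": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {"Ref": "myNetworkAcl"},
                "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow",
                "Egress": False, "CidrBlock": "172.16.0.0/24",
                "PortRange": {"From": 443, "To": 443},
            },
        },
        "allowAllOut": {
            "Type": "AWS::EC2::NetworkAclEntry",
            "Properties": {
                "NetworkAclId": {"Ref": "myNetworkAcl"},
                "RuleNumber": "100", "Protocol": "-1", "RuleAction": "allow",
                "Egress": "true", "CidrBlock": "172.16.0.0/24",
                "PortRange": {"From": "53", "To": "53"},
            },
        },
    },
}


def validate_entry(props):
    """Return the problems found, following the Required rules listed on this page."""
    problems = []
    for key in ("NetworkAclId", "Protocol", "RuleAction", "RuleNumber"):
        if key not in props:
            problems.append(f"{key} is required")
    if "CidrBlock" not in props and "Ipv6CidrBlock" not in props:
        problems.append("CidrBlock or Ipv6CidrBlock is required")
    if props.get("RuleAction") not in ("allow", "deny"):
        problems.append("RuleAction must be 'allow' or 'deny'")
    proto = int(props.get("Protocol", 0))
    if proto == 1 and "Icmp" not in props:
        problems.append("Icmp is required when Protocol is 1 (ICMP)")
    if proto in (6, 17) and "PortRange" not in props:
        problems.append("PortRange is required when Protocol is 6 (TCP) or 17 (UDP)")
    return problems


def is_egress(props):
    # Templates may carry booleans as strings ("true"); bool("false") would be True.
    return str(props.get("Egress", False)).lower() == "true"


def load_entries(template):
    """Collect the NetworkAclEntry resources of a template, rejecting invalid ones."""
    entries = []
    for name, res in template["Resources"].items():
        if res.get("Type") != "AWS::EC2::NetworkAclEntry":
            continue
        problems = validate_entry(res["Properties"])
        if problems:
            raise ValueError(f"{name}: " + "; ".join(problems))
        entries.append(res["Properties"])
    return entries


def evaluate(entries, egress, ip, protocol, port=None):
    """Return 'allow' or 'deny' for one packet against the ingress or egress set.

    Rules are tried in ascending RuleNumber order and the first match decides;
    Protocol -1 matches every protocol and ignores PortRange, as the page states.
    """
    addr = ipaddress.ip_address(ip)
    cidr_key = "Ipv6CidrBlock" if addr.version == 6 else "CidrBlock"
    rule_set = [e for e in entries if is_egress(e) == egress]
    for e in sorted(rule_set, key=lambda e: int(e["RuleNumber"])):
        if cidr_key not in e or addr not in ipaddress.ip_network(e[cidr_key], strict=False):
            continue
        rule_proto = int(e["Protocol"])
        if rule_proto != -1:
            if rule_proto != protocol:
                continue
            if rule_proto in (6, 17):
                low, high = int(e["PortRange"]["From"]), int(e["PortRange"]["To"])
                if port is None or not low <= port <= high:
                    continue
        return e["RuleAction"]
    return "deny"  # implicit final rule (assumption: the ACL's default deny)


ENTRIES = load_entries(TEMPLATE)
```

Calling evaluate(ENTRIES, False, "172.16.0.99", 6, 443) returns "deny" because rule 90 is evaluated before the subnet allow at 100; renumbering that deny to 110 would let the allow win, which is the ordering point the RuleNumber property describes. Egress traffic to port 443 from 172.16.0.10 is allowed even though the page's example entry lists PortRange 53, because its Protocol is -1.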

See Also