Amazon Elastic Compute Cloud
API Reference (API Version 2016-11-15)


Creates a network ACL in a VPC. Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your VPC.

For more information about network ACLs, see Network ACLs in the Amazon Virtual Private Cloud User Guide.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


The ID of the VPC.

Type: String

Required: Yes

Response Elements

The following elements are returned by the service.


Information about the network ACL.

Type: NetworkAcl object


The ID of the request.

Type: String


For information about the errors that are common to all actions, see Common Errors.



This example creates a network ACL in the specified IPv6-enabled VPC. The response includes default IPv4 and IPv6 entries for egress and ingress traffic, each with a very high rule number. These are the last entries we process to decide whether traffic is allowed in or out of an associated subnet. If the traffic doesn't match any rules with a lower rule number, then these default entries ultimately deny the traffic.

Sample Request

Copy &VpcId=vpc-11ad4878 &AUTHPARAMS

Sample Response

<CreateNetworkAclResponse xmlns=""> <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId> <networkAcl> <networkAclId>acl-5fb85d36</networkAclId> <vpcId>vpc-11ad4878</vpcId> <default>false</default> <entrySet> <item> <ruleNumber>32767</ruleNumber> <protocol>all</protocol> <ruleAction>deny</ruleAction> <egress>true</egress> <cidrBlock></cidrBlock> </item> <item> <ruleNumber>32767</ruleNumber> <protocol>all</protocol> <ruleAction>deny</ruleAction> <egress>false</egress> <cidrBlock></cidrBlock> </item> <item> <ruleNumber>32768</ruleNumber> <protocol>all</protocol> <ruleAction>deny</ruleAction> <egress>true</egress> <ipv6CidrBlock>::/0</ipv6CidrBlock> </item> <item> <ruleNumber>32768</ruleNumber> <protocol>all</protocol> <ruleAction>deny</ruleAction> <egress>false</egress> <ipv6CidrBlock>::/0</ipv6CidrBlock> </entrySet> <associationSet/> <tagSet/> </networkAcl> </CreateNetworkAclResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: