Amazon Elastic Compute Cloud
API Reference (API Version 2013-02-01)

CreateNetworkAclEntry

Description

Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the ACL, we process the entries in the ACL according to the rule numbers, in ascending order; the first entry that matches the packet decides whether it is allowed or denied, and a packet that matches no entry is denied. Network ACLs are stateless: an entry that allows traffic in one direction does not allow the corresponding response traffic, which must be matched by an entry in the opposite direction.

Tip

We recommend that you leave room between the rule numbers (for example, 100, 110, 120, etc.), and not number them one right after the other (for example, 101, 102, 103, etc.). This makes it easier to add a new rule between existing ones without having to renumber the rules.

After you add an entry, you can't modify it; you must either replace it (ReplaceNetworkAclEntry), or create a new entry and delete the old one (DeleteNetworkAclEntry).

For more information about network ACLs, see Network ACLs in the Amazon Virtual Private Cloud User Guide.
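The evaluation order described above, and the renumbering problem the tip warns about, can be checked locally before rules are created. The following Python model is an added example; it is not part of this reference or of any AWS SDK. AclEntry mirrors the request parameters of this action, evaluate applies the first-match, ascending-rule-number semantics with the implicit final deny, and shadowed_entries reports rules that can never fire because a lower-numbered rule already decides every packet they would match. The rule set in example_acl and the addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AclEntry:
    """Local model of one entry, with the fields of CreateNetworkAclEntry."""
    rule_number: int                               # 1..32766; lower numbers are checked first
    protocol: int                                  # -1 = all protocols, else IP protocol number
    rule_action: str                               # "allow" or "deny"
    cidr_block: str
    egress: bool = False
    port_range: Optional[Tuple[int, int]] = None   # TCP (6) / UDP (17): (From, To)
    icmp: Optional[Tuple[int, int]] = None         # ICMP (1): (Type, Code), -1 = any


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: int
    egress: bool                                   # True = leaving the subnet
    dst_port: Optional[int] = None
    icmp: Optional[Tuple[int, int]] = None


def entry_matches(entry: AclEntry, pkt: Packet) -> bool:
    if entry.egress != pkt.egress:
        return False
    # Ingress entries are matched against the packet's source address,
    # egress entries against its destination address.
    addr = pkt.dst if pkt.egress else pkt.src
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(entry.cidr_block):
        return False
    if entry.protocol == -1:
        return True
    if entry.protocol != pkt.protocol:
        return False
    if entry.protocol in (6, 17):
        lo, hi = entry.port_range
        return pkt.dst_port is not None and lo <= pkt.dst_port <= hi
    if entry.protocol == 1:
        if pkt.icmp is None:
            return False
        return all(want in (-1, have) for want, have in zip(entry.icmp, pkt.icmp))
    return True


def evaluate(entries: List[AclEntry], pkt: Packet) -> Tuple[str, Optional[int]]:
    """The first matching entry in ascending rule-number order decides; a packet
    that matches nothing is denied by the ACL's final, fixed deny rule (None here)."""
    for entry in sorted(entries, key=lambda e: e.rule_number):
        if entry_matches(entry, pkt):
            return entry.rule_action, entry.rule_number
    return "deny", None


def covers(outer: AclEntry, inner: AclEntry) -> bool:
    """True when every packet `inner` would match is already matched by `outer`."""
    if outer.egress != inner.egress:
        return False
    o_net = ipaddress.ip_network(outer.cidr_block)
    i_net = ipaddress.ip_network(inner.cidr_block)
    if o_net.version != i_net.version or not (o_net == i_net or o_net.supernet_of(i_net)):
        return False
    if outer.protocol == -1:
        return True
    if outer.protocol != inner.protocol:
        return False
    if outer.protocol in (6, 17):
        return outer.port_range[0] <= inner.port_range[0] and inner.port_range[1] <= outer.port_range[1]
    if outer.protocol == 1:
        return all(o in (-1, i) for o, i in zip(outer.icmp, inner.icmp))
    return True


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Rule numbers of entries that can never fire, because a lower-numbered
    entry already decides every packet they would match."""
    ordered = sorted(entries, key=lambda e: e.rule_number)
    return [later.rule_number for idx, later in enumerate(ordered)
            if any(covers(earlier, later) for earlier in ordered[:idx])]


def example_acl() -> List[AclEntry]:
    """Constructed ingress rule set for the demonstration (not a real ACL)."""
    return [
        AclEntry(100, 6, "allow", "10.0.0.0/8", port_range=(22, 22)),
        AclEntry(120, 6, "deny", "0.0.0.0/0", port_range=(22, 22)),
        AclEntry(130, 6, "allow", "0.0.0.0/0", port_range=(80, 443)),
        # Dead rule: 120 already denies SSH from everywhere, so 140 is never reached.
        # Thanks to the numbering gap it can be re-created as 110 instead.
        AclEntry(140, 6, "allow", "192.168.0.0/16", port_range=(22, 22)),
    ]


if __name__ == "__main__":
    acl = example_acl()
    print("ssh from 192.168.1.9:", evaluate(acl, Packet("192.168.1.9", "10.0.0.5", 6, False, dst_port=22)))
    print("shadowed rule numbers:", shadowed_entries(acl))
    # Stateless: the reply to an allowed connection is a separate egress packet.
    print("reply to client:", evaluate(acl, Packet("10.0.0.5", "203.0.113.7", 6, True, dst_port=49152)))
```

Running shadowed_entries over a rule set before calling CreateNetworkAclEntry catches the common mistake of adding an allow rule with a number higher than an existing broader deny; the last print shows why an ingress allow alone is not enough for a connection to work.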

Request Parameters

NetworkAclId

The ID of the ACL.

Type: String

Default: None

Required: Yes

RuleNumber

The rule number to assign to the entry (for example, 100). ACL entries are processed in ascending order by rule number.

Type: Integer

Default: None

Constraints: Positive integer from 1 to 32766. Rule number 32767 is reserved for the ACL's fixed final deny rule (shown as * in the console) and cannot be used.

Required: Yes

Protocol

The IP protocol the rule applies to, given by protocol number (for example, 6 for TCP, 17 for UDP, 1 for ICMP). You can use -1 to mean all protocols. The PortRange parameters apply only to TCP and UDP, and the Icmp parameters only to ICMP.

Type: Integer

Valid values: -1 or a protocol number (see Protocol Numbers).

Required: Yes

RuleAction

Indicates whether to allow or deny traffic that matches the rule.

Type: String

Default: None

Valid values: allow | deny

Required: Yes

Egress

Indicates whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false).

Type: Boolean

Default: false

Valid values: true | false

Required: No

CidrBlock

The CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24).

Type: String

Default: None

Required: Yes

Icmp.Code

For the ICMP protocol, the ICMP code. You can use -1 to specify all ICMP codes for the given ICMP type.

Type: Integer

Default: None

Required: Conditional

Condition: Required if specifying 1 (ICMP) for the protocol.

Icmp.Type

For the ICMP protocol, the ICMP type. You can use -1 to specify all ICMP types.

Type: Integer

Default: None

Required: Conditional

Condition: Required if specifying 1 (ICMP) for the protocol.

PortRange.From

The first port in the range.

Type: Integer

Default: None

Required: Conditional

Condition: Required if specifying 6 (TCP) or 17 (UDP) for the protocol.

PortRange.To

The last port in the range.

Type: Integer

Default: None

Required: Conditional

Condition: Required if specifying 6 (TCP) or 17 (UDP) for the protocol.
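As an added example, not AWS code or part of this reference, the following Python builds the parameter set for this action and enforces the constraints listed above before anything is sent: the rule-number range, the allow/deny values, a well-formed CIDR block, and the conditional PortRange and Icmp parameters for protocols 6, 17 and 1. Because network ACLs are stateless, it also derives the egress rule that an ingress TCP/UDP allow needs so that replies to the client's ephemeral port can leave the subnet. The network ACL ID is the one from the example request; the Version parameter value and the ephemeral port range 1024-65535 are assumptions of this example.

```python
import ipaddress
from typing import Dict, Optional, Tuple
from urllib.parse import urlencode

API_VERSION = "2013-02-01"   # value of the Version parameter carried by every Query request


def build_create_entry_params(network_acl_id: str, rule_number: int, protocol: int,
                              rule_action: str, cidr_block: str, egress: bool = False,
                              port_range: Optional[Tuple[int, int]] = None,
                              icmp: Optional[Tuple[int, int]] = None) -> Dict[str, str]:
    """Return the CreateNetworkAclEntry request parameters (strings on the wire).
    Raises ValueError for input the documented constraints rule out."""
    if not (isinstance(rule_number, int) and 1 <= rule_number <= 32766):
        raise ValueError("RuleNumber must be an integer from 1 to 32766")
    if rule_action not in ("allow", "deny"):
        raise ValueError("RuleAction must be 'allow' or 'deny'")
    if not (isinstance(protocol, int) and (protocol == -1 or 0 <= protocol <= 255)):
        raise ValueError("Protocol must be -1 or an IP protocol number (0-255)")
    # strict=True rejects a CIDR with host bits set, e.g. 10.0.0.1/24
    net = ipaddress.ip_network(cidr_block, strict=True)
    params = {
        "Action": "CreateNetworkAclEntry",
        "Version": API_VERSION,
        "NetworkAclId": network_acl_id,
        "RuleNumber": str(rule_number),
        "Protocol": str(protocol),
        "RuleAction": rule_action,
        "Egress": "true" if egress else "false",
        "CidrBlock": str(net),
    }
    if protocol in (6, 17):                      # TCP / UDP: PortRange is required
        if port_range is None:
            raise ValueError("PortRange.From and PortRange.To are required for TCP (6) and UDP (17)")
        lo, hi = port_range
        if not (0 <= lo <= hi <= 65535):
            raise ValueError("PortRange must satisfy 0 <= From <= To <= 65535")
        params["PortRange.From"], params["PortRange.To"] = str(lo), str(hi)
    elif protocol == 1:                          # ICMP: Icmp.Type and Icmp.Code are required
        if icmp is None:
            raise ValueError("Icmp.Type and Icmp.Code are required for ICMP (1)")
        if not all(v == -1 or 0 <= v <= 255 for v in icmp):
            raise ValueError("Icmp.Type and Icmp.Code must be -1 or 0-255")
        params["Icmp.Type"], params["Icmp.Code"] = str(icmp[0]), str(icmp[1])
    return params


def validation_error(**kwargs) -> Optional[str]:
    """Convenience wrapper: the ValueError message for rejected input, else None."""
    try:
        build_create_entry_params(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def to_query_string(params: Dict[str, str]) -> str:
    """Render the parameters as the query string form shown in the Examples
    section. The signing parameters that AUTHPARAMS stands for are not included."""
    return urlencode(params, safe="/")


EPHEMERAL_PORTS = (1024, 65535)   # assumed client ephemeral range the return rule must cover


def companion_return_rule(params: Dict[str, str], rule_number: int) -> Dict[str, str]:
    """Derive the opposite-direction rule that lets replies through: same CIDR and
    protocol, ephemeral destination ports. Needed because network ACLs are stateless."""
    if params["Protocol"] not in ("6", "17") or params["RuleAction"] != "allow":
        raise ValueError("only TCP/UDP allow entries have a return rule")
    return build_create_entry_params(
        params["NetworkAclId"], rule_number, int(params["Protocol"]), "allow",
        params["CidrBlock"], egress=(params["Egress"] == "false"),
        port_range=EPHEMERAL_PORTS)


if __name__ == "__main__":
    # The rule from the example request: rule 110, ingress UDP 53 from anywhere.
    dns_in = build_create_entry_params("acl-2cb85d45", 110, 17, "allow", "0.0.0.0/0",
                                       egress=False, port_range=(53, 53))
    print(to_query_string(dns_in))
    print(to_query_string(companion_return_rule(dns_in, 110)))
    print(validation_error(network_acl_id="acl-2cb85d45", rule_number=32767, protocol=-1,
                           rule_action="deny", cidr_block="0.0.0.0/0"))
```

The return rule uses the same rule number in the egress set, which is legal because ingress and egress rule numbers are independent; review the generated CIDR before creating it, since a return rule to 0.0.0.0/0 on 1024-65535 is as permissive as the ingress rule it pairs with.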

Response Elements

The following elements are returned in a CreateNetworkAclEntryResponse element.

requestId

The ID of the request.

Type: xsd:string

return

Returns true if the request succeeds. Otherwise, returns an error.

Type: xsd:boolean

Examples

Example Request

This example creates an entry with rule number 110 in the network ACL with ID acl-2cb85d45. The rule allows ingress traffic from anywhere (0.0.0.0/0) on UDP port 53 into any associated subnet. The protocol is specified by its number (17 for UDP). Because network ACLs are stateless, the DNS responses leaving the subnet are not covered by this rule; a separate egress entry matching the reply traffic (to the clients' ephemeral ports) is also required.

https://ec2.amazonaws.com/?Action=CreateNetworkAclEntry
&NetworkAclId=acl-2cb85d45
&RuleNumber=110
&Protocol=17
&RuleAction=allow
&Egress=false
&CidrBlock=0.0.0.0/0
&PortRange.From=53
&PortRange.To=53
&AUTHPARAMS

Example Response

<CreateNetworkAclEntryResponse xmlns="http://ec2.amazonaws.com/doc/2013-02-01/">
   <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId> 
   <return>true</return>
</CreateNetworkAclEntryResponse>