Creates an entry (a rule) in a network ACL with the specified rule number. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet, we process the entries in the ACL according to the rule numbers, in ascending order.
Tip
We recommend that you leave room between the rule numbers (for example, 100, 110, 120, etc.), and not number them one right after the other (for example, 101, 102, 103, etc.). This makes it easier to add a new rule between existing ones without having to renumber the rules.
After you add an entry, you can't modify it; you must either replace it or create a new entry and delete the old one.
For more information about network ACLs, see Network ACLs in the Amazon Virtual Private Cloud User Guide.
The short version of this command is ec2addnae.

```
ec2-create-network-acl-entry acl_id -n rule_number [--egress] -P protocol -r cidr [-p port_range] [-t icmp_type_code] { --allow | --deny }
```
| Name | Description |
|---|---|
| acl_id | The ID of the ACL for the entry. Type: String. Default: None. Required: Yes. Example: acl-5fb85d36 |
| -n rule_number | The rule number to assign to the entry (for example, 100). ACL entries are processed in ascending order by rule number. Type: Number. Default: None. Constraints: Positive integer from 1 to 32766. Required: Yes. Example: -n 100 |
| --egress | Indicates that the rule applies to traffic leaving the subnet. Default: If not specified, the rule applies to ingress traffic into the subnet. Required: No |
| -P protocol | The IP protocol, given by number or name (for example, 6 or udp). Type: String. Required: Yes. Example: -P 6 |
| -r cidr | The IP range to allow or deny, in CIDR notation. Type: String. Default: None. Required: Yes. Example: -r 172.16.0.0/24 |
| -p port_range | For TCP or UDP: The range of ports to allow. Type: String. Default: None. Valid values: A single integer or a range (min-max). You can specify -1 to mean all ports (that is, port range 0-65535). Required: Conditional. Condition: Required if specifying TCP or UDP. Example: -p 80-84 |
| -t icmp_type_code | For ICMP: The ICMP type and code, in the format type:code. Type: String. Default: None. Required: Conditional. Condition: Required if specifying ICMP. Example: -t -1:-1 |
| --allow | Specifies that any traffic matching the rule is allowed. Required: Conditional. Condition: You must specify either --allow or --deny, but not both. |
| --deny | Specifies that any traffic matching the rule is denied. Required: Conditional. Condition: You must specify either --allow or --deny, but not both. |
| Option | Description |
|---|---|
| --region region | Overrides the region specified by the environment variable. Default: The value of the corresponding environment variable (if set). |
| -U, --url url | The uniform resource locator (URL) of the Amazon EC2 web service entry point. Default: The value of the corresponding environment variable (if set). |
| -K, --private-key key | The private key that identifies you to Amazon EC2. For more information, see Tell the Tools Who You Are. Default: The value of the corresponding environment variable (if set). |
| -C, --cert cert | The X.509 certificate that identifies you to Amazon EC2. Default: The value of the corresponding environment variable (if set). |
| -O, --aws-access-key key | The access key ID associated with your AWS account. For more information, see Tell the Tools Who You Are. Default: The value of the corresponding environment variable (if set). Note: For more information, see the following section, Deprecated Options. |
| -W, --aws-secret-key key | The secret access key associated with your AWS account. Default: The value of the corresponding environment variable (if set). Note: For more information, see the following section, Deprecated Options. |
| -T, --security-token token | The AWS delegation token. Default: The value of the corresponding environment variable (if set). |
| --connection-timeout timeout | The connection timeout, in seconds. |
| --request-timeout timeout | The request timeout, in seconds. |
| -v, --verbose | Displays verbose output, including the API request and response on the command line. This is useful if you are building tools to talk directly to our Query API. |
| -H, --headers | Includes column headers in the command output. |
| --show-empty-fields | Shows empty columns in the command output. |
| --hide-tags | Omits tags for tagged resources. |
| --debug | Displays internal debugging information. This can assist us when helping you troubleshoot problems. |
| --help | Displays usage information for the command. |
| | Reads arguments from standard input. This is useful when piping the output from one command to the input of another. |
For a limited time, you can still use the private key and X.509 certificate instead of your access key ID and secret access key. However, we recommend that you start using your access key ID (-O, --aws-access-key) and secret access key (-W, --aws-secret-key) now, as the private key (-K, --private-key) and X.509 certificate (-C, --cert) won't be supported after the transition period elapses. For more information, see Tell the Tools Who You Are.
| Option | Description |
|---|---|
| -K, --private-key key | The private key to use when constructing requests to Amazon EC2. Default: The value of the corresponding environment variable (if set). |
| -C, --cert cert | The X.509 certificate to use when constructing requests to Amazon EC2. Default: The value of the corresponding environment variable (if set). |
This command returns a table that contains the following information:

- The ENTRY identifier
Amazon EC2 command line tools display errors on stderr.
This example creates an entry with rule number 100 in the network ACL with ID acl-2cb85d45. The rule allows ingress traffic from anywhere (0.0.0.0/0) on UDP port 53 into the subnet.

```
PROMPT> ec2-create-network-acl-entry acl-2cb85d45 -n 100 -r 0.0.0.0/0 -P udp -p 53 --allow
ENTRY ingress 100 allow 0.0.0.0/0 udp 53 53
```
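The ordering rule described above (entries evaluated in ascending rule number, first match decides) is easy to get wrong when a broad allow sits at a lower number than a narrower deny. The following is an added model of that evaluation, not code from this page or from the EC2 tools; the ACL it builds reuses the page's rule 100 and adds a constructed rule 110, and it treats a packet matching no entry as denied (the ACL's implicit final deny-all rule).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class AclEntry:
    rule_number: int                  # -n: 1..32766, evaluated in ascending order
    egress: bool                      # True when --egress was given
    protocol: str                     # -P: 'tcp', 'udp', 'icmp' or 'all'
    cidr: str                         # -r: address range in CIDR notation
    ports: Optional[Tuple[int, int]]  # -p: (min, max); None means all ports (-p -1)
    action: str                       # 'allow' (--allow) or 'deny' (--deny)

    def __post_init__(self):
        if not 1 <= self.rule_number <= 32766:
            raise ValueError("rule number must be a positive integer from 1 to 32766")
        if self.action not in ("allow", "deny"):
            raise ValueError("specify exactly one of --allow or --deny")

def matches(e: AclEntry, egress: bool, proto: str, ip: str, port: int) -> bool:
    """Does one entry apply to a packet travelling in the given direction?"""
    if e.egress != egress or e.protocol not in ("all", proto):
        return False
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(e.cidr):
        return False
    return e.ports is None or e.ports[0] <= port <= e.ports[1]

def evaluate(acl: List[AclEntry], egress: bool, proto: str, ip: str, port: int):
    """Walk one direction's entries in ascending rule-number order; the first
    match decides. No match: denied (implicit final deny-all, assumption of model)."""
    for e in sorted((x for x in acl if x.egress == egress), key=lambda x: x.rule_number):
        if matches(e, egress, proto, ip, port):
            return e.action, e.rule_number
    return "deny", None

# Constructed ACL: rule 100 is the page's example (allow UDP 53 from anywhere);
# rule 110 is a constructed attempt to deny all UDP from 10.0.0.0/8.
ACL = [
    AclEntry(100, False, "udp", "0.0.0.0/0", (53, 53), "allow"),
    AclEntry(110, False, "udp", "10.0.0.0/8", None, "deny"),
]

def shadowed_deny_demo():
    # DNS from 10.1.2.3 is allowed: rule 100 matches first, so rule 110 never runs.
    before = evaluate(ACL, False, "udp", "10.1.2.3", 53)
    # Entries cannot be modified, so the fix is a new, lower-numbered deny; the gap
    # left below 100 (per the numbering tip) means nothing has to be renumbered.
    fixed = ACL + [AclEntry(90, False, "udp", "10.0.0.0/8", None, "deny")]
    after = evaluate(fixed, False, "udp", "10.1.2.3", 53)
    return before, after
```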