AWS CloudFormation
User Guide (Version )

AWS::EC2::NetworkAclEntry

Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.

For information about the protocol value, see Protocol Numbers on the Internet Assigned Numbers Authority (IANA) website.

Syntax

To declare this entity in your AWS CloudFormation template, use the following syntax:

JSON

{
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
    "CidrBlock" : String,
    "Egress" : Boolean,
    "Icmp" : Icmp,
    "Ipv6CidrBlock" : String,
    "NetworkAclId" : String,
    "PortRange" : PortRange,
    "Protocol" : Integer,
    "RuleAction" : String,
    "RuleNumber" : Integer
  }
}

YAML

Type: AWS::EC2::NetworkAclEntry
Properties:
  CidrBlock: String
  Egress: Boolean
  Icmp: Icmp
  Ipv6CidrBlock: String
  NetworkAclId: String
  PortRange: PortRange
  Protocol: Integer
  RuleAction: String
  RuleNumber: Integer

Properties

CidrBlock

The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: You must specify the CidrBlock or Ipv6CidrBlock property.

Required: No

Type: String

Update requires: No interruption

Egress

Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, AWS CloudFormation specifies false.

Required: No

Type: Boolean

Update requires: Replacement

Icmp

The Internet Control Message Protocol (ICMP) code and type. Requirement is conditional: Required if specifying 1 (ICMP) for the protocol parameter.

Required: No

Type: Icmp

Update requires: No interruption

Ipv6CidrBlock

The IPv6 network range to allow or deny, in CIDR notation. Requirement is conditional: You must specify the CidrBlock or Ipv6CidrBlock property.

Required: No

Type: String

Update requires: No interruption

NetworkAclId

The ID of the ACL for the entry.

Required: Yes

Type: String

Update requires: Replacement

PortRange

The range of port numbers for the UDP/TCP protocol. Requirement is conditional: Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.

Required: No

Type: PortRange

Update requires: No interruption

Protocol

The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols.

Note

If you specify -1, all ports are opened and the PortRange property is ignored.

Required: Yes

Type: Integer

Update requires: No interruption

RuleAction

Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".

Required: Yes

Type: String

Allowed Values: allow | deny

Update requires: No interruption

RuleNumber

Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule.

Required: Yes

Type: Integer

Update requires: Replacement

Return Values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.

For more information about using the Ref function, see Ref.

Examples

Network ACL Entry

The following example creates an entry in a network ACL with a specified rule number.

JSON

"myNetworkAclEntry" : {
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
    "NetworkAclId" : { "Ref" : "myNetworkAcl" },
    "RuleNumber" : "100",
    "Protocol" : "-1",
    "RuleAction" : "allow",
    "Egress" : "true",
    "CidrBlock" : "172.16.0.0/24",
    "Icmp" : { "Code" : "-1", "Type" : "-1" },
    "PortRange" : { "From" : "53", "To" : "53" }
  }
}

YAML

myNetworkAclEntry:
  Type: AWS::EC2::NetworkAclEntry
  Properties:
    NetworkAclId:
      Ref: myNetworkAcl
    RuleNumber: '100'
    Protocol: "-1"
    RuleAction: allow
    Egress: 'true'
    CidrBlock: 172.16.0.0/24
    Icmp:
      Code: "-1"
      Type: "-1"
    PortRange:
      From: '53'
      To: '53'
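The following added Python example (not part of the AWS documentation) shows how the property rules above fit together: it checks the conditional requirements on an entry, flags rule numbers reused within one direction, and evaluates a packet against a set of entries in ascending RuleNumber order, with Protocol -1 matching every port. The entries, addresses and ports are constructed for illustration.

```python
import ipaddress

# Constructed sample entries (not from AWS). Ingress: allow 443 from anywhere,
# deny SSH from 10/8, then allow everything else from 10/8 (Protocol -1).
ENTRIES = [
    {"RuleNumber": 100, "Egress": False, "Protocol": 6, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},
    {"RuleNumber": 110, "Egress": False, "Protocol": 6, "RuleAction": "deny",
     "CidrBlock": "10.0.0.0/8", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 120, "Egress": False, "Protocol": -1, "RuleAction": "allow",
     "CidrBlock": "10.0.0.0/8"},
    {"RuleNumber": 100, "Egress": True, "Protocol": -1, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
]

def validate(entry):
    """Problems with one entry under the conditional requirements on this page."""
    problems = []
    if "CidrBlock" not in entry and "Ipv6CidrBlock" not in entry:
        problems.append("CidrBlock or Ipv6CidrBlock is required")
    if entry["Protocol"] == 1 and "Icmp" not in entry:
        problems.append("Icmp is required when Protocol is 1")
    if entry["Protocol"] in (6, 17) and "PortRange" not in entry:
        problems.append("PortRange is required when Protocol is 6 or 17")
    return problems

def duplicate_rule_numbers(entries):
    """(Egress, RuleNumber) pairs used more than once within one direction."""
    seen, dups = set(), set()
    for e in entries:
        key = (e["Egress"], e["RuleNumber"])
        (dups if key in seen else seen).add(key)
    return sorted(dups)

def matches(entry, ip, protocol, port):
    cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
    if ipaddress.ip_address(ip) not in ipaddress.ip_network(cidr):
        return False
    if entry["Protocol"] == -1:      # all protocols; PortRange is ignored
        return True
    if entry["Protocol"] != protocol:
        return False
    pr = entry.get("PortRange")
    return pr is None or pr["From"] <= port <= pr["To"]

def evaluate(entries, egress, ip, protocol, port):
    """First match in ascending RuleNumber order wins; no match means deny."""
    for e in sorted((e for e in entries if e["Egress"] == egress),
                    key=lambda e: e["RuleNumber"]):
        if matches(e, ip, protocol, port):
            return e["RuleAction"], e["RuleNumber"]
    return "deny", "*"
```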

See Also