ReplaceNetworkAclEntry - Amazon Elastic Compute Cloud


Replaces an entry (rule) in a network ACL. For more information, see Network ACLs in the Amazon VPC User Guide.

Request Parameters

The following parameters are for this specific action. For more information about required and optional parameters that are common to all actions, see Common Query Parameters.


The IPv4 network range to allow or deny, in CIDR notation (for example

Type: String

Required: No


Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

Type: Boolean

Required: No


Indicates whether to replace the egress rule.

Default: If no value is specified, we replace the ingress rule.

Type: Boolean

Required: Yes


ICMP protocol: The ICMP or ICMPv6 type and code. Required if specifying protocol 1 (ICMP) or protocol 58 (ICMPv6) with an IPv6 CIDR block.

Type: IcmpTypeCode object

Required: No


The IPv6 network range to allow or deny, in CIDR notation (for example 2001:bd8:1234:1a00::/64).

Type: String

Required: No


The ID of the ACL.

Type: String

Required: Yes


TCP or UDP protocols: The range of ports the rule applies to. Required if specifying protocol 6 (TCP) or 17 (UDP).

Type: PortRange object

Required: No


The protocol number. A value of "-1" means all protocols. If you specify "-1" or a protocol number other than "6" (TCP), "17" (UDP), or "1" (ICMP), traffic on all ports is allowed, regardless of any ports or ICMP types or codes that you specify. If you specify protocol "58" (ICMPv6) and specify an IPv4 CIDR block, traffic for all ICMP types and codes allowed, regardless of any that you specify. If you specify protocol "58" (ICMPv6) and specify an IPv6 CIDR block, you must specify an ICMP type and code.

Type: String

Required: Yes


Indicates whether to allow or deny the traffic that matches the rule.

Type: String

Valid Values: allow | deny

Required: Yes


The rule number of the entry to replace.

Type: Integer

Required: Yes

Response Elements

The following elements are returned by the service.


The ID of the request.

Type: String


Is true if the request succeeds, and an error otherwise.

Type: Boolean


For information about the errors that are common to all actions, see Common client error codes.



This example replaces the egress entry numbered 110 in the specified network ACL. The new rule denies egress traffic destined for any IPv4 address ( on TCP port 139.

Sample Request &NetworkAclId=acl-2cb85d45 &RuleNumber=110 &Protocol="6" &RuleAction=deny &Egress=true &CidrBlock= &PortRange.From=139 &PortRange.To=139 &AUTHPARAMS

Sample Response

<ReplaceNetworkAclEntryResponse xmlns=""> <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId> <return>true</return> </ReplaceNetworkAclEntryResponse>

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: