AWS::EC2::NetworkAclEntry - Amazon CloudFormation
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

AWS::EC2::NetworkAclEntry

Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.

For information about the protocol value, see Protocol Numbers on the Internet Assigned Numbers Authority (IANA) website.

Syntax

To declare this entity in your Amazon CloudFormation template, use the following syntax:

JSON

{ "Type" : "AWS::EC2::NetworkAclEntry", "Properties" : { "CidrBlock" : String, "Egress" : Boolean, "Icmp" : Icmp, "Ipv6CidrBlock" : String, "NetworkAclId" : String, "PortRange" : PortRange, "Protocol" : Integer, "RuleAction" : String, "RuleNumber" : Integer } }

YAML

Type: AWS::EC2::NetworkAclEntry Properties: CidrBlock: String Egress: Boolean Icmp: Icmp Ipv6CidrBlock: String NetworkAclId: String PortRange: PortRange Protocol: Integer RuleAction: String RuleNumber: Integer

Properties

CidrBlock

The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). You must specify an IPv4 CIDR block or an IPv6 CIDR block.

Required: Conditional

Type: String

Update requires: No interruption

Egress

Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, Amazon CloudFormation specifies false.

Required: No

Type: Boolean

Update requires: Replacement

Icmp

The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.

Required: Conditional

Type: Icmp

Update requires: No interruption

Ipv6CidrBlock

The IPv6 network range to allow or deny, in CIDR notation. You must specify an IPv4 CIDR block or an IPv6 CIDR block.

Required: Conditional

Type: String

Update requires: No interruption

NetworkAclId

The ID of the ACL for the entry.

Required: Yes

Type: String

Update requires: Replacement

PortRange

The range of port numbers for the UDP/TCP protocol. Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.

Required: Conditional

Type: PortRange

Update requires: No interruption

Protocol

The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols.

Note

If you specify -1, all ports are opened and the PortRange property is ignored.

Required: Yes

Type: Integer

Update requires: No interruption

RuleAction

Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".

Required: Yes

Type: String

Allowed values: allow | deny

Update requires: No interruption

RuleNumber

Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule.

Required: Yes

Type: Integer

Update requires: Replacement

Return values

Ref

When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the network ACL entry.

For more information about using the Ref function, see Ref.

Fn::GetAtt

The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.

For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.

Id

The ID of the network ACL entry.

Examples

Network ACL entries for inbound and outbound traffic

The following example creates a network ACL, and creates two entries in the NACL. The first entry allows inbound SSH traffic from the specified network. The second entry allows all outbound IPv4 traffic.

JSON

{ "Resources": { "MyNACL": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": "vpc-1122334455aabbccd", "Tags": [ { "Key": "Name", "Value": "NACLforSSHTraffic" } ] } }, "InboundRule": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "172.16.0.0/24", "PortRange": { "From": 22, "To": 22 } } }, "OutboundRule": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": -1, "Egress": true, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0" } } } }

YAML

Resources: MyNACL: Type: AWS::EC2::NetworkAcl Properties: VpcId: vpc-1122334455aabbccd Tags: - Key: Name Value: NACLforSSHTraffic InboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 PortRange: From: 22 To: 22 OutboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: -1 Egress: true RuleAction: allow CidrBlock: 0.0.0.0/0

See also