AWS::EC2::NetworkAclEntry
Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
For information about the protocol value, see Protocol Numbers.
Syntax
To declare this entity in your Amazon CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
      "CidrBlock" : String,
      "Egress" : Boolean,
      "Icmp" : Icmp,
      "Ipv6CidrBlock" : String,
      "NetworkAclId" : String,
      "PortRange" : PortRange,
      "Protocol" : Integer,
      "RuleAction" : String,
      "RuleNumber" : Integer
    }
}
YAML
Type: AWS::EC2::NetworkAclEntry
Properties:
  CidrBlock: String
  Egress: Boolean
  Icmp: Icmp
  Ipv6CidrBlock: String
  NetworkAclId: String
  PortRange: PortRange
  Protocol: Integer
  RuleAction: String
  RuleNumber: Integer
Properties
CidrBlock
The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). Requirement is conditional: you must specify either the CidrBlock or the Ipv6CidrBlock property.
Required: No
Type: String
Update requires: No interruption
Egress
Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, Amazon CloudFormation specifies false.
Required: No
Type: Boolean
Update requires: Replacement
Icmp
The Internet Control Message Protocol (ICMP) code and type. Requirement is conditional: Required if specifying 1 (ICMP) for the protocol parameter.
Required: No
Type: Icmp
Update requires: No interruption
Ipv6CidrBlock
The IPv6 network range to allow or deny, in CIDR notation. Requirement is conditional: you must specify either the CidrBlock or the Ipv6CidrBlock property.
Required: No
Type: String
Update requires: No interruption
NetworkAclId
The ID of the ACL for the entry.
Required: Yes
Type: String
Update requires: Replacement
PortRange
The range of port numbers for the TCP or UDP protocol. Requirement is conditional: required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.
Required: No
Type: PortRange
Update requires: No interruption
Protocol
The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols.
Note
If you specify -1, all ports are opened and the PortRange property is ignored.
Required: Yes
Type: Integer
Update requires: No interruption
RuleAction
Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".
Required: Yes
Type: String
Allowed values: allow | deny
Update requires: No interruption
RuleNumber
Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule.
Required: Yes
Type: Integer
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the resource name.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Examples
Network ACL entries for inbound and outbound traffic
The following example creates a network ACL, and creates two entries in the NACL. The first entry allows inbound SSH traffic from the specified network. The second entry allows all outbound IPv4 traffic.
JSON
{
  "Resources": {
    "MyNACL": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": "vpc-1122334455aabbccd",
        "Tags": [
          { "Key": "Name", "Value": "NACLforSSHTraffic" }
        ]
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "MyNACL" },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": { "From": 22, "To": 22 }
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "MyNACL" },
        "RuleNumber": 100,
        "Protocol": -1,
        "Egress": true,
        "RuleAction": "allow",
        "CidrBlock": "0.0.0.0/0"
      }
    }
  }
}
YAML
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccd
      Tags:
        - Key: Name
          Value: NACLforSSHTraffic
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: -1
      Egress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
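The property rules above (exactly one of CidrBlock/Ipv6CidrBlock, PortRange only meaningful for protocols 6 and 17 and ignored for -1, Icmp required for protocol 1, unique RuleNumber per direction, ascending first-match evaluation) are easy to get wrong in a template and only surface at deploy time or, worse, as an unintended allow. The following added example, which is not part of the AWS documentation or of any AWS tool, validates the NetworkAclEntry resources in a template's Resources map and simulates how the NACL would evaluate a packet. It assumes the NetworkAclId is given as a Ref to a logical ID in the same template, that ICMP type/code matching is out of scope, and that traffic matching no numbered rule falls through to the ACL's final deny. The sample resources are constructed here: the two entries from the page's example plus a lower-numbered deny rule to show ordering.

```python
"""Validate AWS::EC2::NetworkAclEntry resources and simulate NACL evaluation.

Added example (not AWS code). Assumptions: NetworkAclId is a Ref to a logical
ID; ICMP type/code matching is not modelled; unmatched traffic is denied by the
ACL's final '*' rule; evaluation is first match in ascending RuleNumber.
"""
import ipaddress

REQUIRED = ("NetworkAclId", "Protocol", "RuleAction", "RuleNumber")


def validate_entry(props):
    """Return a list of findings for one NetworkAclEntry's Properties dict."""
    findings = [f"missing required property {k}" for k in REQUIRED if k not in props]
    if ("CidrBlock" in props) == ("Ipv6CidrBlock" in props):
        findings.append("specify exactly one of CidrBlock or Ipv6CidrBlock")
    proto = props.get("Protocol")
    if proto in (6, 17) and "PortRange" not in props:
        findings.append(f"PortRange is required when Protocol is {proto}")
    if proto == 1 and "Icmp" not in props:
        findings.append("Icmp is required when Protocol is 1")
    if proto == -1 and "PortRange" in props:
        findings.append("PortRange is ignored when Protocol is -1 (all ports open)")
    if props.get("RuleAction") not in ("allow", "deny"):
        findings.append("RuleAction must be 'allow' or 'deny'")
    return findings


def nacl_entries(resources):
    """Yield (logical_id, Properties) for every NetworkAclEntry in a Resources map."""
    for name, res in resources.items():
        if res.get("Type") == "AWS::EC2::NetworkAclEntry":
            yield name, res["Properties"]


def validate_template(resources):
    """Per-entry findings plus duplicate RuleNumbers within one ACL and direction."""
    findings = {name: validate_entry(p) for name, p in nacl_entries(resources)}
    seen = {}
    for name, p in nacl_entries(resources):
        acl = p.get("NetworkAclId")
        acl = acl["Ref"] if isinstance(acl, dict) and "Ref" in acl else str(acl)
        key = (acl, bool(p.get("Egress", False)), p.get("RuleNumber"))  # direction-scoped
        if key in seen:
            findings[name].append(
                f"RuleNumber {key[2]} already used by {seen[key]} in the same direction")
        else:
            seen[key] = name
    return findings


def _matches(p, *, egress, protocol, address, port):
    """Does one entry match the packet? Mirrors the property semantics on the page."""
    if bool(p.get("Egress", False)) != egress:
        return False
    if p["Protocol"] not in (-1, protocol):
        return False
    net = ipaddress.ip_network(p.get("CidrBlock") or p.get("Ipv6CidrBlock"), strict=False)
    addr = ipaddress.ip_address(address)
    if addr.version != net.version or addr not in net:
        return False
    if p["Protocol"] in (6, 17):  # PortRange is consulted only for TCP/UDP
        rng = p.get("PortRange")
        return rng is not None and port is not None and rng["From"] <= port <= rng["To"]
    return True  # Protocol -1 (or a non-port protocol): all ports, PortRange ignored


def evaluate(resources, *, egress, protocol, address, port=None):
    """First matching rule in ascending RuleNumber wins; otherwise the final '*' rule denies."""
    entries = sorted((p for _, p in nacl_entries(resources)), key=lambda p: p["RuleNumber"])
    for p in entries:
        if _matches(p, egress=egress, protocol=protocol, address=address, port=port):
            return p["RuleAction"]
    return "deny"


# Constructed sample: the page's two entries plus a deny rule that sorts before rule 100.
SAMPLE_RESOURCES = {
    "MyNACL": {"Type": "AWS::EC2::NetworkAcl", "Properties": {"VpcId": "vpc-1122334455aabbccd"}},
    "DenyUpperHalf": {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "NetworkAclId": {"Ref": "MyNACL"}, "RuleNumber": 90, "Protocol": -1,
        "RuleAction": "deny", "CidrBlock": "172.16.0.128/25"}},
    "InboundRule": {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "NetworkAclId": {"Ref": "MyNACL"}, "RuleNumber": 100, "Protocol": 6,
        "RuleAction": "allow", "CidrBlock": "172.16.0.0/24",
        "PortRange": {"From": 22, "To": 22}}},
    "OutboundRule": {"Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "NetworkAclId": {"Ref": "MyNACL"}, "RuleNumber": 100, "Protocol": -1,
        "Egress": True, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0"}},
}

# Constructed sample of an entry that breaks several of the page's conditional rules.
BAD_ENTRY = {"NetworkAclId": {"Ref": "MyNACL"}, "RuleNumber": 110, "Protocol": 6,
             "RuleAction": "permit", "CidrBlock": "10.0.0.0/8", "Ipv6CidrBlock": "::/0"}

# Constructed sample reusing ingress RuleNumber 100, which the page says is not allowed.
DUPLICATE_RESOURCES = {**SAMPLE_RESOURCES, "InboundDup": {
    "Type": "AWS::EC2::NetworkAclEntry", "Properties": {
        "NetworkAclId": {"Ref": "MyNACL"}, "RuleNumber": 100, "Protocol": 17,
        "RuleAction": "allow", "CidrBlock": "172.16.0.0/24",
        "PortRange": {"From": 53, "To": 53}}}}

if __name__ == "__main__":
    for name, f in validate_template(DUPLICATE_RESOURCES).items():
        print(name, f or "ok")
    print(evaluate(SAMPLE_RESOURCES, egress=False, protocol=6, address="172.16.0.200", port=22))
```

Run as a script it prints the findings for each entry (only InboundDup has one) and "deny" for SSH from 172.16.0.200, because rule 90 matches that address before rule 100 is consulted; the same address with a lower-numbered allow would be accepted, which is the ordering property to keep in mind when inserting deny rules into an existing ACL. Note that the page's own example, with RuleNumber 100 in both directions, passes validation because uniqueness is scoped to a direction.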
See also
- NetworkAclEntry in the Amazon EC2 API Reference
- Network ACLs in the Amazon VPC User Guide