create_network_acl_entry ( $network_acl_id, $rule_number, $protocol, $rule_action, $egress, $cidr_block, $opt )

Creates an entry (i.e., rule) in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the ACL, Amazon VPC processes the entries in the ACL according to the rule numbers, in ascending order.

Important: We recommend that you leave room between the rules (e.g., 100, 110, 120, etc.), and not number them sequentially (101, 102, 103, etc.). This allows you to easily add a new rule between existing ones without having to renumber the rules.

After you add an entry, you can’t modify it; you must either replace it, or create a new entry and delete the old one.

For more information about network ACLs, go to Network ACLs in the Amazon Virtual Private Cloud User Guide.

Access

public

Parameters

Parameter | Type | Required | Description
$network_acl_id | string | Required | ID of the ACL where the entry will be created.
$rule_number | integer | Required | Rule number to assign to the entry (e.g., 100). ACL entries are processed in ascending order by rule number.
$protocol | string | Required | IP protocol the rule applies to. Valid values: tcp, udp, icmp, or an IP protocol number.
$rule_action | string | Required | Whether to allow or deny traffic that matches the rule. [Allowed values: allow, deny]
$egress | boolean | Required | Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false).
$cidr_block | string | Required | The CIDR range to allow or deny, in CIDR notation (e.g., 172.16.0.0/24).
$opt | array | Optional | An associative array of parameters that can have the following keys:

  • Icmp - array - Optional - ICMP values.
    • x - array - Optional - This represents a simple array index.
      • Type - integer - Optional - For the ICMP protocol, the ICMP type. A value of -1 is a wildcard meaning all types. Required if specifying icmp for the protocol.
      • Code - integer - Optional - For the ICMP protocol, the ICMP code. A value of -1 is a wildcard meaning all codes. Required if specifying icmp for the protocol.
  • PortRange - array - Optional - Port ranges.
    • x - array - Optional - This represents a simple array index.
      • From - integer - Optional - The first port in the range. Required if specifying tcp or udp for the protocol.
      • To - integer - Optional - The last port in the range. Required if specifying tcp or udp for the protocol.
  • curlopts - array - Optional - A set of values to pass directly into curl_setopt(), where the key is a pre-defined CURLOPT_* constant.
  • returnCurlHandle - boolean - Optional - A private toggle specifying that the cURL handle be returned rather than actually completing the request. This toggle is useful for manually managed batch requests.

Returns

Type | Description
CFResponse | A CFResponse object containing a parsed HTTP response.

Examples

Create a new entry in the Network Access Control List (ACL).

$ec2 = new AmazonEC2();

// IANA protocol number 6 is TCP; the method also accepts the string 'tcp'.
$tcp = 6;
// Egress rule number 1 ($egress = 'true') allowing TCP port 80 to 172.16.0.0/24.
// PortRange may be given directly as From/To; CFComplexType::map() flattens it.
$response = $ec2->create_network_acl_entry('acl-4abf3f23', 1, $tcp, 'allow', 'true', '172.16.0.0/24', array(
	'PortRange' => array(
		'From' => 80,
		'To' => 80
	)
));

var_dump($response->isOK());
Result:
bool(true)
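The following is an added example, not code from the SDK documentation or from Amazon: it creates several entries in one call while honouring the two rules this page states, that entries are evaluated in ascending rule-number order and that an entry cannot be modified once created. It assumes the SDK 1.x bootstrap file sdk.class.php, credentials configured the way the SDK expects, and a placeholder ACL ID; the helper names validate_nacl_rule, build_nacl_opt and add_nacl_rules, the rule-description array keys, and the sample rule set are all my own constructions.

```php
<?php
// Added example; not part of the original SDK documentation.
// Assumes the AWS SDK for PHP 1.x bootstrap and configured credentials.
require_once 'sdk.class.php';

/**
 * Check one rule description against the requirements the method documents:
 * tcp/udp entries need a PortRange, icmp entries need Icmp Type and Code.
 * Returns null when the rule is acceptable, otherwise an error string.
 * (Hypothetical helper; the rule-description keys are my own.)
 */
function validate_nacl_rule(array $rule)
{
    $proto = strtolower((string) $rule['protocol']);
    if (!in_array($rule['action'], array('allow', 'deny'), true)) {
        return 'rule_action must be allow or deny';
    }
    if (in_array($proto, array('tcp', '6', 'udp', '17'), true)
        && !isset($rule['from'], $rule['to'])) {
        return 'tcp/udp rules require a port range';
    }
    if (in_array($proto, array('icmp', '1'), true)
        && !isset($rule['icmp_type'], $rule['icmp_code'])) {
        return 'icmp rules require Icmp Type and Code (-1 means all)';
    }
    return null;
}

/**
 * Build the $opt array for create_network_acl_entry() from a rule description.
 */
function build_nacl_opt(array $rule)
{
    $opt = array();
    if (isset($rule['from'], $rule['to'])) {
        $opt['PortRange'] = array('From' => $rule['from'], 'To' => $rule['to']);
    }
    if (isset($rule['icmp_type'], $rule['icmp_code'])) {
        $opt['Icmp'] = array('Type' => $rule['icmp_type'], 'Code' => $rule['icmp_code']);
    }
    return $opt;
}

/**
 * Create the rules in list order, numbering them 100, 110, 120, ... so a
 * later rule can be inserted without renumbering. Stops at the first failed
 * request, because an entry cannot be modified after creation; the caller
 * receives the rule numbers that were actually created.
 */
function add_nacl_rules(AmazonEC2 $ec2, $acl_id, $egress, array $rules, $start = 100, $step = 10)
{
    $created = array();
    $number = $start;
    foreach ($rules as $rule) {
        $err = validate_nacl_rule($rule);
        if ($err !== null) {
            throw new InvalidArgumentException("rule $number: $err");
        }
        // The page's own example passes $egress as the string 'true';
        // mirror that rather than relying on how a PHP bool is serialised.
        $response = $ec2->create_network_acl_entry(
            $acl_id, $number, $rule['protocol'], $rule['action'],
            $egress ? 'true' : 'false', $rule['cidr'], build_nacl_opt($rule)
        );
        if (!$response->isOK()) {
            return $created; // nothing after this point was applied
        }
        $created[] = $number;
        $number += $step;
    }
    return $created;
}

// Constructed ingress rule set (sample values). Order matters: the deny for
// the documentation prefix 198.51.100.0/24 gets number 100, the broad allow
// for HTTPS gets 110, so for that prefix the deny is matched first and the
// allow never applies.
$ingress = array(
    array('protocol' => 'tcp', 'action' => 'deny', 'cidr' => '198.51.100.0/24', 'from' => 0, 'to' => 65535),
    array('protocol' => 'tcp', 'action' => 'allow', 'cidr' => '0.0.0.0/0', 'from' => 443, 'to' => 443),
    array('protocol' => 'icmp', 'action' => 'allow', 'cidr' => '10.0.0.0/16', 'icmp_type' => -1, 'icmp_code' => -1),
);

$ec2 = new AmazonEC2();
$created = add_nacl_rules($ec2, 'acl-PLACEHOLDER', false, $ingress);
echo 'created rule numbers: ' . implode(', ', $created) . PHP_EOL;
```

The returned list of rule numbers is what to log or compare against the intended set: because the loop stops on the first non-OK response, a short list tells you exactly which entries exist and which still need to be created or cleaned up. Network ACLs are stateless, so a matching set of egress entries for the return traffic is created with the same helper and $egress set to true.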

Source

Method defined in services/ec2.class.php (also available on GitHub).

public function create_network_acl_entry($network_acl_id, $rule_number, $protocol, $rule_action, $egress, $cidr_block, $opt = null)
{
    if (!$opt) $opt = array();
    $opt['NetworkAclId'] = $network_acl_id;
    $opt['RuleNumber'] = $rule_number;
    $opt['Protocol'] = $protocol;
    $opt['RuleAction'] = $rule_action;
    $opt['Egress'] = $egress;
    $opt['CidrBlock'] = $cidr_block;
    
    // Optional map (non-list)
    if (isset($opt['Icmp']))
    {
        $opt = array_merge($opt, CFComplexType::map(array(
            'Icmp' => $opt['Icmp']
        )));
        unset($opt['Icmp']);
    }
    
    // Optional map (non-list)
    if (isset($opt['PortRange']))
    {
        $opt = array_merge($opt, CFComplexType::map(array(
            'PortRange' => $opt['PortRange']
        )));
        unset($opt['PortRange']);
    }

    return $this->authenticate('CreateNetworkAclEntry', $opt);
}

Copyright © 2010–2013 Amazon Web Services, LLC