AWS::EC2::NetworkAclEntry
Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules.
To create the network ACL, see AWS::EC2::NetworkAcl.
For information about the protocol value, see Protocol Numbers.
Syntax
To declare this entity in your AWS CloudFormation template, use the following syntax:
JSON
{
  "Type" : "AWS::EC2::NetworkAclEntry",
  "Properties" : {
    "CidrBlock" : String,
    "Egress" : Boolean,
    "Icmp" : Icmp,
    "Ipv6CidrBlock" : String,
    "NetworkAclId" : String,
    "PortRange" : PortRange,
    "Protocol" : Integer,
    "RuleAction" : String,
    "RuleNumber" : Integer
  }
}
YAML
Type: AWS::EC2::NetworkAclEntry
Properties:
  CidrBlock: String
  Egress: Boolean
  Icmp: Icmp
  Ipv6CidrBlock: String
  NetworkAclId: String
  PortRange: PortRange
  Protocol: Integer
  RuleAction: String
  RuleNumber: Integer
Properties
CidrBlock
The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). You must specify an IPv4 CIDR block or an IPv6 CIDR block.
Required: Conditional
Type: String
Update requires: No interruption
Egress
Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false). By default, AWS CloudFormation specifies false.
Required: No
Type: Boolean
Update requires: Replacement
Icmp
The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter.
Required: Conditional
Type: Icmp
Update requires: No interruption
Ipv6CidrBlock
The IPv6 network range to allow or deny, in CIDR notation. You must specify an IPv4 CIDR block or an IPv6 CIDR block.
Required: Conditional
Type: String
Update requires: No interruption
NetworkAclId
The ID of the ACL for the entry.
Required: Yes
Type: String
Update requires: Replacement
PortRange
The range of port numbers for the UDP/TCP protocol. Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter.
Required: Conditional
Type: PortRange
Update requires: No interruption
Protocol
The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols.
Note
If you specify -1, all ports are opened and the PortRange property is ignored.
Required: Yes
Type: Integer
Update requires: No interruption
RuleAction
Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny".
Required: Yes
Type: String
Allowed values: allow | deny
Update requires: No interruption
RuleNumber
Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule.
Required: Yes
Type: Integer
Update requires: Replacement
Return values
Ref
When you pass the logical ID of this resource to the intrinsic Ref function, Ref returns the ID of the network ACL entry.
For more information about using the Ref function, see Ref.
Fn::GetAtt
The Fn::GetAtt intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values.
For more information about using the Fn::GetAtt intrinsic function, see Fn::GetAtt.
Id
The ID of the network ACL entry.
Examples
Network ACL entries for inbound and outbound traffic
The following example creates a network ACL, and creates two entries in the NACL. The first entry allows inbound SSH traffic from the specified network. The second entry allows all outbound IPv4 traffic.
JSON
{
  "Resources": {
    "MyNACL": {
      "Type": "AWS::EC2::NetworkAcl",
      "Properties": {
        "VpcId": "vpc-1122334455aabbccd",
        "Tags": [
          { "Key": "Name", "Value": "NACLforSSHTraffic" }
        ]
      }
    },
    "InboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "MyNACL" },
        "RuleNumber": 100,
        "Protocol": 6,
        "RuleAction": "allow",
        "CidrBlock": "172.16.0.0/24",
        "PortRange": { "From": 22, "To": 22 }
      }
    },
    "OutboundRule": {
      "Type": "AWS::EC2::NetworkAclEntry",
      "Properties": {
        "NetworkAclId": { "Ref": "MyNACL" },
        "RuleNumber": 100,
        "Protocol": -1,
        "Egress": true,
        "RuleAction": "allow",
        "CidrBlock": "0.0.0.0/0"
      }
    }
  }
}
YAML
Resources:
  MyNACL:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-1122334455aabbccd
      Tags:
        - Key: Name
          Value: NACLforSSHTraffic
  InboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: 6
      RuleAction: allow
      CidrBlock: 172.16.0.0/24
      PortRange:
        From: 22
        To: 22
  OutboundRule:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId:
        Ref: MyNACL
      RuleNumber: 100
      Protocol: -1
      Egress: true
      RuleAction: allow
      CidrBlock: 0.0.0.0/0
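To see what a set of entries like the ones above actually permits before deploying them, the following added Python script (not part of the AWS documentation or of CloudFormation) checks the conditional-property rules listed under Properties and simulates the evaluation order: entries for one direction are tried in ascending RuleNumber, the first match decides, and a packet matching no entry is denied (an assumption about the ACL's implicit final deny rule). The sample entries are the two from the example above, constructed inline.

```python
import ipaddress

# Constructed sample: the two NetworkAclEntry property sets from the example above
# (Egress defaults to false when omitted).
ENTRIES = [
    {"RuleNumber": 100, "Protocol": 6, "RuleAction": "allow",
     "CidrBlock": "172.16.0.0/24", "PortRange": {"From": 22, "To": 22}},
    {"RuleNumber": 100, "Protocol": -1, "Egress": True, "RuleAction": "allow",
     "CidrBlock": "0.0.0.0/0"},
]

def validate(entries):
    """Return the template-level problems found in NetworkAclEntry property sets."""
    problems, seen = [], set()
    for e in entries:
        rn, proto = e["RuleNumber"], e["Protocol"]
        direction = bool(e.get("Egress", False))
        if (direction, rn) in seen:  # unique per direction (ingress vs. egress)
            problems.append(f"rule {rn}: duplicate rule number in the same direction")
        seen.add((direction, rn))
        if not (e.get("CidrBlock") or e.get("Ipv6CidrBlock")):
            problems.append(f"rule {rn}: CidrBlock or Ipv6CidrBlock is required")
        if proto in (6, 17) and "PortRange" not in e:
            problems.append(f"rule {rn}: PortRange is required for protocol {proto}")
        if proto == 1 and "Icmp" not in e:
            problems.append(f"rule {rn}: Icmp is required for protocol 1")
        if e["RuleAction"] not in ("allow", "deny"):
            problems.append(f"rule {rn}: RuleAction must be allow or deny")
    return problems

def evaluate(entries, egress, address, protocol, port=None):
    """Try the entries for one direction in ascending RuleNumber; the first match
    decides. `address` is the remote IP (source for ingress, destination for
    egress). No match means "deny" (assumption: the ACL's implicit final deny)."""
    ip = ipaddress.ip_address(address)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if bool(e.get("Egress", False)) != egress:
            continue
        cidr = e.get("CidrBlock") if ip.version == 4 else e.get("Ipv6CidrBlock")
        if cidr is None or ip not in ipaddress.ip_network(cidr, strict=False):
            continue
        if e["Protocol"] != -1:  # -1 matches every protocol; PortRange is ignored
            if e["Protocol"] != protocol:
                continue
            pr = e.get("PortRange")
            if pr and (port is None or not pr["From"] <= port <= pr["To"]):
                continue
        return e["RuleAction"]
    return "deny"
```

Prepending a deny entry with a lower RuleNumber for the same CIDR flips the SSH decision, which is the ordering effect the RuleNumber property describes.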
See also
-
NetworkAclEntry in the Amazon EC2 API Reference
-
Network ACLs in the Amazon VPC User Guide