Amazon Elastic Compute Cloud
API Reference (API Version 2012-04-01)

CreateNetworkAclEntry

Description

Creates an entry (i.e., rule) in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the ACL, Amazon VPC processes the entries in the ACL according to the rule numbers, in ascending order.

Important

We recommend that you leave room between the rule numbers (e.g., 100, 110, 120, etc.), and not number them one right after the other (e.g., 101, 102, 103, etc.). This allows you to easily add a new rule between existing ones without having to renumber the rules.

After you add an entry, you can't modify it; you must either replace it, or create a new entry and delete the old one.

For more information about network ACLs, go to Network ACLs in the Amazon Virtual Private Cloud User Guide.

Request Parameters

NetworkAclId

ID of the ACL where the entry will be created.

Type: String

Default: None

Required: Yes

RuleNumber

Rule number to assign to the entry (e.g., 100). ACL entries are processed in ascending order by rule number.

Type: Integer

Default: None

Constraints: Positive integer from 1 to 32766

Required: Yes

Protocol

IP protocol the rule applies to. You can use -1 to mean all protocols.

Type: Integer

Valid Values: -1 or a protocol number (go to Protocol Numbers).

Required: Yes

RuleAction

Whether to allow or deny traffic that matches the rule.

Type: String

Default: None

Valid Values: allow | deny

Required: Yes

Egress

Whether this rule applies to egress traffic from the subnet (true) or ingress traffic to the subnet (false).

Type: Boolean

Default: false

Valid Values: true | false

Required: No

CidrBlock

The CIDR range to allow or deny, in CIDR notation (e.g., 172.16.0.0/24).

Type: String

Default: None

Required: Yes

Icmp.Code

For the ICMP protocol, the ICMP code. You can use -1 to specify all ICMP codes for the given ICMP type.

Type: Integer

Default: None

Condition: Required if specifying 1 (ICMP) for the protocol.

Required: Conditional

Icmp.Type

For the ICMP protocol, the ICMP type. You can use -1 to specify all ICMP types.

Type: Integer

Default: None

Condition: Required if specifying 1 (ICMP) for the protocol.

Required: Conditional

PortRange.From

The first port in the range.

Type: Integer

Default: None

Condition: Required if specifying 6 (TCP) or 17 (UDP) for the protocol.

Required: Conditional

PortRange.To

The last port in the range.

Type: Integer

Default: None

Condition: Required if specifying 6 (TCP) or 17 (UDP) for the protocol.

Required: Conditional
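The evaluation order described above (ascending rule number, first match wins, separate ingress and egress sets) together with the per-protocol parameters (port range for TCP/UDP, type/code for ICMP, -1 as a wildcard) can be seen in a small simulator. This is example code added for this page, not part of the AWS API or its documentation; the ACL contents and packet addresses are constructed, and the fall-through to "deny" when no entry matches is an assumption (the VPC default final rule, which this page does not describe).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed model of one network ACL entry, mirroring the CreateNetworkAclEntry
# parameters on this page. -1 means "all" (protocol, ICMP type or ICMP code).
@dataclass
class AclEntry:
    rule_number: int
    protocol: int              # -1 = all, 1 = ICMP, 6 = TCP, 17 = UDP
    rule_action: str           # "allow" | "deny"
    egress: bool
    cidr_block: str
    port_from: Optional[int] = None
    port_to: Optional[int] = None
    icmp_type: Optional[int] = None
    icmp_code: Optional[int] = None

def matches(e, egress, proto, addr, port=None, icmp_type=None, icmp_code=None):
    """True if entry e applies to the described packet."""
    if e.egress != egress or ip_address(addr) not in ip_network(e.cidr_block):
        return False
    if e.protocol not in (-1, proto):
        return False
    if e.protocol in (6, 17) and not (e.port_from <= port <= e.port_to):
        return False                      # TCP/UDP entries carry a port range
    if e.protocol == 1:                   # ICMP entries carry type/code, -1 = any
        if e.icmp_type != -1 and e.icmp_type != icmp_type:
            return False
        if e.icmp_code != -1 and e.icmp_code != icmp_code:
            return False
    return True

def evaluate(acl, **packet):
    """Action of the lowest-numbered matching entry in the packet's direction.
    No match falls through to "deny" (assumed default final rule, not on this page)."""
    for e in sorted(acl, key=lambda x: x.rule_number):   # ascending, first match wins
        if matches(e, **packet):
            return e.rule_action
    return "deny"

def sample_acl():
    """Constructed ACL: ingress and egress are separate numbered sets."""
    return [
        AclEntry(100, 6, "allow", False, "10.0.0.0/8", 22, 22),
        AclEntry(110, 17, "allow", False, "0.0.0.0/0", 53, 53),     # the page's example rule
        AclEntry(120, 1, "allow", False, "10.0.0.0/8", icmp_type=8, icmp_code=-1),
        AclEntry(100, -1, "allow", True, "0.0.0.0/0"),               # egress: everything
    ]
```

A deny for 10.1.2.0/24 on TCP 22 added later as rule 105 never fires for 10.1.2.3, because rule 100 matches first; the same deny numbered 90 does, which is why leaving gaps between rule numbers matters.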

Response Elements

The elements in the following table are wrapped in a CreateNetworkAclEntryResponse structure.

requestId

The ID of the request.

Type: String

return

Returns true if the request succeeds. Otherwise, returns an error.

Type: xsd:boolean

Examples

Example Request

This example creates an entry with rule number 110 in the network ACL with ID acl-2cb85d45. The rule allows ingress traffic from anywhere (0.0.0.0/0) on UDP port 53 into any associated subnet.

https://ec2.amazonaws.com/?Action=CreateNetworkAclEntry
&NetworkAclId=acl-2cb85d45
&RuleNumber=110
&Protocol=17
&RuleAction=allow
&Egress=false
&CidrBlock=0.0.0.0/0
&PortRange.From=53
&PortRange.To=53
&AUTHPARAMS

Example Response

<CreateNetworkAclEntryResponse xmlns="http://ec2.amazonaws.com/doc/2012-04-01/">
   <requestId>59dbff89-35bd-4eac-99ed-be587EXAMPLE</requestId>
   <return>true</return>
</CreateNetworkAclEntryResponse>