Amazon Elastic Compute Cloud
CLI Reference (API Version 2012-04-01)

ec2-create-network-acl-entry

Description

Creates an entry (i.e., rule) in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet, Amazon VPC processes the entries in the ACL according to the rule numbers, in ascending order.

Important

We recommend that you leave room between the rule numbers (e.g., 100, 110, 120, etc.), and not number them one right after the other (e.g., 101, 102, 103, etc.). This allows you to easily add a new rule between existing ones without having to renumber the rules.

After you add an entry, you can't modify it; you must either replace it or create a new entry and delete the old one.

For more information about network ACLs, go to Network ACLs in the Amazon Virtual Private Cloud User Guide.

The short version of this command is ec2addnae.

Syntax

ec2-create-network-acl-entry acl_id -n rule_number [--egress] -P protocol -r cidr [-p port_range] [-t icmp_type_code] { --allow | --deny }

Options

Name | Description | Required

acl_id

ID of the ACL where the entry will be created.

Type: String

Default: None

Example: acl-5fb85d36

Yes

-n, --rule-number rule_number

Rule number to assign to the entry (e.g., 100). ACL entries are processed in ascending order by rule number.

Type: Number

Default: None

Constraints: Positive integer from 1 to 32766

Example: -n 100

Yes

--egress

Optional flag designating that the rule applies to traffic leaving the subnet.

Default: If not specified, the rule applies to ingress traffic into the subnet.

No

-P, --protocol protocol

IP protocol. You can specify all or -1 to mean all protocols.

Type: String

Valid Values: all | -1 | tcp | udp | icmp or any protocol number (for a list, go to Protocol Numbers).

Example: -P 6

Yes

-r, --cidr cidr

The CIDR range to allow or deny, in CIDR notation.

Type: String

Default: None

Example: -r 172.16.0.0/24

Yes

-p, --port-range port_range

For the TCP or UDP protocols, this specifies the range of ports to allow.

Type: String

Default: None

Valid Values: A single integer or a range (min-max). You can specify -1 to mean all ports (i.e., port range 0-65535).

Condition: Required if specifying tcp or udp (or the equivalent number) for the protocol.

Example: -p 80-84

Conditional

-t, --icmp-type-code icmp_type_code

For the ICMP protocol, this specifies the ICMP type and code using the format type:code, where both are integers. You can use -1 for the type or code to mean all types or all codes.

Type: String

Default: None

Condition: Required if specifying icmp (or the equivalent number) for the protocol.

Example: -t -1:-1

Conditional

--allow

Specifies that any traffic matching the rule is allowed.

Condition: Either --allow or --deny must be specified, but not both.

Conditional

--deny

Specifies that any traffic matching the rule is denied.

Condition: Either --allow or --deny must be specified, but not both.

Conditional

Common Options

Option | Description

--region REGION

Overrides the Region specified in the EC2_URL environment variable and the URL specified by the -U option.

Default: The EC2_URL environment variable, or us-east-1 if the environment variable is not set.

Example: --region eu-west-1

-U, --url URL

URL is the uniform resource locator of the Amazon EC2 web service entry point.

Default: The EC2_URL environment variable, or https://ec2.amazonaws.com if the environment variable is not set.

Example: -U https://ec2.amazonaws.com

-K, --private-key EC2-PRIVATE-KEY

The private key to use when constructing requests to Amazon EC2.

Default: The value of the EC2_PRIVATE_KEY environment variable.

Example: -K pk-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

-C, --cert EC2-CERT

The X.509 certificate to use when constructing requests to Amazon EC2.

Default: The value of the EC2_CERT environment variable.

Example: -C cert-HKZYKTAIG2ECMXYIBH3HXV4ZBEXAMPLE.pem

--connection-timeout TIMEOUT

Specifies a connection timeout (in seconds).

Example: --connection-timeout 30

--request-timeout TIMEOUT

Specifies a request timeout (in seconds).

Example: --request-timeout 45

-v, --verbose

Displays verbose output by showing the SOAP request and response on the command line. This is particularly useful if you are building tools to talk directly to our SOAP API.

-H, --headers

Displays column headers in the output.

--show-empty-fields

Shows empty columns as (nil).

--hide-tags

Do not display tags for tagged resources.

--debug

Prints internal debugging information. This is useful to assist us when troubleshooting problems.

-?, --help, -h

Displays Help.

-

If - is specified as an argument to one of the parameters, a list of arguments is read from standard input. This is useful for piping the output of one command into the input of another.

Example: ec2-describe-instances | grep stopped | cut -f 2 | ec2-start-instances -

Output

The command returns a table that contains the following information:

  • Boolean true or false

Amazon EC2 command line tools display errors on stderr.

Examples

Example Request

This example creates an entry with rule number 100 in the network ACL with ID acl-2cb85d45. The rule allows ingress traffic from anywhere (0.0.0.0/0) on UDP port 53 into the subnet.

PROMPT> ec2-create-network-acl-entry acl-2cb85d45 -n 100 -r 0.0.0.0/0 -P udp -p 53 --allow
ENTRY   ingress 100     allow   0.0.0.0/0       udp                     53      53
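The following added example (not part of the AWS reference, and not the CLI's own code) models the evaluation order described above: it parses ENTRY rows in the layout the command prints for tcp/udp rules, decides a packet's fate by the first match in ascending rule number, and checks the option constraints from the table. The sample rows and the catch-all deny fallback for an unmatched packet are constructed for illustration.

```python
import ipaddress

# Constructed sample rows in the layout ec2-create-network-acl-entry prints
# (direction, rule number, action, CIDR, protocol, port min, port max).
# Numbers are spaced by 10 so a rule such as 115 can be slotted in later.
ENTRY_LINES = """\
ENTRY   ingress 100     allow   0.0.0.0/0       udp                     53      53
ENTRY   ingress 110     deny    172.16.0.0/24   tcp                     22      22
ENTRY   ingress 120     allow   0.0.0.0/0       tcp                     0       65535
"""
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1, "all": -1}

def proto_number(name):
    """Map a -P value (name, protocol number, or all/-1) to a protocol number."""
    return PROTO_NUMBERS[name] if name in PROTO_NUMBERS else int(name)

def parse_entries(text):
    """Parse tcp/udp ENTRY rows (the layout shown above) into rule dicts."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if f and f[0] == "ENTRY":
            entries.append({"direction": f[1], "rule": int(f[2]), "action": f[3],
                            "cidr": ipaddress.ip_network(f[4]),
                            "proto": proto_number(f[5]),
                            "ports": (int(f[6]), int(f[7]))})
    return entries

def evaluate(entries, direction, src_ip, proto, port):
    """Return (rule number, action) of the first match in ascending order.
    (None, 'deny') models the ACL's catch-all deny for unmatched packets,
    an assumption here since this page does not list that rule."""
    want = proto_number(proto)
    for e in sorted(entries, key=lambda e: e["rule"]):
        if (e["direction"] == direction and e["proto"] in (-1, want)
                and ipaddress.ip_address(src_ip) in e["cidr"]
                and e["ports"][0] <= port <= e["ports"][1]):
            return e["rule"], e["action"]
    return None, "deny"

def validate_options(rule_number, protocol, port_range=None,
                     icmp_type_code=None, allow=False, deny=False):
    """Apply the option constraints from the table; return a list of errors."""
    errors = []
    if not 1 <= rule_number <= 32766:
        errors.append("rule number must be 1-32766")
    p = proto_number(protocol)
    if p in (6, 17) and port_range is None:
        errors.append("-p is required for tcp/udp")
    if p == 1 and icmp_type_code is None:
        errors.append("-t is required for icmp")
    if allow == deny:
        errors.append("exactly one of --allow/--deny is required")
    return errors
```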