This is the new *CloudFormation Template Reference Guide*. Please update your bookmarks and links. For help getting started with CloudFormation, see the [AWS CloudFormation User Guide](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html). # AWS::EC2::NetworkAclEntry Specifies an entry, known as a rule, in a network ACL with a rule number you specify. Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. To create the network ACL, see [AWS::EC2::NetworkAcl](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkacl.html). For information about the protocol value, see [Protocol Numbers](https://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml) on the Internet Assigned Numbers Authority (IANA) website. ## Syntax To declare this entity in your CloudFormation template, use the following syntax: ### JSON ``` { "Type" : "AWS::EC2::NetworkAclEntry", "Properties" : { "[CidrBlock](#cfn-ec2-networkaclentry-cidrblock)" : {{String}}, "[Egress](#cfn-ec2-networkaclentry-egress)" : {{Boolean}}, "[Icmp](#cfn-ec2-networkaclentry-icmp)" : {{Icmp}}, "[Ipv6CidrBlock](#cfn-ec2-networkaclentry-ipv6cidrblock)" : {{String}}, "[NetworkAclId](#cfn-ec2-networkaclentry-networkaclid)" : {{String}}, "[PortRange](#cfn-ec2-networkaclentry-portrange)" : {{PortRange}}, "[Protocol](#cfn-ec2-networkaclentry-protocol)" : {{Integer}}, "[RuleAction](#cfn-ec2-networkaclentry-ruleaction)" : {{String}}, "[RuleNumber](#cfn-ec2-networkaclentry-rulenumber)" : {{Integer}} } } ``` ### YAML ``` Type: AWS::EC2::NetworkAclEntry Properties: [CidrBlock](#cfn-ec2-networkaclentry-cidrblock): {{String}} [Egress](#cfn-ec2-networkaclentry-egress): {{Boolean}} [Icmp](#cfn-ec2-networkaclentry-icmp): {{ Icmp}} [Ipv6CidrBlock](#cfn-ec2-networkaclentry-ipv6cidrblock): {{String}} [NetworkAclId](#cfn-ec2-networkaclentry-networkaclid): {{String}} [PortRange](#cfn-ec2-networkaclentry-portrange): {{ PortRange}} [Protocol](#cfn-ec2-networkaclentry-protocol): {{Integer}} [RuleAction](#cfn-ec2-networkaclentry-ruleaction): {{String}} [RuleNumber](#cfn-ec2-networkaclentry-rulenumber): {{Integer}} ``` ## Properties `CidrBlock` The IPv4 CIDR range to allow or deny, in CIDR notation (for example, 172.16.0.0/24). You must specify an IPv4 CIDR block or an IPv6 CIDR block. *Required*: Conditional *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Egress` Whether this rule applies to egress traffic from the subnet (`true`) or ingress traffic to the subnet (`false`). By default, AWS CloudFormation specifies `false`. *Required*: No *Type*: Boolean *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `Icmp` The Internet Control Message Protocol (ICMP) code and type. Required if specifying 1 (ICMP) for the protocol parameter. *Required*: Conditional *Type*: [Icmp](aws-properties-ec2-networkaclentry-icmp.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Ipv6CidrBlock` The IPv6 network range to allow or deny, in CIDR notation. You must specify an IPv4 CIDR block or an IPv6 CIDR block. *Required*: Conditional *Type*: String *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `NetworkAclId` The ID of the ACL for the entry. *Required*: Yes *Type*: String *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) `PortRange` The range of port numbers for the UDP/TCP protocol. Required if specifying 6 (TCP) or 17 (UDP) for the protocol parameter. *Required*: Conditional *Type*: [PortRange](aws-properties-ec2-networkaclentry-portrange.md) *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `Protocol` The IP protocol that the rule applies to. You must specify -1 or a protocol number. You can specify -1 for all protocols. If you specify -1, all ports are opened and the `PortRange` property is ignored. *Required*: Yes *Type*: Integer *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RuleAction` Whether to allow or deny traffic that matches the rule; valid values are "allow" or "deny". *Required*: Yes *Type*: String *Allowed values*: `allow | deny` *Update requires*: [No interruption](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-no-interrupt) `RuleNumber` Rule number to assign to the entry, such as 100. ACL entries are processed in ascending order by rule number. Entries can't use the same rule number unless one is an egress rule and the other is an ingress rule. *Required*: Yes *Type*: Integer *Update requires*: [Replacement](https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-update-behaviors.html#update-replacement) ## Return values ### Ref When you pass the logical ID of this resource to the intrinsic `Ref` function, `Ref` returns the ID of the network ACL entry. For more information about using the `Ref` function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-ref.html). ### Fn::GetAtt The `Fn::GetAtt` intrinsic function returns a value for a specified attribute of this type. The following are the available attributes and sample return values. For more information about using the `Fn::GetAtt` intrinsic function, see [https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html](https://docs.aws.amazon.com/AWSCloudFormation/latest/TemplateReference/intrinsic-function-reference-getatt.html). #### `Id` The ID of the network ACL entry. ## Examples ### Network ACL entries for inbound and outbound traffic The following example creates a network ACL, and creates two entries in the NACL. The first entry allows inbound SSH traffic from the specified network. The second entry allows all outbound IPv4 traffic. #### JSON ``` { "Resources": { "MyNACL": { "Type": "AWS::EC2::NetworkAcl", "Properties": { "VpcId": "vpc-1122334455aabbccd", "Tags": [ { "Key": "Name", "Value": "NACLforSSHTraffic" } ] } }, "InboundRule": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": 6, "RuleAction": "allow", "CidrBlock": "172.16.0.0/24", "PortRange": { "From": 22, "To": 22 } } }, "OutboundRule": { "Type": "AWS::EC2::NetworkAclEntry", "Properties": { "NetworkAclId": { "Ref": "MyNACL" }, "RuleNumber": 100, "Protocol": -1, "Egress": true, "RuleAction": "allow", "CidrBlock": "0.0.0.0/0" } } } } ``` #### YAML ``` Resources: MyNACL: Type: AWS::EC2::NetworkAcl Properties: VpcId: vpc-1122334455aabbccd Tags: - Key: Name Value: NACLforSSHTraffic InboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: 6 RuleAction: allow CidrBlock: 172.16.0.0/24 PortRange: From: 22 To: 22 OutboundRule: Type: AWS::EC2::NetworkAclEntry Properties: NetworkAclId: Ref: MyNACL RuleNumber: 100 Protocol: -1 Egress: true RuleAction: allow CidrBlock: 0.0.0.0/0 ``` ## See also + [NetworkAclEntry](https://docs.aws.amazon.com/AWSEC2/latest/APIReference/ApiReference-query-CreateNetworkAclEntry.html) in the *Amazon EC2 API Reference* + [Network ACLs](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html) in the *Amazon VPC User Guide*