
Resource Orchestration Service:ALIYUN::ENS::NetworkAcl

Last Updated:Jun 06, 2024

ALIYUN::ENS::NetworkAcl is used to create a network access control list (ACL).

Syntax

{
  "Type": "ALIYUN::ENS::NetworkAcl",
  "Properties": {
    "AclEntries": List,
    "Description": String,
    "NetworkAclName": String
  }
}

Properties

AclEntries
  Type: List
  Required: No
  Editable: Yes
  Description: The rules of the network ACL.
  Constraint: You can configure up to 40 rules. For more information, see AclEntries properties.

Description
  Type: String
  Required: No
  Editable: No
  Description: The description of the network ACL.
  Constraint: The description must be 1 to 256 characters in length. It cannot start with http:// or https://.

NetworkAclName
  Type: String
  Required: No
  Editable: No
  Description: The name of the network ACL.
  Constraint: The name must be 1 to 128 characters in length. It cannot start with http:// or https://.

AclEntries syntax

"AclEntries": [
  {
    "Policy": String,
    "PortRange": String,
    "Description": String,
    "Priority": Integer,
    "CidrBlock": String,
    "Protocol": String,
    "NetworkAclEntryName": String,
    "Direction": String
  }
]

AclEntries properties

CidrBlock
  Type: String
  Required: Yes
  Editable: Yes
  Description: The source CIDR block.
  Constraint: None.

Direction
  Type: String
  Required: Yes
  Editable: Yes
  Description: The direction in which the rule is applied.
  Constraint: Valid values:
    • ingress: inbound
    • egress: outbound

Policy
  Type: String
  Required: Yes
  Editable: Yes
  Description: The action to be performed on network traffic that matches the rule.
  Constraint: Valid values:
    • accept: allows network traffic.
    • drop: denies network traffic.

PortRange
  Type: String
  Required: Yes
  Editable: Yes
  Description: The port range.
  Constraint:
    • Valid value when Protocol is set to all or icmp: -1/-1. A value of -1/-1 specifies all ports.
    • Value format when Protocol is set to tcp or udp: X/Y. X specifies the start port and Y specifies the end port. X and Y range from 1 to 65535. For example, 1/200 specifies port 1 to port 200 and 80/80 specifies port 80.

Priority
  Type: Integer
  Required: Yes
  Editable: Yes
  Description: The priority of the rule.
  Constraint: Valid values: 1 to 100. Default value: 1.

Protocol
  Type: String
  Required: Yes
  Editable: Yes
  Description: The protocol type.
  Constraint: Valid values:
    • icmp
    • tcp
    • udp
    • all

Description
  Type: String
  Required: No
  Editable: No
  Description: The description of the network ACL.
  Constraint: The description must be 1 to 256 characters in length. It cannot start with http:// or https://.

NetworkAclEntryName
  Type: String
  Required: No
  Editable: No
  Description: The rule name.
  Constraint: The name must be 1 to 128 characters in length and cannot start with http:// or https://.
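
As an added example that is not part of this page or of ROS itself, the following Python linter checks a candidate AclEntries list against the constraints in the table above (required properties, valid values, the Protocol-dependent PortRange format, the 1 to 100 Priority range, the name and description limits, and the 40-rule cap) before the template is deployed. The sample rules are constructed for illustration, and the comment on their ordering assumes that a smaller Priority value takes precedence, which this page does not state.

```python
# Added example (not from the ROS page): lint ALIYUN::ENS::NetworkAcl AclEntries before deployment.
import ipaddress
import re
PORT_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")
REQUIRED = ("CidrBlock", "Direction", "Policy", "PortRange", "Priority", "Protocol")
ALLOWED = {"Direction": ("ingress", "egress"), "Policy": ("accept", "drop"),
           "Protocol": ("icmp", "tcp", "udp", "all")}

def check_entry(e):
    """Return the list of problems for one AclEntries item (empty list = valid)."""
    problems = [f"missing required property {k}" for k in REQUIRED if k not in e]
    if problems:
        return problems
    for key, allowed in ALLOWED.items():
        if e[key] not in allowed:
            problems.append(f"{key} must be one of {allowed}, got {e[key]!r}")
    if not isinstance(e["Priority"], int) or not 1 <= e["Priority"] <= 100:
        problems.append("Priority must be an integer from 1 to 100")
    try:
        ipaddress.ip_network(e["CidrBlock"], strict=False)
    except ValueError:
        problems.append(f"CidrBlock {e['CidrBlock']!r} is not a valid CIDR block")
    # PortRange depends on Protocol: -1/-1 for all/icmp, X/Y with 1 <= X <= Y <= 65535 for tcp/udp
    pr, proto = e["PortRange"], e["Protocol"]
    m = PORT_RE.match(pr)
    if proto in ("all", "icmp") and pr != "-1/-1":
        problems.append(f"PortRange must be -1/-1 when Protocol is {proto}")
    elif proto in ("tcp", "udp") and (not m or not 1 <= int(m[1]) <= int(m[2]) <= 65535):
        problems.append(f"PortRange {pr!r} must be X/Y with 1 <= X <= Y <= 65535")
    for key, limit in (("Description", 256), ("NetworkAclEntryName", 128)):
        v = e.get(key)
        if v is not None and (not 1 <= len(v) <= limit or v.startswith(("http://", "https://"))):
            problems.append(f"{key} must be 1 to {limit} characters and not start with http:// or https://")
    return problems

def check_acl_entries(entries):
    """Map entry index -> problems for every invalid entry; index -1 flags the 40-rule cap."""
    result = {i: p for i, e in enumerate(entries) if (p := check_entry(e))}
    if len(entries) > 40:
        result[-1] = ["AclEntries may contain at most 40 rules"]
    return result

# Constructed sample: allow HTTPS, drop the rest (assumes a smaller Priority wins), plus one bad rule
SAMPLE_ENTRIES = [
    {"NetworkAclEntryName": "allow-https", "Direction": "ingress", "Policy": "accept",
     "Protocol": "tcp", "PortRange": "443/443", "CidrBlock": "0.0.0.0/0", "Priority": 1},
    {"NetworkAclEntryName": "drop-all", "Direction": "ingress", "Policy": "drop",
     "Protocol": "all", "PortRange": "-1/-1", "CidrBlock": "0.0.0.0/0", "Priority": 100},
    {"NetworkAclEntryName": "bad-range", "Direction": "ingress", "Policy": "accept",
     "Protocol": "all", "PortRange": "1/200", "CidrBlock": "10.0.0.0/8", "Priority": 2},
]
```

Running check_acl_entries(SAMPLE_ENTRIES) reports only the third rule, because a TCP-style X/Y range is not valid when Protocol is all.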

Return values

Fn::GetAtt

NetworkAclId: the ID of the network ACL.

Examples

YAML format

ROSTemplateFormatVersion: '2015-09-01'
Parameters:
  AclEntries:
    AssociationPropertyMetadata:
      Parameters:
        Policy:
          Type: String
          Description:
            en: |-
              The action that is performed on network traffic that matches the rule. Valid values: 
              accept: allows network traffic.
              drop: blocks network traffic.
          AllowedValues:
            - accept
            - drop
          Required: true
        PortRange:
          Type: String
          Description:
            en: The port range. If you set Protocol to all or icmp, set this parameter to -1/-1, which specifies all ports. If you set Protocol to tcp or udp, the port can be 1 to 65535. You can set this parameter to 1/200 or 80/80, which specifies ports 1 to 200 or port 80.
          Required: true
        Description:
          AssociationProperty: TextArea
          Type: String
          Description:
            en: The description of the network ACL. The description must be 1 to 256 characters in length and cannot start with http:// or https://.
          Required: false
        Priority:
          Type: Number
          Description:
            en: 'The priority of the rule. Valid values: 1 to 100. Default value: 1.'
          Required: true
          MinValue: 1
          MaxValue: 100
        CidrBlock:
          Type: String
          Description:
            en: The source CIDR block.
          Required: true
        NetworkAclEntryName:
          Type: String
          Description:
            en: The name of the rule. The name must be 1 to 128 characters in length and cannot start with http:// or https://.
          Required: false
        Protocol:
          Type: String
          Description:
            en: |-
              The protocol. Valid values: icmp: ICMP
              tcp: TCP
              udp: UDP
              all: all protocols
          AllowedValues:
            - icmp
            - tcp
            - udp
            - all
          Required: true
        Direction:
          Type: String
          Description:
            en: |-
              Specifies whether the ACL rule controls inbound or outbound access requests. Valid values: 
              ingress
              egress
          AllowedValues:
            - ingress
            - egress
          Required: true
    AssociationProperty: List[Parameters]
    Type: Json
    Description:
      en: The entry of Network ACL.
    Required: false
    MaxLength: 40
  NetworkAclName:
    Type: String
    Description:
      en: |-
        Enter a name for the network ACL.
        The name must be 1 to 128 characters in length and cannot start with http:// or https://.
    Required: false
Resources:
  NetworkAcl:
    Type: ALIYUN::ENS::NetworkAcl
    Properties:
      AclEntries:
        Ref: AclEntries
      NetworkAclName:
        Ref: NetworkAclName
Outputs:
  NetworkAclId:
    Description: The ID of the network ACL.
    Value:
      Fn::GetAtt:
        - NetworkAcl
        - NetworkAclId

JSON format

{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "AclEntries": {
      "AssociationPropertyMetadata": {
        "Parameters": {
          "Policy": {
            "Type": "String",
            "Description": {
              "en": "The action that is performed on network traffic that matches the rule. Valid values: \naccept: allows network traffic.\ndrop: blocks network traffic."
            },
            "AllowedValues": [
              "accept",
              "drop"
            ],
            "Required": true
          },
          "PortRange": {
            "Type": "String",
            "Description": {
              "en": "The port range. If you set Protocol to all or icmp, set this parameter to -1/-1, which specifies all ports. If you set Protocol to tcp or udp, the port can be 1 to 65535. You can set this parameter to 1/200 or 80/80, which specifies ports 1 to 200 or port 80."
            },
            "Required": true
          },
          "Description": {
            "AssociationProperty": "TextArea",
            "Type": "String",
            "Description": {
              "en": "The description of the network ACL. The description must be 1 to 256 characters in length and cannot start with http:// or https://."
            },
            "Required": false
          },
          "Priority": {
            "Type": "Number",
            "Description": {
              "en": "The priority of the rule. Valid values: 1 to 100. Default value: 1."
            },
            "Required": true,
            "MinValue": 1,
            "MaxValue": 100
          },
          "CidrBlock": {
            "Type": "String",
            "Description": {
              "en": "The source CIDR block."
            },
            "Required": true
          },
          "NetworkAclEntryName": {
            "Type": "String",
            "Description": {
              "en": "The name of the rule. The name must be 1 to 128 characters in length and cannot start with http:// or https://."
            },
            "Required": false
          },
          "Protocol": {
            "Type": "String",
            "Description": {
              "en": "The protocol. Valid values: icmp: ICMP\ntcp: TCP\nudp: UDP\nall: all protocols"
            },
            "AllowedValues": [
              "icmp",
              "tcp",
              "udp",
              "all"
            ],
            "Required": true
          },
          "Direction": {
            "Type": "String",
            "Description": {
              "en": "Specifies whether the ACL rule controls inbound or outbound access requests. Valid values: \ningress\negress"
            },
            "AllowedValues": [
              "ingress",
              "egress"
            ],
            "Required": true
          }
        }
      },
      "AssociationProperty": "List[Parameters]",
      "Type": "Json",
      "Description": {
        "en": "The entry of Network ACL."
      },
      "Required": false,
      "MaxLength": 40
    },
    "NetworkAclName": {
      "Type": "String",
      "Description": {
        "en": "Enter a name for the network ACL.\nThe name must be 1 to 128 characters in length and cannot start with http:// or https://."
      },
      "Required": false
    }
  },
  "Resources": {
    "NetworkAcl": {
      "Type": "ALIYUN::ENS::NetworkAcl",
      "Properties": {
        "AclEntries": {
          "Ref": "AclEntries"
        },
        "NetworkAclName": {
          "Ref": "NetworkAclName"
        }
      }
    }
  },
  "Outputs": {
    "NetworkAclId": {
      "Description": "The ID of the network ACL.",
      "Value": {
        "Fn::GetAtt": [
          "NetworkAcl",
          "NetworkAclId"
        ]
      }
    }
  }
}