ALIYUN::VPC::NetworkAcl is used to create a network access control list (ACL).
Syntax
{
"Type": "ALIYUN::VPC::NetworkAcl",
"Properties": {
"NetworkAclName": String,
"Description": String,
"VpcId": String,
"EgressAclEntries": List,
"IngressAclEntries": List
}
}
Properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
NetworkAclName | String | No | Yes | The name of the network ACL. | The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https:// . |
Description | String | No | Yes | The description of the network ACL. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https:// . |
VpcId | String | Yes | No | The ID of the Virtual Private Cloud (VPC) to which you want to apply the network ACL. | You cannot create a network ACL for a VPC that contains instances of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. To create a network ACL for such a VPC, you must upgrade the instance types first. For more information, see Change the instance type of a pay-as-you-go instance and Upgrade the instance types of subscription instances. Note If your VPC contains instances of the preceding instance families and you have created a network ACL, you must upgrade the instance types to ensure that the network ACL can take effect. |
IngressAclEntries | List | No | Yes | The inbound rules of the network ACL. | A maximum of 20 rules can be specified. For more information, see IngressAclEntries properties. |
EgressAclEntries | List | No | Yes | The outbound rules of the network ACL | A maximum of 20 rules can be specified. For more information, see EgressAclEntries properties. |
IngressAclEntries syntax
"IngressAclEntries": [
{
"Policy": String,
"Description": String,
"EntryType": String,
"SourceCidrIp": String,
"Port": String,
"Protocol": String,
"NetworkAclEntryName": String
}
]
IngressAclEntries properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
Policy | String | Yes | Yes | The authorization policy. | Valid values:
|
Description | String | No | Yes | The description of the inbound rule. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https:// . |
EntryType | String | No | Yes | The type of the rule. | Default value: custom. Valid values:
|
SourceCidrIp | String | No | Yes | The source CIDR block. | None |
Port | String | Yes | Yes | The range of source ports. | None |
Protocol | String | Yes | Yes | The transport layer protocol. | Valid values:
|
NetworkAclEntryName | String | No | Yes | The name of the inbound rule. | None |
EgressAclEntries syntax
"EgressAclEntries": [
{
"Policy": String,
"Description": String,
"EntryType": String,
"DestinationCidrIp": String,
"Port": String,
"Protocol": String,
"NetworkAclEntryName": String
}
]
EgressAclEntries properties
Property | Type | Required | Editable | Description | Constraint |
---|---|---|---|---|---|
Policy | String | Yes | Yes | The authorization policy. | Valid values:
|
Description | String | No | Yes | The description of the outbound rule. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https:// . |
EntryType | String | No | Yes | The type of the rule. | Default value: custom. Valid values:
|
DestinationCidrIp | String | No | Yes | The destination CIDR block. | None |
Port | String | Yes | Yes | The range of destination ports. | None |
Protocol | String | Yes | Yes | The transport layer protocol. | Valid values:
|
NetworkAclEntryName | String | No | Yes | The name of the outbound rule. | None |
Response parameters
Fn::GetAtt
- NetworkAclId: the ID of the network ACL.
- NetworkAclEntryName: the name of the rule for the network ACL.
Examples
JSON
format{ "ROSTemplateFormatVersion": "2015-09-01", "Parameters": { }, "Resources": { "NetworkAcl": { "Type": "ALIYUN::VPC::NetworkAcl", "Properties": { "IngressAclEntries": [ { "Policy": "drop", "Protocol": "gre", "Port": "9001/9001" } ], "VpcId": { "Ref": "VpcId" }, "EgressAclEntries": [ { "Policy": "accept", "Protocol": "udp", "Port": "8000/8000", "DestinationCidrIp": "10.0.0.0/24", "NetworkAclEntryName": "test-egress", "EntryType": "system", "Description": "test description" } ], "NetworkAclName": "TestNetworkAcl" } } }, "Outputs": { "NetworkAclId": { "Description": "The ID of the network ACL.", "Value": { "Fn::GetAtt": [ "NetworkAcl", "NetworkAclId" ] } }, "NetworkAclEntryName": { "Description": "The name of the inbound rule.", "Value": { "Fn::GetAtt": [ "NetworkAcl", "NetworkAclEntryName" ] } } } }