ALIYUN::VPC::NetworkAcl is used to create a network access control list (ACL).

Syntax

{
  "Type": "ALIYUN::VPC::NetworkAcl",
  "Properties": {
    "NetworkAclName": String,
    "Description": String,
    "VpcId": String,
    "EgressAclEntries": List,
    "IngressAclEntries": List
  }
}

Properties

| Property | Type | Required | Editable | Description | Constraint |
|---|---|---|---|---|---|
| NetworkAclName | String | No | Yes | The name of the network ACL. | The name must be 2 to 128 characters in length and can contain letters, digits, underscores (_), and hyphens (-). It must start with a letter and cannot start with http:// or https://. |
| Description | String | No | Yes | The description of the network ACL. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://. |
| VpcId | String | Yes | No | The ID of the Virtual Private Cloud (VPC) to which you want to apply the network ACL. | You cannot create a network ACL for a VPC that contains instances of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. To create a network ACL for such a VPC, you must upgrade the instance types first. For more information, see Change the instance type of a pay-as-you-go instance and Upgrade the instance types of subscription instances. Note: If your VPC contains instances of the preceding instance families and you have already created a network ACL, you must upgrade the instance types to ensure that the network ACL takes effect. |
| IngressAclEntries | List | No | Yes | The inbound rules of the network ACL. For more information, see IngressAclEntries properties. | A maximum of 20 rules can be specified. |
| EgressAclEntries | List | No | Yes | The outbound rules of the network ACL. For more information, see EgressAclEntries properties. | A maximum of 20 rules can be specified. |

IngressAclEntries syntax

"IngressAclEntries": [
  {
    "Policy": String,
    "Description": String,
    "EntryType": String,
    "SourceCidrIp": String,
    "Port": String,
    "Protocol": String,
    "NetworkAclEntryName": String
  }
]

IngressAclEntries properties

| Property | Type | Required | Editable | Description | Constraint |
|---|---|---|---|---|---|
| Policy | String | Yes | Yes | The authorization policy. | Valid values: accept (access is allowed), drop (access is denied). |
| Description | String | No | Yes | The description of the inbound rule. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://. |
| EntryType | String | No | Yes | The type of the rule. Default value: custom. | Valid values: custom (custom rules), system (system rules). |
| SourceCidrIp | String | No | Yes | The source CIDR block. | None |
| Port | String | Yes | Yes | The range of source ports. | None |
| Protocol | String | Yes | Yes | The transport layer protocol. | Valid values: icmp, gre, tcp, udp, all. |
| NetworkAclEntryName | String | No | Yes | The name of the inbound rule. | None |

EgressAclEntries syntax

"EgressAclEntries": [
  {
    "Policy": String,
    "Description": String,
    "EntryType": String,
    "DestinationCidrIp": String,
    "Port": String,
    "Protocol": String,
    "NetworkAclEntryName": String
  }
]

EgressAclEntries properties

| Property | Type | Required | Editable | Description | Constraint |
|---|---|---|---|---|---|
| Policy | String | Yes | Yes | The authorization policy. | Valid values: accept (access is allowed), drop (access is denied). |
| Description | String | No | Yes | The description of the outbound rule. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://. |
| EntryType | String | No | Yes | The type of the rule. Default value: custom. | Valid values: custom (custom rules), system (system rules). |
| DestinationCidrIp | String | No | Yes | The destination CIDR block. | None |
| Port | String | Yes | Yes | The range of destination ports. | None |
| Protocol | String | Yes | Yes | The transport layer protocol. | Valid values: icmp, gre, tcp, udp, all. |
| NetworkAclEntryName | String | No | Yes | The name of the outbound rule. | None |
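A template-side check for the constraints in the IngressAclEntries and EgressAclEntries tables above (and the resource-level name, description and VpcId rules), written as an added example; it is not ROS code or part of this page. The "start/end" Port format is assumed from the examples further down the page; everything else follows the tables.

```python
import ipaddress
import re
POLICIES = {"accept", "drop"}
PROTOCOLS = {"icmp", "gre", "tcp", "udp", "all"}
ENTRY_TYPES = {"custom", "system"}
MAX_RULES = 20                                           # per direction, from the tables
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")  # NetworkAclName: 2-128 chars, letter first
PORT_RE = re.compile(r"^-?\d+/-?\d+$")                   # assumed "start/end" form, e.g. "8000/8000"

def _check_description(value, label, errors):
    # Shared description rule: 2-256 chars, starts with a letter, not with http:// or https://.
    if not (2 <= len(value) <= 256):
        errors.append(f"{label}: length must be 2-256")
    elif not value[0].isalpha() or value.lower().startswith(("http://", "https://")):
        errors.append(f"{label}: must start with a letter, not http:// or https://")

def validate_entries(entries, direction):
    """Check one IngressAclEntries/EgressAclEntries list; return a list of error strings."""
    cidr_key = "SourceCidrIp" if direction == "ingress" else "DestinationCidrIp"
    errors = []
    if len(entries) > MAX_RULES:
        errors.append(f"{direction}: at most {MAX_RULES} rules, got {len(entries)}")
    for i, e in enumerate(entries):
        where = f"{direction}[{i}]"
        for key, allowed in (("Policy", POLICIES), ("Protocol", PROTOCOLS)):  # both required
            if e.get(key) not in allowed:
                errors.append(f"{where}: {key} must be one of {sorted(allowed)}")
        if e.get("EntryType", "custom") not in ENTRY_TYPES:  # optional, defaults to custom
            errors.append(f"{where}: EntryType must be custom or system")
        if not PORT_RE.match(str(e.get("Port", ""))):        # required
            errors.append(f"{where}: Port must look like start/end")
        if "Description" in e:
            _check_description(e["Description"], f"{where}.Description", errors)
        try:                                                 # CIDR is optional; validate if given
            ipaddress.ip_network(e.get(cidr_key, "0.0.0.0/0"), strict=False)
        except ValueError:
            errors.append(f"{where}: {cidr_key} is not a valid CIDR block")
    return errors

def validate_network_acl(props):
    """Validate the Properties of an ALIYUN::VPC::NetworkAcl resource; return all errors."""
    errors = [] if props.get("VpcId") else ["VpcId is required"]
    if "NetworkAclName" in props and not NAME_RE.match(props["NetworkAclName"]):
        errors.append("NetworkAclName: 2-128 letters, digits, _ or -, starting with a letter")
    if "Description" in props:
        _check_description(props["Description"], "Description", errors)
    errors += validate_entries(props.get("IngressAclEntries", []), "ingress")
    errors += validate_entries(props.get("EgressAclEntries", []), "egress")
    return errors
```

Run it over the parsed Properties of each NetworkAcl resource before deploying a template; an empty list means every documented constraint holds.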

Response parameters

Fn::GetAtt

  • NetworkAclId: the ID of the network ACL.
  • NetworkAclEntryName: the name of the rule for the network ACL.

Examples

  • YAML format

    ROSTemplateFormatVersion: '2015-09-01'
    Parameters:
      VpcId:
        Type: String
        Description: The ID of the VPC to which the network ACL is applied.
    Resources:
      NetworkAcl:
        Type: ALIYUN::VPC::NetworkAcl
        Properties:
          IngressAclEntries:
            - Policy: drop
              Protocol: gre
              Port: 9001/9001
          VpcId:
            Ref: VpcId
          EgressAclEntries:
            - Policy: accept
              Protocol: udp
              Port: 8000/8000
              DestinationCidrIp: 10.0.0.0/24
              NetworkAclEntryName: test-egress
              EntryType: system
              Description: test description
          NetworkAclName: TestNetworkAcl
    Outputs:
      NetworkAclId:
        Description: The ID of the network ACL.
        Value:
          Fn::GetAtt:
            - NetworkAcl
            - NetworkAclId
      NetworkAclEntryName:
        Description: The name of the inbound rule.
        Value:
          Fn::GetAtt:
            - NetworkAcl
            - NetworkAclEntryName
  • JSON format

    {
      "ROSTemplateFormatVersion": "2015-09-01",
      "Parameters": {
        "VpcId": {
          "Type": "String",
          "Description": "The ID of the VPC to which the network ACL is applied."
        }
      },
      "Resources": {
        "NetworkAcl": {
          "Type": "ALIYUN::VPC::NetworkAcl",
          "Properties": {
            "IngressAclEntries": [
              {
                "Policy": "drop",
                "Protocol": "gre",
                "Port": "9001/9001"
              }
            ],
            "VpcId": {
              "Ref": "VpcId"
            },
            "EgressAclEntries": [
              {
                "Policy": "accept",
                "Protocol": "udp",
                "Port": "8000/8000",
                "DestinationCidrIp": "10.0.0.0/24",
                "NetworkAclEntryName": "test-egress",
                "EntryType": "system",
                "Description": "test description"
              }
            ],
            "NetworkAclName": "TestNetworkAcl"
          }
        }
      },
      "Outputs": {
        "NetworkAclId": {
          "Description": "The ID of the network ACL.",
          "Value": {
            "Fn::GetAtt": [
              "NetworkAcl",
              "NetworkAclId"
            ]
          }
        },
        "NetworkAclEntryName": {
          "Description": "The name of the inbound rule.",
          "Value": {
            "Fn::GetAtt": [
              "NetworkAcl",
              "NetworkAclEntryName"
            ]
          }
        }
      }
    }