The ALIYUN::VPC::NetworkAcl resource creates a network access control list (ACL).
Syntax

```json
{
  "Type": "ALIYUN::VPC::NetworkAcl",
  "Properties": {
    "NetworkAclName": String,
    "Description": String,
    "VpcId": String,
    "EgressAclEntries": List,
    "IngressAclEntries": List
  }
}
```

Properties
| Property Name | Type | Required | Update allowed | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| NetworkAclName | String | No | Yes | The name of the network ACL. | The name must be 2 to 128 characters in length. It must start with a letter and cannot start with http:// or https://. It can contain letters, digits, underscores (_), and hyphens (-). |
| Description | String | No | Yes | The description of the network ACL. | The description must be 2 to 256 characters in length. It must start with a letter or a Chinese character and cannot start with http:// or https://. |
| VpcId | String | Yes | No | The ID of the VPC to which the network ACL belongs. | A network ACL cannot be created for a VPC that contains instances of the following instance families: ecs.c1, ecs.c2, ecs.c4, ecs.c5, ecs.ce4, ecs.cm4, ecs.d1, ecs.e3, ecs.e4, ecs.ga1, ecs.gn4, ecs.gn5, ecs.i1, ecs.m1, ecs.m2, ecs.mn4, ecs.n1, ecs.n2, ecs.n4, ecs.s1, ecs.s2, ecs.s3, ecs.se1, ecs.sn1, ecs.sn2, ecs.t1, and ecs.xn4. To create a network ACL, upgrade the instance types first. For more information, see Upgrade subscription instances and Change the instance type of a pay-as-you-go instance. Note: If your VPC contains an instance of a restricted instance family and you have already created a network ACL, upgrade the instance type to ensure that the network ACL functions as expected. |
| IngressAclEntries | List | No | Yes | The inbound network ACL rules. | A maximum of 20 rules are supported. For more information, see IngressAclEntries properties. |
| EgressAclEntries | List | No | Yes | The outbound network ACL rules. | A maximum of 20 rules are supported. For more information, see EgressAclEntries properties. |
IngressAclEntries syntax

```json
"IngressAclEntries": [
  {
    "Policy": String,
    "Description": String,
    "EntryType": String,
    "SourceCidrIp": String,
    "Port": String,
    "Protocol": String,
    "NetworkAclEntryName": String
  }
]
```

IngressAclEntries properties
| Property Name | Type | Required | Update allowed | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Policy | String | Yes | Yes | The authorization policy. | Valid values: |
| Description | String | No | Yes | The description of the inbound rule. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://. |
| EntryType | String | No | Yes | The rule type. | Valid values: |
| SourceCidrIp | String | No | Yes | The source CIDR block. | None |
| Port | String | Yes | Yes | The source port range. | None |
| Protocol | String | Yes | Yes | The transport-layer protocol. | Valid values: |
| NetworkAclEntryName | String | No | Yes | The name of the inbound rule. | None |
EgressAclEntries syntax

```json
"EgressAclEntries": [
  {
    "Policy": String,
    "Description": String,
    "EntryType": String,
    "DestinationCidrIp": String,
    "Port": String,
    "Protocol": String,
    "NetworkAclEntryName": String
  }
]
```

EgressAclEntries properties
| Property Name | Type | Required | Update allowed | Description | Constraints |
| --- | --- | --- | --- | --- | --- |
| Policy | String | Yes | Yes | The authorization policy. | Valid values: |
| Description | String | No | Yes | The description of the outbound rule. | The description must be 2 to 256 characters in length. It must start with a letter and cannot start with http:// or https://. |
| EntryType | String | No | Yes | The rule type. | Valid values: |
| DestinationCidrIp | String | No | Yes | The destination CIDR block. | None |
| Port | String | Yes | Yes | The destination port range. | None |
| Protocol | String | Yes | Yes | The transport-layer protocol. | Valid values: |
| NetworkAclEntryName | String | No | Yes | The name of the outbound rule. | None |
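The constraints in the Properties, IngressAclEntries and EgressAclEntries tables above are easy to get wrong in a hand-written template, and ROS only reports them at stack creation time. The following template linter is an added example, not part of this page or of ROS itself: it checks one ALIYUN::VPC::NetworkAcl resource for the required VpcId, the name and description rules, the 20-rule cap per direction, the "start/end" port syntax used by the page's example, and CIDR validity. It also raises a review flag on accept rules whose CIDR covers the whole address space; that check is a defender's addition, not a constraint the tables state. The sample resources and the vpc-EXAMPLE value are constructed for the demonstration.

```python
"""Lint an ALIYUN::VPC::NetworkAcl resource against the constraints in the
property tables (added example; the tables, not the ROS service, are the source)."""
import ipaddress
import json
import re

MAX_RULES_PER_DIRECTION = 20  # IngressAclEntries / EgressAclEntries: at most 20 rules each
# NetworkAclName: 2 to 128 chars, starts with a letter, letters/digits/_/- only
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{1,127}$")
# Port is written as "start/end", e.g. "8000/8000" in the page's example
PORT_RE = re.compile(r"^(\d{1,5})/(\d{1,5})$")


def _check_text(value, field, problems):
    """Shared rule for the Description fields: 2 to 256 chars, no http(s):// prefix."""
    if not 2 <= len(value) <= 256:
        problems.append(f"{field}: must be 2 to 256 characters, got {len(value)}")
    if value.lower().startswith(("http://", "https://")):
        problems.append(f"{field}: must not start with http:// or https://")


def _check_entry(entry, direction, index, problems):
    """Check one inbound or outbound rule dict."""
    where = f"{direction}[{index}]"
    for required in ("Policy", "Port", "Protocol"):  # marked Required: Yes in the tables
        if required not in entry:
            problems.append(f"{where}: missing required property {required}")
    port = str(entry.get("Port", ""))
    match = PORT_RE.match(port)
    if not match:
        problems.append(f"{where}: Port must be written as start/end, got {port!r}")
    else:
        start, end = int(match.group(1)), int(match.group(2))
        if not 0 <= start <= end <= 65535:
            problems.append(f"{where}: port range {port} is out of order or out of range")
    # Inbound rules carry SourceCidrIp, outbound rules carry DestinationCidrIp
    cidr_key = "SourceCidrIp" if direction == "IngressAclEntries" else "DestinationCidrIp"
    cidr = entry.get(cidr_key)
    if cidr is not None:
        try:
            net = ipaddress.ip_network(cidr, strict=False)
        except ValueError:
            problems.append(f"{where}: {cidr_key} {cidr!r} is not a valid CIDR block")
        else:
            # Review flag (not a table constraint): an accept rule open to the whole address space
            if entry.get("Policy") == "accept" and net.prefixlen == 0:
                problems.append(f"{where}: accepts traffic for {cidr}; review whether this is intended")
    if "Description" in entry:
        _check_text(str(entry["Description"]), f"{where}.Description", problems)


def lint_network_acl(resource):
    """Return a list of problems for one resource dict; an empty list means clean."""
    if resource.get("Type") != "ALIYUN::VPC::NetworkAcl":
        return [f"unexpected resource type {resource.get('Type')!r}"]
    problems = []
    props = resource.get("Properties", {})
    if "VpcId" not in props:
        problems.append("VpcId is required")
    name = props.get("NetworkAclName")
    if name is not None and not NAME_RE.match(str(name)):
        problems.append("NetworkAclName: 2 to 128 chars, start with a letter, letters/digits/_/- only")
    if "Description" in props:
        _check_text(str(props["Description"]), "Description", problems)
    for direction in ("IngressAclEntries", "EgressAclEntries"):
        entries = props.get(direction, [])
        if len(entries) > MAX_RULES_PER_DIRECTION:
            problems.append(f"{direction}: {len(entries)} rules exceed the maximum of {MAX_RULES_PER_DIRECTION}")
        for i, entry in enumerate(entries):
            _check_entry(entry, direction, i, problems)
    return problems


def lint_template(template_text):
    """Lint every NetworkAcl resource in a ROS template (JSON text); returns {logical id: problems}."""
    template = json.loads(template_text)
    return {
        logical_id: lint_network_acl(res)
        for logical_id, res in template.get("Resources", {}).items()
        if res.get("Type") == "ALIYUN::VPC::NetworkAcl"
    }


# Constructed sample: the rules from the page's example with a placeholder VPC ID
CLEAN_RESOURCE = {
    "Type": "ALIYUN::VPC::NetworkAcl",
    "Properties": {
        "VpcId": "vpc-EXAMPLE",  # placeholder, not a real VPC ID
        "NetworkAclName": "TestNetworkAcl",
        "IngressAclEntries": [{"Policy": "drop", "Protocol": "gre", "Port": "9001/9001"}],
        "EgressAclEntries": [{"Policy": "accept", "Protocol": "udp", "Port": "8000/8000",
                              "DestinationCidrIp": "10.0.0.0/24", "NetworkAclEntryName": "test-egress",
                              "EntryType": "system", "Description": "test description"}],
    },
}

# Constructed sample that breaks several constraints at once
BAD_RESOURCE = {
    "Type": "ALIYUN::VPC::NetworkAcl",
    "Properties": {
        "NetworkAclName": "1bad",
        "Description": "http://not-allowed",
        "IngressAclEntries": [{"Policy": "drop", "Protocol": "gre", "Port": "80", "SourceCidrIp": "10.0.0.0/33"}],
        "EgressAclEntries": [{"Policy": "accept", "Protocol": "udp", "Port": "1/65535",
                              "DestinationCidrIp": "0.0.0.0/0"}] * 21,
    },
}

if __name__ == "__main__":
    for label, res in (("clean", CLEAN_RESOURCE), ("bad", BAD_RESOURCE)):
        print(label, json.dumps(lint_network_acl(res), indent=2))
```

lint_template takes the whole template as JSON text, so it can run over the page's example or in a pre-deployment check before the stack is submitted; the review flag on /0 accept rules is meant to be triaged by a person, since a broad allow rule may be intended for a public subnet.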
Return values
Fn::GetAtt
- NetworkAclId: The ID of the network ACL.
- NetworkAclEntryName: The name of the network ACL rule.
Examples
JSON format

The VpcId parameter supplies the VPC ID that the resource's Ref resolves to.

```json
{
  "ROSTemplateFormatVersion": "2015-09-01",
  "Parameters": {
    "VpcId": {
      "Type": "String",
      "Description": "The ID of the VPC to which the network ACL belongs."
    }
  },
  "Resources": {
    "NetworkAcl": {
      "Type": "ALIYUN::VPC::NetworkAcl",
      "Properties": {
        "IngressAclEntries": [
          {
            "Policy": "drop",
            "Protocol": "gre",
            "Port": "9001/9001"
          }
        ],
        "VpcId": {
          "Ref": "VpcId"
        },
        "EgressAclEntries": [
          {
            "Policy": "accept",
            "Protocol": "udp",
            "Port": "8000/8000",
            "DestinationCidrIp": "10.0.0.0/24",
            "NetworkAclEntryName": "test-egress",
            "EntryType": "system",
            "Description": "test description"
          }
        ],
        "NetworkAclName": "TestNetworkAcl"
      }
    }
  },
  "Outputs": {
    "NetworkAclId": {
      "Description": "The ID of the network ACL.",
      "Value": {
        "Fn::GetAtt": ["NetworkAcl", "NetworkAclId"]
      }
    },
    "NetworkAclEntryName": {
      "Description": "The name of the inbound rule.",
      "Value": {
        "Fn::GetAtt": ["NetworkAcl", "NetworkAclEntryName"]
      }
    }
  }
}
```