create_network_acl

- EC2.Client.create_network_acl(**kwargs)

Creates a network ACL in a VPC. Network ACLs provide an optional layer of security (in addition to security groups) for the instances in your VPC.

For more information, see Network ACLs in the Amazon VPC User Guide.

See also: AWS API Documentation

Request Syntax

    response = client.create_network_acl(
        TagSpecifications=[
            {
                'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'ipam-external-resource-verification-token',
                'Tags': [
                    {
                        'Key': 'string',
                        'Value': 'string'
                    },
                ]
            },
        ],
        ClientToken='string',
        DryRun=True|False,
        VpcId='string'
    )

Parameters:
- TagSpecifications (list) – The tags to assign to the network ACL.
  - (dict) – The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.
    Note: The Valid Values lists all the resource types that can be tagged. However, the action you're using might not support tagging all of these resource types. If you try to tag a resource type that is unsupported for the action you're using, you'll get an error.
    - ResourceType (string) – The type of resource to tag on creation.
    - Tags (list) – The tags to apply to the resource.
      - (dict) – Describes a tag.
        - Key (string) – The key of the tag. Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
        - Value (string) – The value of the tag. Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
- ClientToken (string) – Unique, case-sensitive identifier that you provide to ensure the idempotency of the request. For more information, see Ensuring idempotency. This field is autopopulated if not provided.
- DryRun (boolean) – Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.
- VpcId (string) – [REQUIRED] The ID of the VPC.
Return type:
  dict

Returns:

Response Syntax

    {
        'NetworkAcl': {
            'Associations': [
                {
                    'NetworkAclAssociationId': 'string',
                    'NetworkAclId': 'string',
                    'SubnetId': 'string'
                },
            ],
            'Entries': [
                {
                    'CidrBlock': 'string',
                    'Egress': True|False,
                    'IcmpTypeCode': {
                        'Code': 123,
                        'Type': 123
                    },
                    'Ipv6CidrBlock': 'string',
                    'PortRange': {
                        'From': 123,
                        'To': 123
                    },
                    'Protocol': 'string',
                    'RuleAction': 'allow'|'deny',
                    'RuleNumber': 123
                },
            ],
            'IsDefault': True|False,
            'NetworkAclId': 'string',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ],
            'VpcId': 'string',
            'OwnerId': 'string'
        },
        'ClientToken': 'string'
    }

Response Structure

- (dict) –
  - NetworkAcl (dict) – Information about the network ACL.
    - Associations (list) – Any associations between the network ACL and your subnets.
      - (dict) – Describes an association between a network ACL and a subnet.
        - NetworkAclAssociationId (string) – The ID of the association between a network ACL and a subnet.
        - NetworkAclId (string) – The ID of the network ACL.
        - SubnetId (string) – The ID of the subnet.
    - Entries (list) – The entries (rules) in the network ACL.
      - (dict) – Describes an entry in a network ACL.
        - CidrBlock (string) – The IPv4 network range to allow or deny, in CIDR notation.
        - Egress (boolean) – Indicates whether the rule is an egress rule (applied to traffic leaving the subnet).
        - IcmpTypeCode (dict) – ICMP protocol: The ICMP type and code.
          - Code (integer) – The ICMP code. A value of -1 means all codes for the specified ICMP type.
          - Type (integer) – The ICMP type. A value of -1 means all types.
        - Ipv6CidrBlock (string) – The IPv6 network range to allow or deny, in CIDR notation.
        - PortRange (dict) – TCP or UDP protocols: The range of ports the rule applies to.
          - From (integer) – The first port in the range.
          - To (integer) – The last port in the range.
        - Protocol (string) – The protocol number. A value of "-1" means all protocols.
        - RuleAction (string) – Indicates whether to allow or deny the traffic that matches the rule.
        - RuleNumber (integer) – The rule number for the entry. ACL entries are processed in ascending order by rule number.
    - IsDefault (boolean) – Indicates whether this is the default network ACL for the VPC.
    - NetworkAclId (string) – The ID of the network ACL.
    - Tags (list) – Any tags assigned to the network ACL.
      - (dict) – Describes a tag.
        - Key (string) – The key of the tag. Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.
        - Value (string) – The value of the tag. Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.
    - VpcId (string) – The ID of the VPC for the network ACL.
    - OwnerId (string) – The ID of the Amazon Web Services account that owns the network ACL.
  - ClientToken (string) – Unique, case-sensitive identifier to ensure the idempotency of the request. Only returned if a client token was provided in the request.
Examples

This example creates a network ACL for the specified VPC.

    response = client.create_network_acl(
        VpcId='vpc-a01106c2',
    )
    print(response)

Expected Output:

    {
        'NetworkAcl': {
            'Associations': [
            ],
            'Entries': [
                {
                    'CidrBlock': '0.0.0.0/0',
                    'Egress': True,
                    'Protocol': '-1',
                    'RuleAction': 'deny',
                    'RuleNumber': 32767,
                },
                {
                    'CidrBlock': '0.0.0.0/0',
                    'Egress': False,
                    'Protocol': '-1',
                    'RuleAction': 'deny',
                    'RuleNumber': 32767,
                },
            ],
            'IsDefault': False,
            'NetworkAclId': 'acl-5fb85d36',
            'Tags': [
            ],
            'VpcId': 'vpc-a01106c2',
        },
        'ResponseMetadata': {
            '...': '...',
        },
    }
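The parameter rules above (tag constraints, the ResourceType enum, DryRun as a permission check) and the rule-evaluation order documented under RuleNumber, as an added example that is not part of the boto3 documentation or of boto3 itself. It assembles the kwargs for create_network_acl, rejecting tags that violate the documented limits before any API call, and then walks a set of Entries in ascending RuleNumber order, the way the documentation says an ACL is processed. The two 32767 deny entries are the ones the Expected Output shows for a freshly created ACL; the rule-100 allow entry, the tag values and the 203.0.113.5 address are constructed sample data, and returning ('deny', None) when no entry matches is an assumption about the ACL's implicit final rule.

```python
"""Added example (not part of the boto3 documentation or of boto3): build and check a
create_network_acl request, then evaluate a network ACL's entries the way the
Response Structure documents it (ascending RuleNumber, first match wins)."""
import ipaddress

TAG_KEY_MAX = 127      # documented maximum length of a tag key
TAG_VALUE_MAX = 256    # documented maximum length of a tag value
ALL_PROTOCOLS = "-1"   # documented Protocol value meaning every protocol


def validate_tags(tags):
    """Return a list of violations of the documented tag constraints (empty when valid)."""
    problems = []
    for tag in tags:
        key, value = tag["Key"], tag["Value"]
        if key.startswith("aws:"):
            problems.append(f"tag key {key!r} may not begin with 'aws:'")
        if len(key) > TAG_KEY_MAX:
            problems.append(f"tag key {key!r} exceeds {TAG_KEY_MAX} characters")
        if len(value) > TAG_VALUE_MAX:
            problems.append(f"value of tag {key!r} exceeds {TAG_VALUE_MAX} characters")
    return problems


def build_create_network_acl_request(vpc_id, tags=None, dry_run=False, client_token=None):
    """Assemble the kwargs for EC2.Client.create_network_acl.

    ResourceType is pinned to 'network-acl': the TagSpecifications enum lists every
    taggable resource type, but this action only tags the ACL it creates, and an
    unsupported type makes the request fail.
    """
    request = {"VpcId": vpc_id}
    if tags:
        problems = validate_tags(tags)
        if problems:
            raise ValueError("; ".join(problems))
        request["TagSpecifications"] = [{"ResourceType": "network-acl", "Tags": list(tags)}]
    if dry_run:
        # Permission check only: a DryRunOperation error means the caller is authorised,
        # UnauthorizedOperation means it is not. Nothing is created either way.
        request["DryRun"] = True
    if client_token is not None:
        request["ClientToken"] = client_token  # boto3 fills this in when omitted
    return request


def evaluate_network_acl(entries, *, egress, protocol, port, address):
    """Return (RuleAction, RuleNumber) of the first entry matching a packet.

    Entries are walked in ascending RuleNumber order, as the documentation states.
    protocol is the string protocol number ('6' TCP, '17' UDP, '-1' all); PortRange is
    only consulted when an entry carries one. ICMP type/code matching is not modelled.
    If no entry matches, the ACL's implicit final rule denies the traffic; that is
    returned as ('deny', None) (assumption: the implicit rule is not listed in Entries).
    """
    ip = ipaddress.ip_address(address)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress:
            continue
        if entry["Protocol"] not in (ALL_PROTOCOLS, protocol):
            continue
        cidr = entry.get("Ipv6CidrBlock") if ip.version == 6 else entry.get("CidrBlock")
        if cidr is None or ip not in ipaddress.ip_network(cidr, strict=False):
            continue
        port_range = entry.get("PortRange")
        if port_range and not (port_range["From"] <= port <= port_range["To"]):
            continue
        return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None


# Constructed sample ACL: the two 32767 deny entries are the ones the Expected Output
# shows for a freshly created ACL; rule 100 is a made-up ingress allow for HTTPS.
SAMPLE_ENTRIES = [
    {"CidrBlock": "0.0.0.0/0", "Egress": True, "Protocol": "-1",
     "RuleAction": "deny", "RuleNumber": 32767},
    {"CidrBlock": "0.0.0.0/0", "Egress": False, "Protocol": "-1",
     "RuleAction": "deny", "RuleNumber": 32767},
    {"CidrBlock": "0.0.0.0/0", "Egress": False, "Protocol": "6",
     "PortRange": {"From": 443, "To": 443}, "RuleAction": "allow", "RuleNumber": 100},
]


if __name__ == "__main__":
    request = build_create_network_acl_request(
        "vpc-a01106c2", tags=[{"Key": "Name", "Value": "edge-acl"}], dry_run=True)
    print(request)  # send with boto3.client("ec2").create_network_acl(**request)
    for egress, port in ((False, 443), (False, 22), (True, 443)):
        verdict = evaluate_network_acl(SAMPLE_ENTRIES, egress=egress, protocol="6",
                                       port=port, address="203.0.113.5")  # constructed
        print("egress" if egress else "ingress", port, "->", verdict)
```

Running the DryRun request first is a cheap way to confirm an automation role holds ec2:CreateNetworkAcl without creating anything; the evaluator makes the point that a new ACL only carries its two 32767 deny entries, so every subnet associated with it is isolated until lower-numbered allow rules are added.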