AWS - boto3 - boto3.resource('ec2').NetworkACL('id')

• EC2 - client
• EC2 - NetworkAcl
  • Actions
    • create_entry(kwargs_) and delete_entry(kwargs_)
    • create_tags(kwargs_)
    • get_available_subresources()
    • load() and reload()
    • replace_association(kwargs_)

---

EC2 - client

Table of Contents

• EC2
  1. Client
  2. Paginators
  3. Waiters
  4. Service Resource
  5. ClassicAddress
  6. DhcpOptions
  7. Image
  8. Instance
  9. InternetGateway
  10. KeyPair
  11. KeyPairInfo
  12. NetworkAcl
  13. NetworkInterface
  14. NetworkInterfaceAssociation
  15. PlacementGroup
  16. Route
  17. RouteTable
  18. RouteTableAssociation
  19. SecurityGroup
  20. Snapshot
  21. Subnet
  22. Tag
  23. Volume
  24. Vpc
  25. VpcPeeringConnection
  26. VpcAddress

---

EC2 - NetworkAcl

class EC2.NetworkAcl(id)

A resource representing an Amazon Elastic Compute Cloud (EC2) NetworkAcl:

import boto3

ec2resource = boto3.resource('ec2')
ec2network_acl = ec2resource.NetworkAcl('id')

available identifiers:

• id _(string)_ The NetworkAcl's id identifier. This **must** be set.

available attributes:

• associations
• entries
• is_default
• network_acl_id
• owner_id
• tags
• vpc_id

available references:

• vpc

available actions:

• create_entry()
• create_tags()
• delete()
• delete_entry()
• get_available_subresources()
• load()
• reload()
• replace_association()
• replace_entry()

Actions

create_entry(kwargs_) and delete_entry(kwargs_)

1. Creates an entry (a rule) in a network ACL with the specified rule number.
   • Each network ACL has a set of numbered ingress rules and a separate set of numbered egress rules. When determining whether a packet should be allowed in or out of a subnet associated with the ACL, we process the entries in the ACL according to the rule numbers, in ascending order.
   • Each network ACL has a set of ingress rules and a separate set of egress rules.

   recommend that you leave room between the rule numbers (for example, 100, 110, 120, …), and not number them one right after the other (for example, 101, 102, 103, …). This makes it easier to add a rule between existing ones without having to renumber the rules.

2. Deletes the specified ingress or egress entry (rule) from the specified network ACL.

After you add an entry, can’t modify it;

• either replace it, or create an entry and delete the old one.

Request Syntax

import boto3

ec2network_acl = boto3.resource('ec2').NetworkAcl('id')


response = ec2network_acl.create_entry(
    CidrBlock='string',
    # (_string_) -- The IPv4 network range to allow or deny, in CIDR notation (for example 172.16.0.0/24 ).
    # modify the specified CIDR block to its canonical form;
    # for example, if you specify 100.68.0.18/18 , we modify it to 100.68.0.0/18 .
    DryRun=True|False,
    Egress=True|False,
    # (_boolean_) -- **[REQUIRED]** Indicates whether this is an egress rule (rule is applied to traffic leaving the subnet).
    IcmpTypeCode={
        # (_dict_) -- ICMP protocol: The ICMP or ICMPv6 type and code.
        # Required if specifying protocol 1 (ICMP) or protocol 58 (ICMPv6) with an IPv6 CIDR block.
        'Code': 123,
        # _(integer) -- The ICMP code. A value of -1 means all codes for the specified ICMP type.
        'Type': 123
        # _(integer) -- The ICMP type. A value of -1 means all types.
    },

    Ipv6CidrBlock='string',
    # (_string_) -- The IPv6 network range to allow or deny, in CIDR notation (for example 2001:db8:1234:1a00::/64 ).
    PortRange={
        # (_dict_) -- TCP or UDP protocols: The range of ports the rule applies to. Required if specifying protocol 6 (TCP) or 17 (UDP).
        'From': 123,
        # _(integer) -- The first port in the range.
        'To': 123
        # _(integer) -- The last port in the range.
    },
    Protocol='string',
    # (_string_) -- **[REQUIRED]** The protocol number.
    # A value of "-1" means all protocols.
    # If you specify "-1" or a protocol number other than "6" (TCP), "17" (UDP), or "1" (ICMP), traffic on all ports is allowed, regardless of any ports or ICMP types or codes that you specify.
    # If you specify protocol "58" (ICMPv6) and specify an IPv4 CIDR block, traffic for all ICMP types and codes allowed, regardless of any that you specify. If you specify protocol "58" (ICMPv6) and specify an IPv6 CIDR block, you must specify an ICMP type and code.
    RuleAction='allow'|'deny',
    RuleNumber=123
    # (_integer_) -- **[REQUIRED]** The rule number for the entry (for example, 100). ACL entries are processed in ascending order by rule number.
    # Constraints: Positive integer from 1 to 32766. The range 32767 to 65535 is reserved for internal use.
)





response = ec2network_acl.delete_entry(
    DryRun=True|False,
    Egress=True|False,
    # (_boolean_) -- **[REQUIRED]** Indicates whether the rule is an egress rule.
    RuleNumber=123
    # (_integer_) -- **[REQUIRED]** The rule number of the entry to delete.
)



response = ec2network_acl.replace_entry(
    CidrBlock='string',
    DryRun=True|False,
    Egress=True|False,
    IcmpTypeCode={
        'Code': 123,
        'Type': 123
    },
    Ipv6CidrBlock='string',
    PortRange={
        'From': 123,
        'To': 123
    },
    Protocol='string',
    RuleAction='allow'|'deny',
    RuleNumber=123
)

Returns: None

---

create_tags(kwargs_)

• Adds or overwrites only the specified tags for the specified Amazon EC2 resource or resources.
• When you specify an existing tag key, the value is overwritten with the new value.
• Each resource can have a maximum of 50 tags.
• Each tag consists of a key and optional value.
• Tag keys must be unique per resource.

For more information about tags, see Tagging Your Resources in the Amazon Elastic Compute Cloud User Guide . For more information about creating IAM policies that control users’ access to resources based on tags, see Supported Resource-Level Permissions for Amazon EC2 API Actions in the Amazon Elastic Compute Cloud User Guide .

Request Syntax

tag = ec2network_acl.create_tags(
    DryRun=True|False,
    Tags=[
        {
            'Key': 'string',
            'Value': 'string'
        },
    ]
)

Return:

• Return type: list(ec2.Tag)
• A list of Tag resources

---

get_available_subresources()

Returns a list of all the available sub-resources for this Resource.

Returns

• Return type: list of str
• A list containing the name of each sub-resource for this resource

---

load() and reload()

• Calls EC2.Client.describe_network_acls() to update the attributes of the NetworkAcl resource.
• Note that the load() and reload() methods are the same method and can be used interchangeably.

Request Syntax

ec2network_acl = boto3.resource('ec2').NetworkAcl('id')

ec2network_acl.load()
ec2network_acl.reload()

Returns: None

---

replace_association(kwargs_)

• Changes which network ACL a subnet is associated with.
• By default when you create a subnet, it’s automatically associated with the default network ACL.
• This is an idempotent operation.

Request Syntax

response = ec2network_acl.replace_association(
    AssociationId='string',
    # (_string_) -- **[REQUIRED]** The ID of the current association between the original network ACL and the subnet.
    DryRun=True|False,
)

Return:

• Return type: dict
• Response Syntax

{
    'NewAssociationId': 'string'
    # _(string) -- The ID of the new association.
}

replace_entry(kwargs_)

Replaces an entry (rule) in a network ACL. For more information, see Network ACLs in the Amazon Virtual Private Cloud User Guide .

Request Syntax

response = ec2network_acl.replace_entry(
    CidrBlock='string',
    DryRun=True|False,
    Egress=True|False,
    IcmpTypeCode={
        'Code': 123,
        'Type': 123
    },
    Ipv6CidrBlock='string',
    PortRange={
        'From': 123,
        'To': 123
    },
    Protocol='string',
    RuleAction='allow'|'deny',
    RuleNumber=123
)