EC2 / Client / create_vpc_block_public_access_exclusion

create_vpc_block_public_access_exclusion#

EC2.Client.create_vpc_block_public_access_exclusion(**kwargs)#

Create a VPC Block Public Access (BPA) exclusion. A VPC BPA exclusion is a mode that can be applied to a single VPC or subnet that exempts it from the account’s BPA mode and will allow bidirectional or egress-only access. You can create BPA exclusions for VPCs and subnets even when BPA is not enabled on the account to ensure that there is no traffic disruption to the exclusions when VPC BPA is turned on. To learn more about VPC BPA, see Block public access to VPCs and subnets in the Amazon VPC User Guide.

See also: AWS API Documentation

Request Syntax

response = client.create_vpc_block_public_access_exclusion(
    DryRun=True|False,
    SubnetId='string',
    VpcId='string',
    InternetGatewayExclusionMode='allow-bidirectional'|'allow-egress',
    TagSpecifications=[
        {
            'ResourceType': 'capacity-reservation'|'client-vpn-endpoint'|'customer-gateway'|'carrier-gateway'|'coip-pool'|'dedicated-host'|'dhcp-options'|'egress-only-internet-gateway'|'elastic-ip'|'elastic-gpu'|'export-image-task'|'export-instance-task'|'fleet'|'fpga-image'|'host-reservation'|'image'|'import-image-task'|'import-snapshot-task'|'instance'|'instance-event-window'|'internet-gateway'|'ipam'|'ipam-pool'|'ipam-scope'|'ipv4pool-ec2'|'ipv6pool-ec2'|'key-pair'|'launch-template'|'local-gateway'|'local-gateway-route-table'|'local-gateway-virtual-interface'|'local-gateway-virtual-interface-group'|'local-gateway-route-table-vpc-association'|'local-gateway-route-table-virtual-interface-group-association'|'natgateway'|'network-acl'|'network-interface'|'network-insights-analysis'|'network-insights-path'|'network-insights-access-scope'|'network-insights-access-scope-analysis'|'placement-group'|'prefix-list'|'replace-root-volume-task'|'reserved-instances'|'route-table'|'security-group'|'security-group-rule'|'snapshot'|'spot-fleet-request'|'spot-instances-request'|'subnet'|'subnet-cidr-reservation'|'traffic-mirror-filter'|'traffic-mirror-session'|'traffic-mirror-target'|'transit-gateway'|'transit-gateway-attachment'|'transit-gateway-connect-peer'|'transit-gateway-multicast-domain'|'transit-gateway-policy-table'|'transit-gateway-route-table'|'transit-gateway-route-table-announcement'|'volume'|'vpc'|'vpc-endpoint'|'vpc-endpoint-connection'|'vpc-endpoint-service'|'vpc-endpoint-service-permission'|'vpc-peering-connection'|'vpn-connection'|'vpn-gateway'|'vpc-flow-log'|'capacity-reservation-fleet'|'traffic-mirror-filter-rule'|'vpc-endpoint-connection-device-type'|'verified-access-instance'|'verified-access-group'|'verified-access-endpoint'|'verified-access-policy'|'verified-access-trust-provider'|'vpn-connection-device-type'|'vpc-block-public-access-exclusion'|'ipam-resource-discovery'|'ipam-resource-discovery-association'|'instance-connect-endpoint'|'ipam-external-resource-verification-token',
            'Tags': [
                {
                    'Key': 'string',
                    'Value': 'string'
                },
            ]
        },
    ]
)
Parameters:

  • DryRun (boolean) – Checks whether you have the required permissions for the action, without actually making the request, and provides an error response. If you have the required permissions, the error response is DryRunOperation. Otherwise, it is UnauthorizedOperation.

  • SubnetId (string) – A subnet ID.

  • VpcId (string) – A VPC ID.

  • InternetGatewayExclusionMode (string) –

    [REQUIRED]

    The exclusion mode for internet gateway traffic.

    • bidirectional-access-allowed: Allow all internet traffic to and from the excluded VPCs and subnets.

    • egress-access-allowed: Allow outbound internet traffic from the excluded VPCs and subnets. Block inbound internet traffic to the excluded VPCs and subnets. Only applies when VPC Block Public Access is set to Bidirectional.

  • TagSpecifications (list) –

    tag - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.

    • (dict) –

      The tags to apply to a resource when the resource is being created. When you specify a tag, you must specify the resource type to tag, otherwise the request will fail.

      Note

      The Valid Values lists all the resource types that can be tagged. However, the action you’re using might not support tagging all of these resource types. If you try to tag a resource type that is unsupported for the action you’re using, you’ll get an error.

      • ResourceType (string) –

        The type of resource to tag on creation.

      • Tags (list) –

        The tags to apply to the resource.

        • (dict) –

          Describes a tag.

          • Key (string) –

            The key of the tag.

            Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

          • Value (string) –

            The value of the tag.

            Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.

Return type:

dict

Returns:

Response Syntax

{
    'VpcBlockPublicAccessExclusion': {
        'ExclusionId': 'string',
        'InternetGatewayExclusionMode': 'allow-bidirectional'|'allow-egress',
        'ResourceArn': 'string',
        'State': 'create-in-progress'|'create-complete'|'create-failed'|'update-in-progress'|'update-complete'|'update-failed'|'delete-in-progress'|'delete-complete'|'disable-in-progress'|'disable-complete',
        'Reason': 'string',
        'CreationTimestamp': datetime(2015, 1, 1),
        'LastUpdateTimestamp': datetime(2015, 1, 1),
        'DeletionTimestamp': datetime(2015, 1, 1),
        'Tags': [
            {
                'Key': 'string',
                'Value': 'string'
            },
        ]
    }
}

Response Structure

  • (dict) –

    • VpcBlockPublicAccessExclusion (dict) –

      Details about an exclusion.

      • ExclusionId (string) –

        The ID of the exclusion.

      • InternetGatewayExclusionMode (string) –

        The exclusion mode for internet gateway traffic.

        • bidirectional-access-allowed: Allow all internet traffic to and from the excluded VPCs and subnets.

        • egress-access-allowed: Allow outbound internet traffic from the excluded VPCs and subnets. Block inbound internet traffic to the excluded VPCs and subnets. Only applies when VPC Block Public Access is set to Bidirectional.

      • ResourceArn (string) –

        The ARN of the exclusion.

      • State (string) –

        The state of the exclusion.

      • Reason (string) –

        The reason for the current exclusion state.

      • CreationTimestamp (datetime) –

        When the exclusion was created.

      • LastUpdateTimestamp (datetime) –

        When the exclusion was last updated.

      • DeletionTimestamp (datetime) –

        When the exclusion was deleted.

      • Tags (list) –

        tag - The key/value combination of a tag assigned to the resource. Use the tag key in the filter name and the tag value as the filter value. For example, to find all resources that have a tag with the key Owner and the value TeamA, specify tag:Owner for the filter name and TeamA for the filter value.

        • (dict) –

          Describes a tag.

          • Key (string) –

            The key of the tag.

            Constraints: Tag keys are case-sensitive and accept a maximum of 127 Unicode characters. May not begin with aws:.

          • Value (string) –

            The value of the tag.

            Constraints: Tag values are case-sensitive and accept a maximum of 256 Unicode characters.