Amazon Web Service (AWS)

Network ACL

Security

A network access control list (NACL) is an optional layer of security to security groups at the subnet level within your VPC that acts as a firewall for controlling inbound and outbound traffic.

Costs

The cost of using network access control lists (ACL) is based on the number of rules and the amount of traffic processed by the network ACL. There is no additional cost for using network ACLs in Amazon VPC, as they are included in the overall cost of using Amazon VPC.

Direct Cost

Indirect Cost

No items found.

Terraform Name

aws_network_acl

Network ACL

attributes:

vpc_id - (Required) The ID of the associated VPC.
subnet_ids - (Optional) A list of Subnet IDs to apply the ACL to
ingress - (Optional) Specifies an ingress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
egress - (Optional) Specifies an egress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress support the following keys:

from_port - (Required) The from port to match.
to_port - (Required) The to port to match.
rule_no - (Required) The rule number. Used for ordering.
action - (Required) The action to take.
protocol - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
cidr_block - (Optional) The CIDR block to match. This must be a valid network mask.
ipv6_cidr_block - (Optional) The IPv6 CIDR block.
icmp_type - (Optional) The ICMP type to be used. Default 0.
icmp_code - (Optional) The ICMP type code to be used. Default 0.

‍

Associating resources with a

Network ACL

Resources do not "belong" to a

Network ACL

Rather, one or more Security Groups are associated to a resource.

Create

Network ACL

via Terraform:

The following HCL creates a network ACL for the specified VPC

Syntax:

resource "aws_network_acl" "main" {
vpc_id = aws_vpc.main.id

egress {
protocol = "tcp"
rule_no = 200
action = "allow"
cidr_block = "10.3.0.0/18"
from_port = 443
to_port = 443
}

ingress {
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "10.3.0.0/18"
from_port = 80
to_port = 80
}

tags = {
Name = "main"
}
}

Create

Network ACL

via CLI:

Parametres:

create-network-acl
[--dry-run | --no-dry-run]
--vpc-id <value>
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]