Amazon Web Service (AWS)

Network ACL

A network access control list (NACL) is an optional layer of security to security groups at the subnet level within your VPC that acts as a firewall for controlling inbound and outbound traffic.
Network ACL
  • vpc_id - (Required) The ID of the associated VPC.
  • subnet_ids - (Optional) A list of Subnet IDs to apply the ACL to
  • ingress - (Optional) Specifies an ingress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • egress - (Optional) Specifies an egress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress support the following keys:

  • from_port - (Required) The from port to match.
  • to_port - (Required) The to port to match.
  • rule_no - (Required) The rule number. Used for ordering.
  • action - (Required) The action to take.
  • protocol - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
  • cidr_block - (Optional) The CIDR block to match. This must be a valid network mask.
  • ipv6_cidr_block - (Optional) The IPv6 CIDR block.
  • icmp_type - (Optional) The ICMP type to be used. Default 0.
  • icmp_code - (Optional) The ICMP type code to be used. Default 0.

Associating resources with a
Network ACL
Resources do not "belong" to a
Network ACL
Rather, one or more Security Groups are associated to a resource.
Network ACL
via Terraform:
The following HCL creates a network ACL for the specified VPC

resource "aws_network_acl" "main" {
 vpc_id =

 egress {
   protocol   = "tcp"
   rule_no    = 200
   action     = "allow"
   cidr_block = ""
   from_port  = 443
   to_port    = 443

 ingress {
   protocol   = "tcp"
   rule_no    = 100
   action     = "allow"
   cidr_block = ""
   from_port  = 80
   to_port    = 80

 tags = {
   Name = "main"

Network ACL
via CLI:

[--dry-run | --no-dry-run]
--vpc-id <value>
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws ec2 create-network-acl --vpc-id vpc-a01106c2

Best Practices for
Network ACL

Categorized by Availability, Security & Compliance and Cost

Security Group (SG) changes alarm
Explore all the rules our platform covers
All Resources