Network ACL

A network access control list (NACL) is an optional layer of security to security groups at the subnet level within your VPC that acts as a firewall for controlling inbound and outbound traffic.

Terraform Name

aws_network_acl

Network ACL

attributes:

vpc_id - (Required) The ID of the associated VPC.
subnet_ids - (Optional) A list of Subnet IDs to apply the ACL to
ingress - (Optional) Specifies an ingress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
egress - (Optional) Specifies an egress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress support the following keys:

from_port - (Required) The from port to match.
to_port - (Required) The to port to match.
rule_no - (Required) The rule number. Used for ordering.
action - (Required) The action to take.
protocol - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
cidr_block - (Optional) The CIDR block to match. This must be a valid network mask.
ipv6_cidr_block - (Optional) The IPv6 CIDR block.
icmp_type - (Optional) The ICMP type to be used. Default 0.
icmp_code - (Optional) The ICMP type code to be used. Default 0.

‍

Associating resources with a

Network ACL

Resources do not "belong" to a

Network ACL

Rather, one or more Security Groups are associated to a resource.

Create

Network ACL

via Terraform:

The following HCL creates a network ACL for the specified VPC

Syntax:

resource "aws_network_acl" "main" {
vpc_id = aws_vpc.main.id

egress {
protocol = "tcp"
rule_no = 200
action = "allow"
cidr_block = "10.3.0.0/18"
from_port = 443
to_port = 443
}

ingress {
protocol = "tcp"
rule_no = 100
action = "allow"
cidr_block = "10.3.0.0/18"
from_port = 80
to_port = 80
}

tags = {
Name = "main"
}
}

Create

Network ACL

via CLI:

Parametres:

create-network-acl
[--dry-run | --no-dry-run]
--vpc-id <value>
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-network-acl --vpc-id vpc-a01106c2

Costs

The cost of using network access control lists (ACL) is based on the number of rules and the amount of traffic processed by the network ACL. There is no additional cost for using network ACLs in Amazon VPC, as they are included in the overall cost of using Amazon VPC.

Network ACL

Terraform Name

egress and ingress

Costs

Indirect Cost