Detect, troubleshoot & optimize AWS environments in real-time ->

Amazon Web Service (AWS)

Network ACL

A network access control list (NACL) is an optional layer of security to security groups at the subnet level within your VPC that acts as a firewall for controlling inbound and outbound traffic.
The cost of using network access control lists (ACL) is based on the number of rules and the amount of traffic processed by the network ACL. There is no additional cost for using network ACLs in Amazon VPC, as they are included in the overall cost of using Amazon VPC.
Direct Cost


Indirect Cost
No items found.
Terraform Name
Network ACL
  • vpc_id - (Required) The ID of the associated VPC.
  • subnet_ids - (Optional) A list of Subnet IDs to apply the ACL to
  • ingress - (Optional) Specifies an ingress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • egress - (Optional) Specifies an egress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress support the following keys:

  • from_port - (Required) The from port to match.
  • to_port - (Required) The to port to match.
  • rule_no - (Required) The rule number. Used for ordering.
  • action - (Required) The action to take.
  • protocol - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
  • cidr_block - (Optional) The CIDR block to match. This must be a valid network mask.
  • ipv6_cidr_block - (Optional) The IPv6 CIDR block.
  • icmp_type - (Optional) The ICMP type to be used. Default 0.
  • icmp_code - (Optional) The ICMP type code to be used. Default 0.

Associating resources with a
Network ACL
Resources do not "belong" to a
Network ACL
Rather, one or more Security Groups are associated to a resource.
Network ACL
via Terraform:
The following HCL creates a network ACL for the specified VPC

resource "aws_network_acl" "main" {
 vpc_id =

 egress {
   protocol   = "tcp"
   rule_no    = 200
   action     = "allow"
   cidr_block = ""
   from_port  = 443
   to_port    = 443

 ingress {
   protocol   = "tcp"
   rule_no    = 100
   action     = "allow"
   cidr_block = ""
   from_port  = 80
   to_port    = 80

 tags = {
   Name = "main"

Network ACL
via CLI:

[--dry-run | --no-dry-run]
--vpc-id <value>
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--endpoint-url <value>]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]


aws ec2 create-network-acl --vpc-id vpc-a01106c2

Best Practices for
Network ACL

Categorized by Availability, Security & Compliance and Cost

Explore all the rules our platform covers
Related blog posts
All Resources