Amazon Web Services (AWS)

Network ACL

Security
A network access control list (NACL) is an optional layer of security for your VPC that complements security groups: it acts as a firewall at the subnet level, controlling inbound and outbound traffic for every resource in the subnets it is associated with. Unlike security groups, NACLs are stateless, so return traffic is not tracked and must be explicitly allowed by a rule in the opposite direction (typically on the ephemeral port range 1024-65535). Rules are evaluated in ascending rule-number order and the first match wins; traffic that matches no rule is denied by the implicit final rule. The default NACL of a VPC allows all traffic; a custom NACL denies all traffic until you add rules.

aws_network_acl (Network ACL)
attributes:
  • vpc_id - (Required) The ID of the associated VPC.
  • subnet_ids - (Optional) A list of Subnet IDs to apply the ACL to. A subnet can be associated with only one NACL at a time, so listing a subnet here replaces its current (default or other) association.
  • ingress - (Optional) Specifies an ingress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • egress - (Optional) Specifies an egress rule. Parameters defined below. This argument is processed in attribute-as-blocks mode.
  • tags - (Optional) A map of tags to assign to the resource. If configured with a provider default_tags configuration block present, tags with matching keys will overwrite those defined at the provider-level.

egress and ingress

Both arguments are processed in attribute-as-blocks mode.

Both egress and ingress support the following keys:

  • from_port - (Required) The from port to match.
  • to_port - (Required) The to port to match.
  • rule_no - (Required) The rule number. Used for ordering.
  • action - (Required) The action to take: allow or deny.
  • protocol - (Required) The protocol to match. If using the -1 'all' protocol, you must specify a from and to port of 0.
  • cidr_block - (Optional) The CIDR block to match. This must be a valid network mask.
  • ipv6_cidr_block - (Optional) The IPv6 CIDR block.
  • icmp_type - (Optional) The ICMP type to be used. Default 0.
  • icmp_code - (Optional) The ICMP type code to be used. Default 0.

Associating resources with a Network ACL
Resources do not "belong" to a Network ACL. A Network ACL is associated with subnets, and every subnet in a VPC is associated with exactly one Network ACL (the VPC's default ACL unless you associate another). Security groups, by contrast, are associated directly with individual resources (their network interfaces); a resource can have one or more security groups, and its subnet's NACL is applied in addition to them.
Create Network ACL via Terraform:
The following HCL creates a network ACL in the specified VPC with one ingress and one egress rule. No subnet_ids are given, so the ACL is created but not yet associated with any subnet. Note also that, because NACLs are stateless, each rule covers only one half of a connection: replies to the inbound HTTP requests (and to the outbound HTTPS connections) are dropped by the implicit deny unless you add rules for the ephemeral port range (1024-65535) in the opposite direction.
Syntax:

resource "aws_network_acl" "main" {
  vpc_id = aws_vpc.main.id

  # Outbound: allow TCP 443 towards 10.3.0.0/18 (rule 200).
  # Replies come back on ephemeral ports and need a matching ingress rule.
  egress {
    protocol   = "tcp"
    rule_no    = 200
    action     = "allow"
    cidr_block = "10.3.0.0/18"
    from_port  = 443
    to_port    = 443
  }

  # Inbound: allow TCP 80 from 10.3.0.0/18 (rule 100).
  # Replies leave on ephemeral ports and need a matching egress rule.
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "10.3.0.0/18"
    from_port  = 80
    to_port    = 80
  }

  tags = {
    Name = "main"
  }
}
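To see why the two rules above are not enough on their own, the following Python script is an added example (not from this page, from Terraform, or from AWS) that models how a NACL evaluates a packet: only rules for the packet's direction apply, they are tried in ascending rule_no, the first match decides, and anything unmatched hits the implicit deny. It replays the page's two rules against a constructed HTTP session, then against the same rules plus an ephemeral-port egress rule, and finally shows that a per-host deny only works when its rule number is lower than the allow it is meant to override. The client addresses and ports are constructed for illustration; ICMP type/code matching is not modelled.

```python
"""Model of AWS network ACL evaluation: stateless, per direction, first match by rule number."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL entry, using the same field names as the Terraform ingress/egress blocks."""
    rule_no: int
    egress: bool          # True for an egress block, False for ingress
    action: str           # "allow" or "deny"
    protocol: str         # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr_block: str
    from_port: int = 0
    to_port: int = 0


@dataclass(frozen=True)
class Flow:
    """One packet as the NACL sees it: direction, protocol, the address on the far side
    of the subnet boundary, and the destination port of this packet."""
    egress: bool
    protocol: str
    remote_ip: str
    port: int


def evaluate(rules, flow):
    """Return "allow" or "deny" for a packet.

    NACL semantics: only rules for the packet's direction apply, they are tried in
    ascending rule_no, the first matching rule decides, and the implicit final rule
    ("*") denies. Port ranges are checked for tcp/udp only; for icmp the port fields
    mean type/code, which this example does not model (simplification).
    """
    candidates = sorted((r for r in rules if r.egress == flow.egress), key=lambda r: r.rule_no)
    for rule in candidates:
        if rule.protocol != "-1" and rule.protocol != flow.protocol:
            continue
        if ipaddress.ip_address(flow.remote_ip) not in ipaddress.ip_network(rule.cidr_block):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.from_port <= flow.port <= rule.to_port):
            continue
        return rule.action
    return "deny"  # implicit "*" rule


# The two rules from the Terraform example on this page.
PAGE_RULES = [
    Rule(200, True, "allow", "tcp", "10.3.0.0/18", 443, 443),   # egress HTTPS
    Rule(100, False, "allow", "tcp", "10.3.0.0/18", 80, 80),    # ingress HTTP
]

# Same rules plus an egress rule for the ephemeral port range so HTTP replies can leave.
FIXED_RULES = PAGE_RULES + [
    Rule(300, True, "allow", "tcp", "10.3.0.0/18", 1024, 65535),
]

# Rule ordering: a deny for one host only takes effect if its rule_no is lower than the allow.
# 10.3.2.7 is a constructed "bad host" address inside 10.3.0.0/18.
EARLY_DENY_RULES = FIXED_RULES + [Rule(50, False, "deny", "tcp", "10.3.2.7/32", 80, 80)]
LATE_DENY_RULES = FIXED_RULES + [Rule(150, False, "deny", "tcp", "10.3.2.7/32", 80, 80)]


def http_session(rules, client_ip="10.3.1.25", client_port=51234):
    """Simulate a client in 10.3.0.0/18 (constructed address/port) talking to a web server
    in the subnet: the request enters on port 80, the reply leaves towards the client's
    ephemeral port. Returns the verdicts as (request, reply)."""
    request = Flow(egress=False, protocol="tcp", remote_ip=client_ip, port=80)
    reply = Flow(egress=True, protocol="tcp", remote_ip=client_ip, port=client_port)
    return evaluate(rules, request), evaluate(rules, reply)


if __name__ == "__main__":
    print("page rules :", http_session(PAGE_RULES))   # ('allow', 'deny'): the reply is dropped
    print("fixed rules:", http_session(FIXED_RULES))  # ('allow', 'allow')
    print("early deny :", http_session(EARLY_DENY_RULES, client_ip="10.3.2.7"))  # ('deny', 'allow')
    print("late deny  :", http_session(LATE_DENY_RULES, client_ip="10.3.2.7"))   # ('allow', 'allow')
```

The same first-match logic is why a "deny 0.0.0.0/0" added with a high rule number after broad allows has no effect, and why audits of NACLs should look at the rule numbers, not just at whether a deny exists.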

Create Network ACL via CLI:
Parameters:

create-network-acl
[--dry-run | --no-dry-run]
--vpc-id <value>
[--tag-specifications <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
[--debug]
[--endpoint-url <value>]
[--no-verify-ssl]
[--no-paginate]
[--output <value>]
[--query <value>]
[--profile <value>]
[--region <value>]
[--version <value>]
[--color <value>]
[--no-sign-request]
[--ca-bundle <value>]
[--cli-read-timeout <value>]
[--cli-connect-timeout <value>]
[--cli-binary-format <value>]
[--no-cli-pager]
[--cli-auto-prompt]
[--no-cli-auto-prompt]

Example:

aws ec2 create-network-acl --vpc-id vpc-a01106c2

This creates a custom NACL that contains only the implicit deny-all rule in each direction, so it blocks all traffic until entries are added (aws ec2 create-network-acl-entry), and it does not affect any subnet until it is associated with one (aws ec2 replace-network-acl-association). Use --dry-run to check that the caller has the required permissions without creating anything.

Best Practices for Network ACL

Categorized by Availability, Security & Compliance, and Cost

  • Security Group (SG) changes alarm (Info)