Network ACLs
Network Access Control Lists (ACLs) act as a stateless firewall for controlling traffic in and out of subnets (tiers) within a VPC. Unlike Security Groups, which operate at the instance level, Network ACLs apply to all traffic entering or leaving a subnet.
Key Characteristics
- Stateless: The list keeps no connection state. A reply to allowed inbound traffic is evaluated against the egress rules (and vice versa), so return traffic, which normally arrives on ephemeral ports, must be allowed explicitly in both directions.
- Subnet-Level: Rules apply to the entire subnet, affecting all instances within it.
- Ordered Evaluation: Rules are processed in numerical order (lowest number first). The first matching rule determines the action (Allow/Deny).
- Default Deny: By default, a new ACL list denies all traffic until rules are added.
Creating an ACL List
- Navigate to Network > Network ACL Lists.
- Click Add ACL List.
- Name: Provide a descriptive name (e.g., “Web-Public-Inbound”).
- VPC: Select the VPC where this list will be used.
Adding Rules
Once the list is created, click on it to add rules:
- Number: The priority (1-999). Lower numbers are evaluated first; leaving gaps (100, 110, 120, ...) lets you insert a rule later without renumbering.
- CIDR: The source IP range for Ingress (e.g., 0.0.0.0/0 for the internet) or the destination range for Egress.
- Action: Allow or Deny.
- Protocol: TCP, UDP, ICMP, or All.
- Port Range: A single destination port (80) or one contiguous range (1024-65535); applies to TCP and UDP. A rule cannot list two separate ports, so 80 and 443 need two rules.
- Traffic Type: Ingress (Inbound) or Egress (Outbound).
Example Configuration: Web Tier
Ingress Rules:
- Prio 100: Allow TCP 80 from 0.0.0.0/0 (HTTP)
- Prio 110: Allow TCP 443 from 0.0.0.0/0 (HTTPS)
- Prio 120: Allow TCP 22 from YOUR_OFFICE_IP/32 (SSH management)
- Prio 130: Allow TCP 1024-65535 from 0.0.0.0/0 and Prio 131: Allow UDP 1024-65535 from 0.0.0.0/0 (return traffic for the outbound connections listed under Egress; because the list is stateless, without these rules update downloads and DNS replies are dropped)
Egress Rules:
- Prio 100: Allow TCP 1024-65535 to 0.0.0.0/0 (return traffic for the inbound HTTP, HTTPS and SSH connections)
- Prio 110: Allow TCP 80 to 0.0.0.0/0 and Prio 111: Allow TCP 443 to 0.0.0.0/0 (software updates; one rule per port, since a rule takes a single port or one contiguous range)
- Prio 120: Allow UDP 53 to 0.0.0.0/0 and Prio 121: Allow TCP 53 to 0.0.0.0/0 (DNS resolution; one rule per protocol)
Note that the ingress ephemeral-port rules admit any packet destined for ports 1024-65535, so a service listening above 1023 is reachable from the internet at the ACL layer and must still be protected on the instance itself. This is the cost of a stateless filter and the reason a Network ACL should be one layer of control rather than the only one.
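To see how the characteristics above (stateless, ordered, first match, default deny) play out against the web-tier list, the following Python model is added here as an illustration; it is not the platform's own code. The Rule and Packet classes, the evaluate() function and the sample addresses (203.0.113.10 standing in for YOUR_OFFICE_IP, 198.51.100.0/24 playing the internet) are assumptions of the example. Because a rule carries one protocol and one port or contiguous range, the page's "80/443" and "UDP/TCP 53" entries are split into two rules each (110/111 and 120/121), and two ingress rules (130/131) cover the ephemeral-port return traffic that the stateless list otherwise drops.

```python
# Added example: a model of a stateless, ordered, first-match, default-deny
# network ACL list. It is not the platform's own code; Rule, Packet and
# evaluate() are assumptions of this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int        # priority 1-999; lowest number is evaluated first
    traffic: str       # "ingress" or "egress"
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp" or "all"
    cidr: str          # source CIDR for ingress, destination CIDR for egress
    start_port: int = 0
    end_port: int = 65535


@dataclass(frozen=True)
class Packet:
    traffic: str       # direction relative to the subnet
    protocol: str
    remote_ip: str     # source address for ingress, destination address for egress
    dst_port: int      # the instance's port for ingress, the remote port for egress


def evaluate(rules: Iterable[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, number of the rule that matched).

    Rules for the packet's direction are walked in numerical order and the
    first match decides; no match means the default deny (None).
    """
    for rule in sorted((r for r in rules if r.traffic == pkt.traffic),
                       key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != pkt.protocol:
            continue
        if ip_address(pkt.remote_ip) not in ip_network(rule.cidr, strict=False):
            continue
        # ICMP has no ports; for TCP/UDP the range is checked against the destination port
        if pkt.protocol in ("tcp", "udp") and not rule.start_port <= pkt.dst_port <= rule.end_port:
            continue
        return rule.action, rule.number
    return "deny", None


OFFICE_IP = "203.0.113.10"  # constructed stand-in for YOUR_OFFICE_IP

# The web-tier list as written on this page. A rule carries one protocol and one
# port or contiguous range, so "80/443" becomes rules 110 and 111 and "UDP/TCP 53"
# becomes rules 120 and 121.
WEB_TIER_RULES: List[Rule] = [
    Rule(100, "ingress", "allow", "tcp", "0.0.0.0/0", 80, 80),
    Rule(110, "ingress", "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(120, "ingress", "allow", "tcp", OFFICE_IP + "/32", 22, 22),
    Rule(100, "egress", "allow", "tcp", "0.0.0.0/0", 1024, 65535),
    Rule(110, "egress", "allow", "tcp", "0.0.0.0/0", 80, 80),
    Rule(111, "egress", "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(120, "egress", "allow", "udp", "0.0.0.0/0", 53, 53),
    Rule(121, "egress", "allow", "tcp", "0.0.0.0/0", 53, 53),
]

# Ingress rules for replies to the tier's own outbound connections. The list is
# stateless, so without them update downloads and DNS answers never get in.
RETURN_TRAFFIC_RULES: List[Rule] = [
    Rule(130, "ingress", "allow", "tcp", "0.0.0.0/0", 1024, 65535),
    Rule(131, "ingress", "allow", "udp", "0.0.0.0/0", 1024, 65535),
]

# Constructed packets: 198.51.100.0/24 plays the internet.
HTTP_REQUEST = Packet("ingress", "tcp", "198.51.100.7", 80)
HTTP_REPLY = Packet("egress", "tcp", "198.51.100.7", 51873)     # reply to the request above
DNS_QUERY = Packet("egress", "udp", "198.51.100.53", 53)
DNS_REPLY = Packet("ingress", "udp", "198.51.100.53", 44321)    # answer to the query above
SSH_FROM_INTERNET = Packet("ingress", "tcp", "198.51.100.7", 22)
SSH_FROM_OFFICE = Packet("ingress", "tcp", OFFICE_IP, 22)

# A deny rule placed before the HTTP allow wins; the same rule numbered after it never fires.
BLOCK_EARLY = Rule(90, "ingress", "deny", "all", "198.51.100.0/24")
BLOCK_LATE = Rule(200, "ingress", "deny", "all", "198.51.100.0/24")


if __name__ == "__main__":
    for label, rules, pkt in [
        ("inbound HTTP", WEB_TIER_RULES, HTTP_REQUEST),
        ("its reply", WEB_TIER_RULES, HTTP_REPLY),
        ("outbound DNS query", WEB_TIER_RULES, DNS_QUERY),
        ("DNS reply, page rules only", WEB_TIER_RULES, DNS_REPLY),
        ("DNS reply, with return rules", WEB_TIER_RULES + RETURN_TRAFFIC_RULES, DNS_REPLY),
        ("SSH from internet", WEB_TIER_RULES, SSH_FROM_INTERNET),
        ("SSH from office", WEB_TIER_RULES, SSH_FROM_OFFICE),
        ("HTTP with deny at 90", [BLOCK_EARLY] + WEB_TIER_RULES, HTTP_REQUEST),
        ("HTTP with deny at 200", [BLOCK_LATE] + WEB_TIER_RULES, HTTP_REQUEST),
    ]:
        print(f"{label:32} -> {evaluate(rules, pkt)}")
```

Run it and compare the "DNS reply" lines: with only the ingress rules shown on the page, the answer to the tier's own query is dropped by the default deny, and it is only admitted once the ephemeral-port ingress rules are present. The last two lines show why rule numbers matter: a deny at 90 blocks the same HTTP request that a deny at 200 never gets to see.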
Associating with a Network
To apply the rules:
- Navigate to Network > VPC.
- Select your VPC and go to the Networks tab.
- Edit the desired Tier (Subnet).
- Change the ACL dropdown to your new list.
- Save. The changes apply immediately to every instance in the tier; because the list is stateless, established connections get no exemption, so a rule set missing return-traffic rules breaks live sessions the moment it is attached.