
Network ACLs

A network access control list (ACL) is an optional layer of security for your VPC for controlling traffic in and out of one or more subnets.

NACLs

Select any of the subnets, and scroll down to the Network ACL tab to look at the default NACL rules. Rules are evaluated in order of rule number, from lowest to highest, and the first matching rule decides. If the traffic doesn’t match any rule, the * rule is applied and the traffic is denied. The default NACL of a VPC allows all inbound and outbound traffic, as shown below, unless customized.

(Screenshot: default NACL rules)

Create a new Network ACL for workload subnets in VPC A

  1. On the VPC Dashboard, click Network ACLs

  2. Click Create network ACL

    (Screenshot: NACL Dashboard)

  3. In the Network ACL settings screen

    • Enter a name of VPC A Workload Subnets NACL
    • Select VPC A from the dropdown
    • Click Create network ACL

    (Screenshot: Create Workload Subnets NACL)

    The result will be a new NACL for VPC A alongside the default NACL created when the VPC was created.

  4. In the resulting Network ACLs screen

    • Select the checkbox for VPC A Workload Subnets NACL
    • Scroll down to the Subnet associations tab
    • Click Edit subnet associations

    (Screenshot: Edit NACL Associations)

  5. In the Edit subnet associations screen

    • Select all four VPC A subnets to associate them with the NACL
    • Click Save changes.

    (Screenshot: Select Subnets)

    The NACL should now be associated with all four subnets, as shown on the following screen. Because a newly created NACL contains only the DENY rule for inbound and outbound traffic, we will now change its rules to allow all traffic in both directions.

  6. In the Network ACLs screen

    • Select the checkbox for VPC A Workload Subnets NACL
    • Scroll down and select the Inbound Rules tab below
    • Notice that there is only a DENY all rule
    • Click Edit inbound rules

    (Screenshot: Edit Rules)

  7. In the Edit inbound rules screen

    • Click Add new rule
    • Input 100 in Rule number
    • Choose All traffic in Type
    • Leave Source as 0.0.0.0/0
    • Click Save changes

    (Screenshot: Save Changes)

  8. In the resulting screen you should have a success banner and a new Allow rule under the Inbound rules tab:

    (Screenshot: Success Screen)

    Now follow the same steps described above for inbound rules, but on the Outbound Rules tab of the NACL.

  9. On the Outbound Rules tab

    • Note that there is only a DENY all rule
    • Click Edit outbound rules

    (Screenshot: Outbound Rules)

  10. In the Edit outbound rules screen

    • Click Add new rule
    • Input 100 in Rule number
    • Choose All traffic in Type
    • Leave Destination as 0.0.0.0/0
    • Click Save changes

    (Screenshot: Edit Outbound Rules)

  11. On the resulting screen check that the rule has been added under the Outbound rules tab

    (Screenshot: Save Changes)
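The same steps can be scripted instead of clicked through. The following is an added example, not the workshop's own code: it drives the boto3 EC2 client through steps 3 to 10 (create the NACL, add rule 100 ALLOW all traffic inbound and outbound, then move each subnet's association from the VPC default NACL to the new one). The VPC and subnet ids, the `FakeEc2` stand-in and the `acl-constructed0001` id are constructed so the script runs offline; swap in `boto3.client("ec2")` and real ids to run it against an account.

```python
"""Hypothetical automation of the console steps above (not the workshop's own code).
Uses the boto3 EC2 client API; a small in-memory stand-in lets it run offline."""
from typing import Dict, List

ALLOW_ALL_CIDR = "0.0.0.0/0"


def allow_all_entry(acl_id: str, egress: bool, rule_number: int = 100) -> Dict:
    """Parameters for ec2.create_network_acl_entry matching steps 7 and 10:
    rule 100, all traffic, 0.0.0.0/0, ALLOW. Egress=False is the inbound rule."""
    return {
        "NetworkAclId": acl_id,
        "RuleNumber": rule_number,
        "Protocol": "-1",  # -1 selects all protocols ("All traffic" in the console)
        "RuleAction": "allow",
        "Egress": egress,
        "CidrBlock": ALLOW_ALL_CIDR,
    }


def current_association_id(ec2, subnet_id: str) -> str:
    """Every subnet is associated with exactly one NACL (the VPC default until changed).
    replace_network_acl_association needs that association id (step 5)."""
    resp = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}]
    )
    for acl in resp["NetworkAcls"]:
        for assoc in acl.get("Associations", []):
            if assoc["SubnetId"] == subnet_id:
                return assoc["NetworkAclAssociationId"]
    raise LookupError(f"no NACL association found for {subnet_id}")


def create_workload_nacl(ec2, vpc_id: str, subnet_ids: List[str],
                         name: str = "VPC A Workload Subnets NACL") -> str:
    """Steps 3-10 of the walkthrough: create the NACL, add the two allow-all rules,
    then move each subnet's association from the default NACL to the new one."""
    acl_id = ec2.create_network_acl(
        VpcId=vpc_id,
        TagSpecifications=[{"ResourceType": "network-acl",
                            "Tags": [{"Key": "Name", "Value": name}]}],
    )["NetworkAcl"]["NetworkAclId"]
    # A new NACL starts with only the "*" DENY rule in each direction (steps 6 and 9).
    ec2.create_network_acl_entry(**allow_all_entry(acl_id, egress=False))  # step 7
    ec2.create_network_acl_entry(**allow_all_entry(acl_id, egress=True))   # step 10
    for subnet_id in subnet_ids:                                           # step 5
        ec2.replace_network_acl_association(
            AssociationId=current_association_id(ec2, subnet_id), NetworkAclId=acl_id
        )
    return acl_id


class FakeEc2:
    """Constructed offline stand-in for boto3.client('ec2'): records calls and
    answers describe_network_acls as if every subnet still used the default NACL."""

    def __init__(self):
        self.calls: List[tuple] = []

    def create_network_acl(self, **kw):
        self.calls.append(("create_network_acl", kw))
        return {"NetworkAcl": {"NetworkAclId": "acl-constructed0001"}}

    def create_network_acl_entry(self, **kw):
        self.calls.append(("create_network_acl_entry", kw))
        return {}

    def describe_network_acls(self, **kw):
        subnet_id = kw["Filters"][0]["Values"][0]
        return {"NetworkAcls": [{"NetworkAclId": "acl-default", "Associations": [
            {"NetworkAclAssociationId": f"aclassoc-{subnet_id}", "SubnetId": subnet_id}]}]}

    def replace_network_acl_association(self, **kw):
        self.calls.append(("replace_network_acl_association", kw))
        return {"NewAssociationId": "aclassoc-new"}


SUBNETS = ["subnet-a1", "subnet-a2", "subnet-a3", "subnet-a4"]  # constructed ids

if __name__ == "__main__":
    # Replace FakeEc2() with boto3.client("ec2") and use real vpc/subnet ids to run for real.
    ec2 = FakeEc2()
    print(create_workload_nacl(ec2, "vpc-constructed", SUBNETS))
    print([c[0] for c in ec2.calls])
```

Associations are replaced rather than created because a subnet can never be without a NACL: the console's "Edit subnet associations" does the same replacement behind the scenes.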

Important

Allowing all traffic in and out of your subnets is not a good security posture. You can use NACLs to set broad rules and/or DENY rules, and then use Security Groups to create fine-grained rules. For example, you can deny traffic from specific IPs with NACLs but not with Security Groups.
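To make the evaluation order described in the NACLs section and the "deny specific IPs" pattern from the note above concrete, here is an added example (not part of the workshop) that models how a NACL decides on a packet: rules are tried from the lowest rule number upward, the first match wins, and anything unmatched falls through to the * rule, which denies. The rule sets, addresses and the `NaclRule` type are constructed for illustration; NACLs are also stateless, so inbound and outbound are each evaluated on their own rule list.

```python
"""Model of NACL rule evaluation (added example, not AWS code).
Rules are ordered by number; the first match decides; no match means the '*' DENY."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class NaclRule:
    number: int             # lower numbers are evaluated first
    protocol: str           # "all", "tcp", "udp" or "icmp"
    cidr: str               # source CIDR for inbound, destination CIDR for outbound
    action: str             # "allow" or "deny"
    port_from: Optional[int] = None   # None means any port (e.g. "All traffic")
    port_to: Optional[int] = None


def evaluate(rules: List[NaclRule], protocol: str, addr: str,
             port: int) -> Tuple[str, Union[int, str]]:
    """Return (action, rule_number) for one packet in one direction.
    The '*' catch-all is not stored; it is the implicit final deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        if rule.port_from is not None and not (rule.port_from <= port <= rule.port_to):
            continue
        return rule.action, rule.number
    return "deny", "*"


# The inbound list the walkthrough ends with: rule 100, all traffic, 0.0.0.0/0, ALLOW.
WORKSHOP_INBOUND = [NaclRule(100, "all", "0.0.0.0/0", "allow")]

# The pattern from the note: deny SSH from one constructed range, then allow the rest.
# The deny must carry a LOWER number than the allow, or it is never reached.
EXAMPLE_INBOUND = [
    NaclRule(90, "tcp", "203.0.113.0/24", "deny", 22, 22),
    NaclRule(100, "all", "0.0.0.0/0", "allow"),
]

# Same two rules with the numbers swapped: rule 100 matches first, so the deny is dead.
MISORDERED_INBOUND = [
    NaclRule(110, "tcp", "203.0.113.0/24", "deny", 22, 22),
    NaclRule(100, "all", "0.0.0.0/0", "allow"),
]

if __name__ == "__main__":
    print(evaluate(WORKSHOP_INBOUND, "tcp", "198.51.100.7", 443))   # ('allow', 100)
    print(evaluate([], "tcp", "198.51.100.7", 443))                 # ('deny', '*')
    print(evaluate(EXAMPLE_INBOUND, "tcp", "203.0.113.5", 22))      # ('deny', 90)
    print(evaluate(EXAMPLE_INBOUND, "tcp", "203.0.113.5", 443))     # ('allow', 100)
    print(evaluate(MISORDERED_INBOUND, "tcp", "203.0.113.5", 22))   # ('allow', 100)
```

The `MISORDERED_INBOUND` case is the check worth running on any NACL you inherit: a DENY rule numbered above a broad ALLOW is silently ineffective, which is why the note recommends putting the broad and DENY rules in the NACL and leaving fine-grained allows to Security Groups.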

We will explore Network ACLs and Security Groups more in the Basic Security section.