
Network ACLs overview in AWS - Commands & Configuration

Introduction
Network ACLs control traffic in and out of subnets in a virtual network. They protect your cloud resources by allowing or blocking specific traffic at the subnet level, before it reaches the instances inside. Typical situations where you would use them:
When you want to block certain IP addresses from accessing your subnet.
When you need an extra layer of security beyond security groups.
When you want to control traffic flow between different subnets.
When you want to allow or deny traffic based on protocol or port number.
When you want to log traffic that is allowed or denied for auditing.
Commands
This command creates a new Network ACL in the specified VPC to start controlling subnet traffic.
Terminal
aws ec2 create-network-acl --vpc-id vpc-0abc1234def567890
Expected Output
{
    "NetworkAcl": {
        "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
        "VpcId": "vpc-0abc1234def567890",
        "IsDefault": false,
        "Entries": [],
        "Associations": [],
        "Tags": []
    }
}
--vpc-id - Specifies the VPC where the Network ACL will be created
This command adds a rule to the Network ACL that denies outbound TCP traffic on port 80 to any destination address.
Terminal
aws ec2 create-network-acl-entry --network-acl-id acl-0a1b2c3d4e5f6g7h8 --rule-number 100 --protocol 6 --port-range From=80,To=80 --cidr-block 0.0.0.0/0 --egress --rule-action deny
Expected Output
No output (command runs silently)
--network-acl-id - Specifies which Network ACL to modify
--rule-number - Defines the priority of the rule; rules are evaluated in ascending order, so lower numbers are checked first
--protocol - The IANA protocol number to match; 6 is TCP, 17 is UDP, and -1 matches all protocols
--port-range - The destination port range to match; From=80,To=80 matches only port 80
--cidr-block - The IPv4 address range to match; 0.0.0.0/0 matches any address (either --cidr-block or --ipv6-cidr-block must be given)
--egress - Indicates this rule applies to outbound traffic; without it the rule applies to inbound traffic
--rule-action - Sets whether to allow or deny matching traffic
This command shows the details of the Network ACL including its rules to verify the configuration.
Terminal
aws ec2 describe-network-acls --network-acl-ids acl-0a1b2c3d4e5f6g7h8
Expected Output
{
    "NetworkAcls": [
        {
            "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
            "VpcId": "vpc-0abc1234def567890",
            "Entries": [
                {
                    "RuleNumber": 100,
                    "Protocol": "6",
                    "RuleAction": "deny",
                    "Egress": true,
                    "PortRange": {
                        "From": 80,
                        "To": 80
                    },
                    "CidrBlock": "0.0.0.0/0",
                    "Ipv6CidrBlock": null
                }
            ],
            "Associations": [],
            "IsDefault": false
        }
    ]
}
--network-acl-ids - Filters the output to show only the specified Network ACL
This command links the Network ACL to a specific subnet so its rules control traffic for that subnet.
Terminal
aws ec2 associate-network-acl --network-acl-id acl-0a1b2c3d4e5f6g7h8 --subnet-id subnet-0123456789abcdef0
Expected Output
{ "AssociationId": "aclassoc-1234abcd5678efgh9" }
--network-acl-id - Specifies the Network ACL to associate
--subnet-id - Specifies the subnet to apply the Network ACL to
Key Concept

If you remember nothing else from this pattern, remember: Network ACLs control traffic at the subnet level by evaluating their allow and deny rules in ascending rule-number order; the first rule that matches the traffic decides, and later rules are not consulted.
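As an added example (not code from this page or from AWS), the following Python models that evaluation order: entries sorted by rule number, first match decides, implicit deny when nothing matches. The entry list is a constructed sample in the shape of the describe-network-acls output above, with an allow-all rule and the catch-all deny rule 32767 that every Network ACL ends with added for illustration.

```python
import ipaddress
import json

# Constructed sample in the shape of describe-network-acls output: the page's
# deny-TCP-80 egress rule plus an allow-all egress rule and the implicit
# catch-all deny (rule 32767) that every Network ACL ends with.
SAMPLE = json.loads("""
{"NetworkAcls": [{"NetworkAclId": "acl-0a1b2c3d4e5f6g7h8", "Entries": [
  {"RuleNumber": 200, "Protocol": "-1", "RuleAction": "allow", "Egress": true,
   "CidrBlock": "0.0.0.0/0", "Ipv6CidrBlock": null},
  {"RuleNumber": 100, "Protocol": "6", "RuleAction": "deny", "Egress": true,
   "PortRange": {"From": 80, "To": 80}, "CidrBlock": "0.0.0.0/0", "Ipv6CidrBlock": null},
  {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": true,
   "CidrBlock": "0.0.0.0/0", "Ipv6CidrBlock": null}
]}]}
""")
ENTRIES = SAMPLE["NetworkAcls"][0]["Entries"]


def evaluate(entries, egress, protocol, port, address):
    """Return (RuleAction, RuleNumber) of the first entry matching the traffic.

    Entries are checked in ascending RuleNumber order and the first match wins,
    which is how AWS applies Network ACL rules. Rules are stateless: the reply
    to this traffic is evaluated separately against the opposite direction.
    """
    ip = ipaddress.ip_address(address)
    for entry in sorted(entries, key=lambda e: e["RuleNumber"]):
        if entry["Egress"] != egress:
            continue                      # wrong direction
        if entry["Protocol"] not in ("-1", str(protocol)):
            continue                      # -1 means any protocol
        port_range = entry.get("PortRange")
        if port_range and not port_range["From"] <= port <= port_range["To"]:
            continue                      # port outside the rule's range
        cidr = entry.get("CidrBlock") or entry.get("Ipv6CidrBlock")
        if ip not in ipaddress.ip_network(cidr):
            continue                      # address outside the rule's range
        return entry["RuleAction"], entry["RuleNumber"]
    return "deny", None                   # nothing matched: implicit deny


if __name__ == "__main__":
    # Outbound TCP/80 hits rule 100 (deny) before rule 200 (allow) is reached
    print(evaluate(ENTRIES, True, 6, 80, "203.0.113.10"))   # ('deny', 100)
    print(evaluate(ENTRIES, True, 6, 443, "203.0.113.10"))  # ('allow', 200)
```

Feed it the Entries array from a real describe-network-acls call to check which rule a given packet would hit before you associate the ACL with a subnet.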

Common Mistakes
Not specifying the correct VPC ID when creating a Network ACL.
The Network ACL will be created in the wrong VPC or the command will fail.
Always double-check and use the correct VPC ID for your environment.
Using the same rule number for multiple rules in a Network ACL.
Rule numbers must be unique; duplicate numbers cause errors or unexpected behavior.
Assign unique rule numbers to each rule, typically in increments of 100.
Forgetting to associate the Network ACL with a subnet after creating it.
Without association, the Network ACL rules do not apply to any subnet.
Always run the associate-network-acl command to link the ACL to the desired subnet.
Summary
Create a Network ACL in your VPC to start controlling subnet traffic.
Add rules with unique rule numbers to allow or deny specific traffic.
Associate the Network ACL with a subnet to enforce the rules on that subnet.
Verify your Network ACL and its rules using the describe command.