AWS · Cloud · ~30 mins

Network ACLs overview in AWS - Mini Project: Build & Apply

Network ACLs overview
📖 Scenario: You are setting up a simple network in AWS. You want to control traffic flow at the subnet level using Network ACLs (Access Control Lists). This helps protect your resources by allowing or denying specific traffic.
🎯 Goal: Build a Network ACL with rules that allow inbound HTTP and HTTPS traffic and deny all other inbound traffic. Also, allow all outbound traffic.
📋 What You'll Learn
Create a Network ACL resource named MyNetworkAcl.
Add inbound rules to allow HTTP (port 80) and HTTPS (port 443) traffic.
Add an inbound rule to deny all other traffic.
Add an outbound rule to allow all traffic.
Use valid AWS CloudFormation syntax.
💡 Why This Matters
🌍 Real World
Network ACLs are used in AWS to control traffic at the subnet level, providing an additional layer of security for your cloud resources.
💼 Career
Understanding how to configure Network ACLs is important for cloud engineers and architects to secure AWS environments effectively.
Step 1. Create the Network ACL resource
Create a Network ACL resource named MyNetworkAcl using AWS CloudFormation syntax. Set the VpcId property to vpc-123abc.

Hint: Use the AWS::EC2::NetworkAcl resource type and set VpcId to vpc-123abc.

Step 2. Add inbound rules to allow HTTP and HTTPS
Add two inbound rules to MyNetworkAcl to allow HTTP traffic on port 80 and HTTPS traffic on port 443. Use rule numbers 100 for HTTP and 110 for HTTPS. Set Protocol to 6 (TCP), RuleAction to allow, and CidrBlock to 0.0.0.0/0.

Hint: Each rule is its own AWS::EC2::NetworkAclEntry resource that references MyNetworkAcl through NetworkAclId. Set Egress: false for inbound rules and give each rule a PortRange with From and To.

Step 3. Add inbound rule to deny all other traffic
Add an inbound rule to MyNetworkAcl that denies all other inbound traffic. Use rule number 120, Protocol -1 (all protocols), RuleAction deny, Egress false, and CidrBlock 0.0.0.0/0.

Hint: Use Protocol: -1 to match all protocols and RuleAction: deny to block traffic.

Step 4. Add outbound rule to allow all traffic
Add an outbound rule to MyNetworkAcl that allows all outbound traffic. Use rule number 100, Protocol -1, RuleAction allow, Egress true, and CidrBlock 0.0.0.0/0.

Hint: Set Egress: true for outbound rules and allow all protocols with Protocol: -1.
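The four steps above assembled into one deployable template. This is an added example written for this page, not the exercise's own solution. It uses the VPC id vpc-123abc from the exercise and adds one thing the steps do not ask for: a SubnetId parameter and an AWS::EC2::SubnetNetworkAclAssociation, because a Network ACL only filters traffic once it is associated with a subnet. The parameter name and the association resource are assumptions for the "apply" half of the project.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Description: >
  Network ACL that allows inbound HTTP/HTTPS, denies all other inbound
  traffic, and allows all outbound traffic (added example for the exercise).

Parameters:
  # Assumed parameter: the subnet the ACL should be applied to.
  SubnetId:
    Type: AWS::EC2::Subnet::Id
    Description: Subnet to associate MyNetworkAcl with

Resources:
  # Step 1: the ACL itself, attached to the exercise's VPC id.
  MyNetworkAcl:
    Type: AWS::EC2::NetworkAcl
    Properties:
      VpcId: vpc-123abc
      Tags:
        - Key: Name
          Value: MyNetworkAcl

  # Step 2: inbound rule 100, allow TCP/80 (HTTP) from anywhere.
  InboundAllowHttp:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref MyNetworkAcl
      RuleNumber: 100
      Protocol: 6          # 6 = TCP
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 80
        To: 80

  # Step 2: inbound rule 110, allow TCP/443 (HTTPS) from anywhere.
  InboundAllowHttps:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref MyNetworkAcl
      RuleNumber: 110
      Protocol: 6
      RuleAction: allow
      Egress: false
      CidrBlock: 0.0.0.0/0
      PortRange:
        From: 443
        To: 443

  # Step 3: inbound rule 120, deny everything not matched by 100/110.
  # Rules are evaluated in ascending order and the first match wins,
  # so this only sees traffic that is neither TCP/80 nor TCP/443.
  InboundDenyAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref MyNetworkAcl
      RuleNumber: 120
      Protocol: -1         # -1 = all protocols
      RuleAction: deny
      Egress: false
      CidrBlock: 0.0.0.0/0

  # Step 4: outbound rule 100, allow all traffic leaving the subnet.
  OutboundAllowAll:
    Type: AWS::EC2::NetworkAclEntry
    Properties:
      NetworkAclId: !Ref MyNetworkAcl
      RuleNumber: 100
      Protocol: -1
      RuleAction: allow
      Egress: true
      CidrBlock: 0.0.0.0/0

  # Assumed: apply the ACL to a subnet so the rules actually take effect.
  MySubnetAclAssociation:
    Type: AWS::EC2::SubnetNetworkAclAssociation
    Properties:
      SubnetId: !Ref SubnetId
      NetworkAclId: !Ref MyNetworkAcl
```

Deploy it with `aws cloudformation deploy --template-file nacl.yaml --stack-name nacl-demo --parameter-overrides SubnetId=<your subnet id>`. Two points worth checking before you rely on this ruleset: Network ACLs are stateless, so rule 120 also drops the replies to connections that instances in the subnet open themselves (those replies arrive on ephemeral ports, not 80 or 443), which is why production ACLs usually add an inbound allow for the ephemeral port range; and every ACL already ends with an implicit deny-all rule (shown as `*` in the console), so rule 120 makes the deny explicit and visible in the template rather than changing what is blocked.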