AwsConceptBeginner · 3 min read

What is Network ACL in VPC: Simple Explanation and Example

A network ACL in a VPC is a security layer that controls traffic in and out of subnets by allowing or denying specific IP addresses and ports. It acts like a firewall at the subnet level, filtering traffic before it reaches instances.

How It Works

Think of a network ACL as a security guard standing at the entrance of a neighborhood (the subnet). This guard checks every car (network packet) coming in or going out and decides if it can pass based on a list of rules. These rules specify which cars are allowed or denied based on their license plate (IP address) and type (port/protocol).

Unlike security groups, which work like personal bodyguards for each house (instance), network ACLs protect the whole neighborhood. They evaluate rules in order, from the lowest to the highest rule number, and apply the first matching rule. If no numbered rule matches, the traffic is denied by default, making the ACL a strict gatekeeper.


Example

This example shows how to create a network ACL in AWS using Terraform. It allows inbound HTTP traffic and denies all other inbound traffic, while allowing all outbound traffic.

```terraform
resource "aws_network_acl" "example" {
  vpc_id = "vpc-12345678" # placeholder; use the ID of your own VPC
  tags = {
    Name = "example-acl"
  }
}

# Rule 100 is evaluated first: allow TCP port 80 (HTTP) from anywhere.
resource "aws_network_acl_rule" "allow_http_inbound" {
  network_acl_id = aws_network_acl.example.id
  rule_number    = 100
  egress         = false
  protocol       = "6" # TCP
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 80
  to_port        = 80
}

# Rule 200 catches everything rule 100 did not match. Every network ACL
# already ends with an implicit "*" deny rule, so this rule is redundant,
# but it makes the intent explicit.
resource "aws_network_acl_rule" "deny_all_inbound" {
  network_acl_id = aws_network_acl.example.id
  rule_number    = 200
  egress         = false
  protocol       = "-1" # all protocols; ports are ignored
  rule_action    = "deny"
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}

# Network ACLs are stateless, so the replies to inbound HTTP requests
# (which leave for the client's ephemeral port) must be allowed outbound.
resource "aws_network_acl_rule" "allow_all_outbound" {
  network_acl_id = aws_network_acl.example.id
  rule_number    = 100
  egress         = true
  protocol       = "-1"
  rule_action    = "allow"
  cidr_block     = "0.0.0.0/0"
  from_port      = 0
  to_port        = 0
}
```

Output

```text
Apply complete! Resources: 4 added, 0 changed, 0 destroyed.
```

When to Use

Use network ACLs when you want to control traffic at the subnet level, especially for broad rules that apply to many instances. They are useful for adding an extra layer of security or blocking known bad IP addresses before traffic reaches your instances.

For example, you might use a network ACL to block all traffic from a suspicious IP range or to allow only HTTP and HTTPS traffic into a public subnet. They work well alongside security groups, which control traffic at the instance level.

Key Points

  • Network ACLs act as a firewall for subnets, controlling inbound and outbound traffic.
  • Rules are evaluated in order, and the first match is applied.
  • They are stateless, so return traffic must be explicitly allowed.
  • Default network ACL denies all inbound and allows all outbound traffic.
  • Use them for broad subnet-level traffic control alongside security groups.
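The ordered, first-match, stateless evaluation described above can be checked without an AWS account. The following Python model is an added example, not part of the original article: the `NaclRule` class, the `evaluate` function and the sample rule sets are hypothetical names constructed here, mirroring the fields of the Terraform rules on this page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    """One numbered rule. cidr_block is the source for inbound rules and
    the destination for outbound rules, as in a real network ACL."""
    rule_number: int
    egress: bool
    protocol: str        # "6" = TCP, "17" = UDP, "-1" = all protocols
    rule_action: str     # "allow" or "deny"
    cidr_block: str
    from_port: int = 0
    to_port: int = 0

    def matches(self, egress, protocol, addr, port):
        if self.egress != egress:
            return False
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if ip_address(addr) not in ip_network(self.cidr_block):
            return False
        if self.protocol == "-1":        # all-protocol rules ignore ports
            return True
        return self.from_port <= port <= self.to_port


def evaluate(rules, egress, protocol, addr, port):
    """Lowest rule number first, first match wins; anything unmatched hits
    the implicit '*' deny that ends every network ACL."""
    for rule in sorted(rules, key=lambda r: r.rule_number):
        if rule.matches(egress, protocol, addr, port):
            return rule.rule_action, rule.rule_number
    return "deny", "*"


def http_session_verdict(rules, client_ip, client_port):
    """Both halves of one HTTP exchange through a stateless ACL: the request
    arrives on port 80, the reply leaves for the client's ephemeral port."""
    request, _ = evaluate(rules, False, "6", client_ip, 80)
    reply, _ = evaluate(rules, True, "6", client_ip, client_port)
    return request, reply


# Constructed rule sets: the page's example, and a stricter outbound variant
# that only allows destination port 80 and therefore breaks HTTP replies.
PAGE_RULES = [
    NaclRule(100, False, "6", "allow", "0.0.0.0/0", 80, 80),
    NaclRule(200, False, "-1", "deny", "0.0.0.0/0"),
    NaclRule(100, True, "-1", "allow", "0.0.0.0/0"),
]
STRICT_OUTBOUND = [
    NaclRule(100, False, "6", "allow", "0.0.0.0/0", 80, 80),
    NaclRule(100, True, "6", "allow", "0.0.0.0/0", 80, 80),
]
```

Running `http_session_verdict(STRICT_OUTBOUND, "203.0.113.10", 51515)` returns `("allow", "deny")`: the request gets in, but the reply to the client's ephemeral port is dropped, which is the stateless pitfall the key points warn about.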

Key Takeaways

  • Network ACLs control traffic at the subnet level by allowing or denying IP traffic based on rules.
  • They are stateless, so you must allow both inbound and outbound traffic explicitly.
  • Rules are processed in order, and the first matching rule is applied.
  • Use network ACLs to add broad security controls alongside instance-level security groups.
  • By default, network ACLs deny all inbound and allow all outbound traffic.