AWS Network ACL (Access Control List)
AWS Network ACL (Access Control List) is a security feature that controls inbound and outbound traffic to and from your Amazon Web Services (AWS) Virtual Private Cloud (VPC).
Network ACLs are stateless: a rule that allows a request in one direction does not automatically allow the reply in the other, so both the inbound and the outbound direction must be explicitly allowed. Each subnet within a VPC can have its own network ACL, and each network ACL can have multiple rules.
Network ACLs allow or deny traffic based on rules that you define. Each rule can specify source or destination IP addresses (as CIDR blocks), ports, and protocols. Rules are evaluated in order, starting with the lowest rule number, and the first rule that matches the traffic is applied; later rules are not consulted. If no rule matches the traffic, the default rule is applied.
Here is an example of an AWS Network ACL, defined in Terraform:

```hcl
resource "aws_network_acl" "main_acl" {
  vpc_id = aws_vpc.main_vpc.id

  # Outbound rule 200: allow TCP port 443 to any destination.
  egress {
    protocol   = "tcp"
    rule_no    = 200
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }

  # Inbound rule 100: allow TCP port 80 from any source.
  # Note: because the ACL is stateless, replies to these port-80 requests
  # leave the subnet towards the client's ephemeral port, which no egress
  # rule here covers; a matching egress rule for that port range is needed
  # for the HTTP exchange to complete.
  ingress {
    protocol   = "tcp"
    rule_no    = 100
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 80
    to_port    = 80
  }

  tags = {
    Name = "main_acl"
  }
}
```
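The following is an added example, not part of the original post or of AWS's own tooling: a small Python model of the evaluation order described above (lowest rule number first, first match wins, catch-all deny when nothing matches) and of the stateless check that a flow needs both its request and its reply allowed. The `NaclRule`, `Packet`, `evaluate` and `flow_allowed` names, the sample rules and the addresses are our own constructions; the two starting rules mirror the Terraform example above.

```python
# Added example (not from the original post): a simplified model of how AWS
# evaluates network ACL rules, used to check the stateless behaviour.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    rule_no: int
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr_block: str    # source CIDR for ingress rules, destination CIDR for egress rules
    from_port: int
    to_port: int


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str     # the non-VPC side: source for ingress, destination for egress
    dst_port: int      # destination port of the packet


def rule_matches(rule: NaclRule, pkt: Packet) -> bool:
    """A rule matches when protocol, CIDR and (unless protocol is 'all') port range match."""
    if rule.protocol != "-1" and rule.protocol != pkt.protocol:
        return False
    if ipaddress.ip_address(pkt.remote_ip) not in ipaddress.ip_network(rule.cidr_block):
        return False
    if rule.protocol != "-1" and not (rule.from_port <= pkt.dst_port <= rule.to_port):
        return False
    return True


def evaluate(rules: list, pkt: Packet) -> tuple:
    """Lowest rule number first; the first match wins. With no match, the ACL's
    final '*' rule applies and denies the packet (reported with rule_no None)."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if rule_matches(rule, pkt):
            return rule.action, rule.rule_no
    return "deny", None


def flow_allowed(ingress: list, egress: list, client_ip: str, client_port: int,
                 server_port: int, protocol: str = "tcp") -> dict:
    """Stateless check for one client->server flow: the request must pass the
    ingress rules AND the reply (sent back to the client's ephemeral port) must
    pass the egress rules, because a network ACL does not track connections."""
    request = Packet(protocol, client_ip, server_port)
    reply = Packet(protocol, client_ip, client_port)
    req = evaluate(ingress, request)
    rep = evaluate(egress, reply)
    return {"request": req, "reply": rep,
            "allowed": req[0] == "allow" and rep[0] == "allow"}


# The two rules from the Terraform example above.
INGRESS = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80)]
EGRESS = [NaclRule(200, "allow", "tcp", "0.0.0.0/0", 443, 443)]

# Egress with an added rule covering the ephemeral port range that replies use
# (1024-65535 is the range AWS documents for this purpose).
EGRESS_WITH_EPHEMERAL = EGRESS + [NaclRule(210, "allow", "tcp", "0.0.0.0/0", 1024, 65535)]

# Constructed sample addresses (documentation ranges, not real hosts).
CLIENT_IP = "203.0.113.10"
BLOCKED_CIDR = "198.51.100.0/24"


if __name__ == "__main__":
    # 1. With the page's rules alone, the HTTP request gets in but the reply is dropped.
    print(flow_allowed(INGRESS, EGRESS, CLIENT_IP, 50000, 80))
    # 2. With the ephemeral-port egress rule added, the flow works end to end.
    print(flow_allowed(INGRESS, EGRESS_WITH_EPHEMERAL, CLIENT_IP, 50000, 80))
    # 3. Ordering matters: a deny numbered below the broad allow takes effect ...
    deny_low = NaclRule(50, "deny", "tcp", BLOCKED_CIDR, 80, 80)
    print(evaluate(INGRESS + [deny_low], Packet("tcp", "198.51.100.7", 80)))
    # ... but the same deny numbered above it is shadowed and never reached.
    deny_high = NaclRule(150, "deny", "tcp", BLOCKED_CIDR, 80, 80)
    print(evaluate(INGRESS + [deny_high], Packet("tcp", "198.51.100.7", 80)))
```

Running the script shows the two points a reviewer of a network ACL should look for: an ingress allow with no corresponding egress rule for the ephemeral port range leaves the flow half-open, and a deny rule only has an effect if its number is lower than any allow rule that would otherwise match the same traffic.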
Network ACLs work in conjunction with Security Groups to provide multiple layers of security for a VPC. While Network ACLs operate at the subnet level, Security Groups operate at the instance level; unlike the stateless network ACL, a security group is stateful, so return traffic for an allowed connection is permitted automatically.