Custom network ACLs
The following example shows a custom network ACL for a VPC that supports IPv4 only. It includes inbound rules that allow HTTP and HTTPS traffic (100 and 110). There's a corresponding outbound rule that enables responses to that inbound traffic (140), which covers ephemeral ports 32768-65535. For more information about how to select the appropriate ephemeral port range, see Ephemeral ports.
The network ACL also includes inbound rules (120 and 130) that allow SSH and RDP traffic into the subnet, but only from a single trusted IPv4 range. Outbound rule 120 enables the responses to those sessions to leave the subnet. It covers ports 1024-65535 toward that same range rather than ports 22 and 3389, because the client side of an SSH or RDP session uses an ephemeral port.
The network ACL has outbound rules (100 and 110) that allow outbound HTTP and HTTPS traffic out of the subnet. There's a corresponding inbound rule that enables responses to that outbound traffic (140), which covers ephemeral ports 32768-65535.
Each network ACL includes a default rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other rules, it's denied. You can't modify or remove this rule.
The following table shows the inbound rules for a custom network ACL for a VPC that supports IPv4 only.

Rule # | Type | Protocol | Port range | Source | Allow/Deny | Comments |
---|---|---|---|---|---|---|
100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows inbound HTTP traffic from any IPv4 address. |
110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows inbound HTTPS traffic from any IPv4 address. |
120 | SSH | TCP | 22 | 192.0.2.0/24 | ALLOW | Allows inbound SSH traffic from your home network's public IPv4 address range (over the internet gateway). |
130 | RDP | TCP | 3389 | 192.0.2.0/24 | ALLOW | Allows inbound RDP traffic to the web servers from your home network's public IPv4 address range (over the internet gateway). |
140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows inbound return IPv4 traffic from the internet (that is, for requests that originate in the subnet). This range is an example only. |
* | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable). |
The following table shows the outbound rules for a custom network ACL for a VPC that supports IPv4 only.

Rule # | Type | Protocol | Port range | Destination | Allow/Deny | Comments |
---|---|---|---|---|---|---|
100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTP traffic from the subnet to the internet. |
110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTPS traffic from the subnet to the internet. |
120 | Custom TCP | TCP | 1024-65535 | 192.0.2.0/24 | ALLOW | Allows outbound return traffic for the SSH and RDP sessions admitted by inbound rules 120 and 130 to your home network's public IPv4 address range (over the internet gateway). The client side of those sessions uses an ephemeral port, not 22 or 3389, which is why the range is wide. |
140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet). This range is an example only. |
* | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable). |
When a packet arrives at the subnet, it's evaluated against the inbound rules of the network ACL that the subnet is associated with, starting with the lowest-numbered rule and stopping at the first rule that matches. Here's how the evaluation goes for a packet destined for the HTTPS port (443). The packet doesn't match the first rule evaluated (rule 100, port 80). It does match the second rule (110), which allows the packet into the subnet. If the packet had been destined for port 139 (NetBIOS), it wouldn't match any of the numbered rules, and the * rule would deny it. Note what rule 140 implies, though: a network ACL is stateless and can't tell a response apart from a new connection, so a packet from any IPv4 address to any port in 32768-65535 is also allowed into the subnet by rule 140. Deciding which of those ports actually accept connections is the job of the security groups on the instances, not of the network ACL.
You might want to add a deny rule when you legitimately need to open a wide range of ports but want to block certain ports within that range. Because rules are evaluated in ascending order and the first match wins, give the deny rule a lower rule number than the rule that allows the wide range. A deny rule with a higher number is never reached for packets that the allow rule has already matched.
You add allow rules depending on your use case. For example, you can add a rule that allows outbound TCP and UDP access on port 53 for DNS resolution. For every rule that you add, ensure that there is a corresponding rule in the other direction that allows the response traffic. A DNS reply, for instance, arrives as UDP from port 53 to an ephemeral port on the instance, so it needs an inbound UDP rule that covers the ephemeral range; the TCP-only rule 140 in the example tables doesn't admit it.
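To make the evaluation order, the placement of deny rules, and the response-rule requirement in the preceding three paragraphs concrete, here is an added example in Python that models the IPv4-only tables above and replays the evaluation against them. It is not AWS code and not part of the original page. The rule numbers, ports and CIDRs are the page's own; the function names, the `STAR` sentinel standing in for the * rule, the sample client addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) and the port 40000 used to illustrate a carve-out are assumptions made for this example.

```python
"""Stateless, first-match evaluation of a VPC network ACL, plus a check that
every allow rule has a matching return-traffic rule in the other direction.

Added example, not AWS code. Rule numbers, ports and CIDRs are taken from the
IPv4-only tables on this page; helper names, the STAR sentinel, the sample
addresses and port 40000 are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

STAR = 32767  # stands in for the fixed '*' rule; real rule numbers stop at 32766, so it sorts last
EPHEMERAL = (32768, 65535)  # the page's example return-traffic range; see "Ephemeral ports"


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str  # "tcp", "udp" or "all"
    ports: tuple   # inclusive (low, high); (0, 65535) for "all"
    cidr: str      # source for an inbound rule, destination for an outbound rule
    action: str    # "ALLOW" or "DENY"
    comment: str = ""


# Every network ACL ends with one non-modifiable '*' DENY per address family.
STAR_RULES = [
    Rule(STAR, "all", (0, 65535), "0.0.0.0/0", "DENY", "* deny remaining IPv4"),
    Rule(STAR, "all", (0, 65535), "::/0", "DENY", "* deny remaining IPv6"),
]

# Inbound and outbound tables of the IPv4-only example on this page.
INBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW", "HTTP from any IPv4 address"),
    Rule(110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW", "HTTPS from any IPv4 address"),
    Rule(120, "tcp", (22, 22), "192.0.2.0/24", "ALLOW", "SSH from the home network"),
    Rule(130, "tcp", (3389, 3389), "192.0.2.0/24", "ALLOW", "RDP from the home network"),
    Rule(140, "tcp", EPHEMERAL, "0.0.0.0/0", "ALLOW", "return traffic for requests from the subnet"),
]
OUTBOUND = [
    Rule(100, "tcp", (80, 80), "0.0.0.0/0", "ALLOW", "HTTP to the internet"),
    Rule(110, "tcp", (443, 443), "0.0.0.0/0", "ALLOW", "HTTPS to the internet"),
    Rule(120, "tcp", (1024, 65535), "192.0.2.0/24", "ALLOW", "SSH and RDP responses to the home network"),
    Rule(140, "tcp", EPHEMERAL, "0.0.0.0/0", "ALLOW", "responses to internet clients"),
]


def evaluate(rules, protocol, port, address):
    """Return (action, rule) for the first matching rule, in ascending rule-number
    order with the '*' rules last. The ACL is stateless: only this one packet is
    consulted, so a SYN to an ephemeral port looks exactly like a response."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number) + STAR_RULES:
        low, high = rule.ports
        if (rule.protocol in ("all", protocol) and low <= port <= high
                and addr in ipaddress.ip_network(rule.cidr)):  # False across address families
            return rule.action, rule
    raise AssertionError("unreachable: a '*' rule matches every packet")


def covers(rule, protocol, cidr, ports):
    """True if an ALLOW rule admits every packet of `protocol` for all of `cidr` and `ports`."""
    if rule.action != "ALLOW" or rule.protocol not in ("all", protocol):
        return False
    want, have = ipaddress.ip_network(cidr), ipaddress.ip_network(rule.cidr)
    if want.version != have.version or not want.subnet_of(have):
        return False
    return rule.ports[0] <= ports[0] and ports[1] <= rule.ports[1]


def unmatched_allows(requests, responses):
    """Allow rules in `requests` whose replies no rule in `responses` admits.

    A reply travels in the opposite direction to the peer's ephemeral port, so the
    response table needs an ALLOW for the same protocol, a CIDR containing the
    request rule's CIDR, and the whole EPHEMERAL range. Call with (INBOUND, OUTBOUND)
    for requests the subnet serves and (OUTBOUND, INBOUND) for requests it makes.
    """
    return [r for r in requests
            if r.action == "ALLOW"
            and not any(covers(s, r.protocol, r.cidr, EPHEMERAL) for s in responses)]


if __name__ == "__main__":
    for port in (443, 139, 40000):  # 40000 is a constructed port inside rule 140's range
        action, rule = evaluate(INBOUND, "tcp", port, "198.51.100.7")
        print(f"inbound tcp/{port} from the internet: {action} by rule {rule.number}")
    # A deny rule only wins if its number is lower than the wide allow it carves out of.
    deny = Rule(135, "tcp", (40000, 40000), "0.0.0.0/0", "DENY", "block 40000 ahead of rule 140")
    print("with deny 135:", evaluate(INBOUND + [deny], "tcp", 40000, "198.51.100.7")[0])
    dns = Rule(150, "udp", (53, 53), "0.0.0.0/0", "ALLOW", "outbound DNS")
    print("DNS without a UDP return rule:", unmatched_allows(OUTBOUND + [dns], INBOUND))
```

Two things the run makes visible that the tables alone do not: a packet from the internet to port 40000 is allowed by rule 140 just as a response would be, and the same deny rule blocks it when numbered 135 but is dead when numbered 150. `unmatched_allows` is the check to run after every rule you add; it flags the outbound UDP/53 rule until an inbound UDP rule covering the ephemeral range exists. Because `ipaddress` never matches an address against a network of the other family, an IPv6 source falls straight through the IPv4 rules to the IPv6 * rule, which is the separation the IPv6 example below relies on.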
The following example shows a custom network ACL for a VPC that has an associated IPv6 CIDR block. This network ACL includes rules for all IPv6 HTTP and HTTPS traffic. In this case, new rules were inserted between the existing rules for IPv4 traffic. You can also add the rules as higher number rules after the IPv4 rules. IPv4 and IPv6 traffic are separate, and therefore none of the rules for the IPv4 traffic apply to the IPv6 traffic.
The following table shows the inbound rules for a custom network ACL for a VPC that has an associated IPv6 CIDR block.

Rule # | Type | Protocol | Port range | Source | Allow/Deny | Comments |
---|---|---|---|---|---|---|
100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows inbound HTTP traffic from any IPv4 address. |
105 | HTTP | TCP | 80 | ::/0 | ALLOW | Allows inbound HTTP traffic from any IPv6 address. |
110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows inbound HTTPS traffic from any IPv4 address. |
115 | HTTPS | TCP | 443 | ::/0 | ALLOW | Allows inbound HTTPS traffic from any IPv6 address. |
120 | SSH | TCP | 22 | 192.0.2.0/24 | ALLOW | Allows inbound SSH traffic from your home network's public IPv4 address range (over the internet gateway). |
130 | RDP | TCP | 3389 | 192.0.2.0/24 | ALLOW | Allows inbound RDP traffic to the web servers from your home network's public IPv4 address range (over the internet gateway). |
140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows inbound return IPv4 traffic from the internet (that is, for requests that originate in the subnet). This range is an example only. |
145 | Custom TCP | TCP | 32768-65535 | ::/0 | ALLOW | Allows inbound return IPv6 traffic from the internet (that is, for requests that originate in the subnet). This range is an example only. |
* | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable). |
* | All traffic | All | All | ::/0 | DENY | Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable). |
The following table shows the outbound rules for a custom network ACL for a VPC that has an associated IPv6 CIDR block. Rule 120 is carried over unchanged from the IPv4-only example, because the SSH and RDP sessions admitted by inbound rules 120 and 130 still need their responses allowed out.

Rule # | Type | Protocol | Port range | Destination | Allow/Deny | Comments |
---|---|---|---|---|---|---|
100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTP traffic from the subnet to the internet. |
105 | HTTP | TCP | 80 | ::/0 | ALLOW | Allows outbound IPv6 HTTP traffic from the subnet to the internet. |
110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTPS traffic from the subnet to the internet. |
115 | HTTPS | TCP | 443 | ::/0 | ALLOW | Allows outbound IPv6 HTTPS traffic from the subnet to the internet. |
120 | Custom TCP | TCP | 1024-65535 | 192.0.2.0/24 | ALLOW | Allows outbound return traffic for the SSH and RDP sessions admitted by inbound rules 120 and 130 to your home network's public IPv4 address range (over the internet gateway). |
140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet). This range is an example only. |
145 | Custom TCP | TCP | 32768-65535 | ::/0 | ALLOW | Allows outbound IPv6 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet). This range is an example only. |
* | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable). |
* | All traffic | All | All | ::/0 | DENY | Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable). |
Custom network ACLs and other AWS services
If you create a custom network ACL, be aware of how it might affect resources that you create using other AWS services.
With Elastic Load Balancing, if the subnet for your backend instances has a network ACL in which you've added a deny rule for all traffic with a source of either 0.0.0.0/0 or the subnet's CIDR, your load balancer can't carry out health checks on the instances. For more information about the recommended network ACL rules for your load balancers and backend instances, see the following: