
Network ACL rules


You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC. When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it's associated with.

The following are the parts of a network ACL rule:

  • Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it.

  • Type. The type of traffic; for example, SSH. You can also specify all traffic or a custom range.

  • Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

  • Port range. The listening port or port range for the traffic. For example, 80 for HTTP traffic.

  • Source. [Inbound rules only] The source of the traffic (CIDR range).

  • Destination. [Outbound rules only] The destination for the traffic (CIDR range).

  • Allow/Deny. Whether to allow or deny the specified traffic.

For example rules, see Example: Control access to instances in a subnet.

Considerations

  • There are quotas (also known as limits) for the number of rules per network ACLs. For more information, see Amazon VPC quotas.

  • When you add or delete a rule from an ACL, any subnets that are associated with the ACL are subject to the change. The changes take effect after a short period.

  • If you add a rule using a command line tool or the Amazon EC2 API, the CIDR range is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR range, we create a rule with a 100.68.0.0/18 CIDR range.

  • You might want to add a deny rule in a situation where you must open a wide range of ports, but there are certain ports within the range that you want to deny. Be sure to give the deny rule a lower number than the rule that allows the wider range of port traffic.

  • If you add and delete rules from a network ACL at the same time, be careful. If you delete inbound or outbound rules and then add more new entries than are allowed (see Amazon VPC quotas), the entries selected for deletion are removed and the new entries are not added. This can cause unexpected connectivity issues and prevent access to and from your VPC.
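The points above about rule ordering (lowest number wins, so a deny must carry a lower number than the wide allow it carves a hole in) and about CIDR canonicalization are easy to get wrong when writing rules by hand. The following is an added illustration, not AWS code and not a description of how the VPC data plane is implemented: a small simulator that evaluates a rule set the way the page describes, and a helper that reproduces the canonical-form rewrite using Python's standard `ipaddress` module. The rule sets and packet values are constructed for the example, and the trailing `*` rule stands for the default deny that every network ACL ends with.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    """One network ACL entry, with the fields the page lists."""
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp", or "all"
    port_from: int   # inclusive port range (ignored for "all" and "icmp")
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    action: str      # "allow" or "deny"


def canonical_cidr(cidr: str) -> str:
    """Rewrite a CIDR to its canonical form, as the CLI/API does.

    Host bits are cleared, so 100.68.0.18/18 becomes 100.68.0.0/18.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


def matches(rule: NaclRule, protocol: str, port: int, address: str) -> bool:
    """True if the packet (protocol, port, address) is covered by the rule."""
    if rule.protocol != "all" and rule.protocol != protocol:
        return False
    if rule.protocol in ("tcp", "udp") and not (rule.port_from <= port <= rule.port_to):
        return False
    network = ipaddress.ip_network(canonical_cidr(rule.cidr))
    return ipaddress.ip_address(address) in network


def evaluate(rules, protocol: str, port: int, address: str):
    """Return (action, rule_number) of the first rule that matches.

    Rules are tried in ascending number order and the first match is final,
    regardless of any higher-numbered rule. If nothing matches, the implicit
    final '*' rule denies the traffic.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, port, address):
            return rule.action, rule.number
    return "deny", "*"


# Constructed inbound rule set: a wide allow on the ephemeral range with a
# deny for one port placed at a LOWER number, as the page recommends.
ORDERED_RULES = [
    NaclRule(100, "tcp", 3389, 3389, "0.0.0.0/0", "deny"),
    NaclRule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# The same intent with the deny numbered ABOVE the allow: the allow matches
# first, so the deny is never reached and 3389 stays open.
MISORDERED_RULES = [
    NaclRule(200, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
    NaclRule(300, "tcp", 3389, 3389, "0.0.0.0/0", "deny"),
]


if __name__ == "__main__":
    print("canonical:", canonical_cidr("100.68.0.18/18"))
    print("ordered, 3389:", evaluate(ORDERED_RULES, "tcp", 3389, "203.0.113.10"))
    print("misordered, 3389:", evaluate(MISORDERED_RULES, "tcp", 3389, "203.0.113.10"))
    print("ordered, 22:", evaluate(ORDERED_RULES, "tcp", 22, "203.0.113.10"))
```

Running the script shows the misordered set allowing port 3389 at rule 200 while the ordered set denies it at rule 100; a quick evaluation like this against a planned rule set is a cheap check before applying changes that take effect on every associated subnet.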

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.