You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC. When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it's associated with.
The following are the parts of a network ACL rule:
- Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it.
- Type. The type of traffic; for example, SSH. You can also specify all traffic or a custom range.
- Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.
- Port range. The listening port or port range for the traffic. For example, 80 for HTTP traffic.
- Source. [Inbound rules only] The source of the traffic (CIDR range).
- Destination. [Outbound rules only] The destination for the traffic (CIDR range).
- Allow/Deny. Whether to allow or deny the specified traffic.
If you add a rule using a command line tool or the Amazon EC2 API, the CIDR range is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR range, we create a rule with a 100.68.0.0/18 CIDR range.
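The following is an added illustration, not code from this documentation or from AWS, of the two behaviours described above: rules are evaluated in ascending rule-number order with the first match winning (so a lower-numbered deny beats a higher-numbered allow), and a CIDR given with host bits set is stored in canonical form. The rule set and the addresses tested against it are constructed for the example. It also models the catch-all deny that ends every network ACL when no numbered rule matches; the field names and helper functions are the example's own, not the EC2 API's.

```python
import ipaddress

# Constructed rule shape mirroring the documented parts of a network ACL rule:
# rule number, protocol, port range, CIDR (source for inbound rules), allow/deny.
def make_rule(number, protocol, port_from, port_to, cidr, action):
    return {
        "number": number,
        "protocol": protocol,          # "tcp", "udp", "icmp" or "all"
        "port_from": port_from,
        "port_to": port_to,
        # strict=False clears host bits, which is the canonicalisation the
        # CLI/API applies: 100.68.0.18/18 is stored as 100.68.0.0/18.
        "cidr": ipaddress.ip_network(cidr, strict=False),
        "action": action,              # "allow" or "deny"
    }


def canonical_cidr(cidr: str) -> str:
    """Return the canonical form of a CIDR as the EC2 API would store it."""
    return str(ipaddress.ip_network(cidr, strict=False))


# Constructed inbound rule set. Deliberately listed out of order to show that
# evaluation follows the rule number, not the position in the list.
INBOUND_RULES = [
    make_rule(300, "tcp", 80, 80, "0.0.0.0/0", "allow"),          # HTTP from anywhere
    make_rule(100, "tcp", 22, 22, "100.68.0.18/18", "allow"),     # SSH from one /18 (canonicalised)
    make_rule(200, "tcp", 22, 22, "0.0.0.0/0", "deny"),           # SSH from everywhere else
]


def evaluate(rules, protocol: str, port: int, address: str):
    """Evaluate a packet against the rules lowest number first; first match wins.

    Returns (rule_number, action). If no numbered rule matches, the network
    ACL's catch-all rule "*" denies the traffic.
    """
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r["number"]):
        if rule["protocol"] not in ("all", protocol):
            continue
        # Port ranges only apply to TCP/UDP rules; ICMP rules carry type/code instead.
        if rule["protocol"] in ("tcp", "udp") and not (
            rule["port_from"] <= port <= rule["port_to"]
        ):
            continue
        if addr not in rule["cidr"]:
            continue
        return rule["number"], rule["action"]
    return "*", "deny"


if __name__ == "__main__":
    print(canonical_cidr("100.68.0.18/18"))                 # 100.68.0.0/18
    print(evaluate(INBOUND_RULES, "tcp", 22, "100.68.10.5"))  # (100, 'allow')
    print(evaluate(INBOUND_RULES, "tcp", 22, "100.70.0.1"))   # (200, 'deny')
    print(evaluate(INBOUND_RULES, "tcp", 80, "203.0.113.7"))  # (300, 'allow')
    print(evaluate(INBOUND_RULES, "udp", 53, "203.0.113.7"))  # ('*', 'deny')
```

Note that 100.70.0.1 is outside 100.68.0.0/18 (which spans 100.68.0.0 to 100.68.63.255), so it falls through rule 100 to the deny in rule 200; had the deny been numbered below the allow, even hosts inside the /18 would be blocked, which is the ordering pitfall the rule-number description warns about.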