Custom network ACL - Amazon Virtual Private Cloud

Custom network ACL

The following example shows a custom network ACL for a VPC that supports IPv4 only. It includes inbound rules that allow HTTP and HTTPS traffic (100 and 110). There's a corresponding outbound rule that enables responses to that inbound traffic (140), which covers ephemeral ports 32768-65535. For more information about how to select the appropriate ephemeral port range, see Ephemeral ports.

The network ACL also includes inbound rules that allow SSH and RDP traffic into the subnet. Outbound rule 120 enables responses to leave the subnet.

The network ACL has outbound rules (100 and 110) that allow outbound HTTP and HTTPS traffic out of the subnet. There's a corresponding inbound rule that enables responses to that outbound traffic (140), which covers ephemeral ports 32768-65535.

Each network ACL includes a default rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other rules, it's denied. You can't modify or remove this rule.

Inbound

| Rule # | Type | Protocol | Port range | Source | Allow/Deny | Comments |
|---|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows inbound HTTP traffic from any IPv4 address. |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows inbound HTTPS traffic from any IPv4 address. |
| 120 | SSH | TCP | 22 | 192.0.2.0/24 | ALLOW | Allows inbound SSH traffic from your home network's public IPv4 address range (over the internet gateway). |
| 130 | RDP | TCP | 3389 | 192.0.2.0/24 | ALLOW | Allows inbound RDP traffic to the web servers from your home network's public IPv4 address range (over the internet gateway). |
| 140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows inbound return IPv4 traffic from the internet (that is, for requests that originate in the subnet). This range is an example only. |
| * | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable). |

Outbound

| Rule # | Type | Protocol | Port range | Destination | Allow/Deny | Comments |
|---|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTP traffic from the subnet to the internet. |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTPS traffic from the subnet to the internet. |
| 120 | SSH | TCP | 1024-65535 | 192.0.2.0/24 | ALLOW | Allows outbound return SSH traffic to your home network's public IPv4 address range (over the internet gateway). |
| 140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet). This range is an example only. |
| * | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable). |

As a packet comes to the subnet, we evaluate it against the inbound rules of the ACL that the subnet is associated with (starting at the top of the list of rules, and moving to the bottom). Here's how the evaluation goes if the packet is destined for the HTTPS port (443). The packet doesn't match the first rule evaluated (rule 100). It does match the second rule (110), which allows the packet into the subnet. If the packet had been destined for port 139 (NetBIOS), it wouldn't match any of the rules, and the * rule would ultimately deny it.

You might want to add a deny rule in a situation where you legitimately need to open a wide range of ports, but there are certain ports within the range that you want to deny. Just make sure to place the deny rule earlier in the table than the rule that allows the wide range of port traffic.

You add allow rules depending on your use case. For example, you can add a rule that allows outbound TCP and UDP access on port 53 for DNS resolution. For every rule that you add, ensure that there is a corresponding inbound or outbound rule that allows response traffic.

The following example shows a custom network ACL for a VPC that has an associated IPv6 CIDR block. This network ACL includes rules for all IPv6 HTTP and HTTPS traffic. In this case, new rules were inserted between the existing rules for IPv4 traffic. You can also add the rules as higher number rules after the IPv4 rules. IPv4 and IPv6 traffic are separate, and therefore none of the rules for the IPv4 traffic apply to the IPv6 traffic.

Inbound

| Rule # | Type | Protocol | Port range | Source | Allow/Deny | Comments |
|---|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows inbound HTTP traffic from any IPv4 address. |
| 105 | HTTP | TCP | 80 | ::/0 | ALLOW | Allows inbound HTTP traffic from any IPv6 address. |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows inbound HTTPS traffic from any IPv4 address. |
| 115 | HTTPS | TCP | 443 | ::/0 | ALLOW | Allows inbound HTTPS traffic from any IPv6 address. |
| 120 | SSH | TCP | 22 | 192.0.2.0/24 | ALLOW | Allows inbound SSH traffic from your home network's public IPv4 address range (over the internet gateway). |
| 130 | RDP | TCP | 3389 | 192.0.2.0/24 | ALLOW | Allows inbound RDP traffic to the web servers from your home network's public IPv4 address range (over the internet gateway). |
| 140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows inbound return IPv4 traffic from the internet (that is, for requests that originate in the subnet). This range is an example only. |
| 145 | Custom TCP | TCP | 32768-65535 | ::/0 | ALLOW | Allows inbound return IPv6 traffic from the internet (that is, for requests that originate in the subnet). This range is an example only. |
| * | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable). |
| * | All traffic | All | All | ::/0 | DENY | Denies all inbound IPv6 traffic not already handled by a preceding rule (not modifiable). |

Outbound

| Rule # | Type | Protocol | Port range | Destination | Allow/Deny | Comments |
|---|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTP traffic from the subnet to the internet. |
| 105 | HTTP | TCP | 80 | ::/0 | ALLOW | Allows outbound IPv6 HTTP traffic from the subnet to the internet. |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 HTTPS traffic from the subnet to the internet. |
| 115 | HTTPS | TCP | 443 | ::/0 | ALLOW | Allows outbound IPv6 HTTPS traffic from the subnet to the internet. |
| 140 | Custom TCP | TCP | 32768-65535 | 0.0.0.0/0 | ALLOW | Allows outbound IPv4 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet). This range is an example only. |
| 145 | Custom TCP | TCP | 32768-65535 | ::/0 | ALLOW | Allows outbound IPv6 responses to clients on the internet (for example, serving webpages to people visiting the web servers in the subnet). This range is an example only. |
| * | All traffic | All | All | 0.0.0.0/0 | DENY | Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable). |
| * | All traffic | All | All | ::/0 | DENY | Denies all outbound IPv6 traffic not already handled by a preceding rule (not modifiable). |
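The following Python is an added example, not part of the AWS documentation, that models the evaluation described for both example ACLs: rules are tried in ascending rule-number order, the first match wins, the implicit * rule denies whatever is left, IPv4 rules never match IPv6 packets (and vice versa), and because a network ACL is stateless a connection only works when the request passes the inbound table and the reply passes the outbound table. The rule lists merge the IPv4-only example (including its outbound rule 120 for SSH return traffic) with the IPv6 rules inserted in the second example. The client addresses 203.0.113.10, 198.51.100.7 and 2001:db8::10, the client port 51000, and the two-rule table in `deny_within_range` are constructed for the demonstration.

```python
"""Stateless network ACL evaluation, modelled on the example tables above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int               # evaluated in ascending order; the implicit '*' rule comes last
    protocol: str             # "tcp", "udp", "icmp" or "all"
    port_from: Optional[int]  # None means all ports
    port_to: Optional[int]
    cidr: str                 # source CIDR (inbound table) or destination CIDR (outbound table)
    action: str               # "ALLOW" or "DENY"

    def matches(self, protocol: str, port: int, address: str) -> bool:
        net = ipaddress.ip_network(self.cidr)
        addr = ipaddress.ip_address(address)
        # IPv4 and IPv6 traffic are separate: a 0.0.0.0/0 rule never matches an IPv6 packet.
        if addr.version != net.version or addr not in net:
            return False
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.port_from is not None and not (self.port_from <= port <= self.port_to):
            return False
        return True


def evaluate(rules: List[Rule], protocol: str, port: int, address: str) -> Tuple[str, Union[int, str]]:
    """First matching rule wins, lowest number first; anything unmatched hits the '*' rule (DENY)."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, address):
            return rule.action, rule.number
    return "DENY", "*"


# Inbound rules: IPv4 rules from the first example plus the IPv6 rules (105, 115, 145) from the second.
INBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "ALLOW"),
    Rule(105, "tcp", 80, 80, "::/0", "ALLOW"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    Rule(115, "tcp", 443, 443, "::/0", "ALLOW"),
    Rule(120, "tcp", 22, 22, "192.0.2.0/24", "ALLOW"),
    Rule(130, "tcp", 3389, 3389, "192.0.2.0/24", "ALLOW"),
    Rule(140, "tcp", 32768, 65535, "0.0.0.0/0", "ALLOW"),
    Rule(145, "tcp", 32768, 65535, "::/0", "ALLOW"),
]
# Outbound rules: same merge; rule 120 (SSH return traffic) is taken from the IPv4-only example.
OUTBOUND = [
    Rule(100, "tcp", 80, 80, "0.0.0.0/0", "ALLOW"),
    Rule(105, "tcp", 80, 80, "::/0", "ALLOW"),
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "ALLOW"),
    Rule(115, "tcp", 443, 443, "::/0", "ALLOW"),
    Rule(120, "tcp", 1024, 65535, "192.0.2.0/24", "ALLOW"),
    Rule(140, "tcp", 32768, 65535, "0.0.0.0/0", "ALLOW"),
    Rule(145, "tcp", 32768, 65535, "::/0", "ALLOW"),
]


def check_flow(client_ip: str, client_port: int, server_port: int, protocol: str = "tcp"):
    """Network ACLs are stateless: the client's request must pass the inbound table AND the
    server's reply (to the client's ephemeral port) must pass the outbound table.
    Returns ((action, rule), (action, rule)) for the request and the reply."""
    request = evaluate(INBOUND, protocol, server_port, client_ip)
    reply = evaluate(OUTBOUND, protocol, client_port, client_ip)
    return request, reply


def deny_within_range(deny_rule_number: int):
    """Constructed two-rule table: an allow for the wide range 1-1023 at rule 150 and a deny
    for port 139 (NetBIOS). The deny only takes effect when its number is lower than the
    allow rule covering the range, because evaluation stops at the first match."""
    rules = [
        Rule(150, "tcp", 1, 1023, "0.0.0.0/0", "ALLOW"),
        Rule(deny_rule_number, "tcp", 139, 139, "0.0.0.0/0", "DENY"),
    ]
    return evaluate(rules, "tcp", 139, "198.51.100.7")  # constructed client address


if __name__ == "__main__":
    print(check_flow("203.0.113.10", 51000, 443))  # IPv4 web client: (('ALLOW', 110), ('ALLOW', 140))
    print(check_flow("2001:db8::10", 51000, 443))  # IPv6 web client: (('ALLOW', 115), ('ALLOW', 145))
    print(check_flow("192.0.2.5", 51000, 22))      # SSH from the home range: (('ALLOW', 120), ('ALLOW', 120))
    print(check_flow("203.0.113.10", 51000, 22))   # SSH from elsewhere: request denied by '*'
    print(check_flow("203.0.113.10", 51000, 139))  # NetBIOS: (('DENY', '*'), ('ALLOW', 140))
    print(deny_within_range(145), deny_within_range(160))  # ('DENY', 145) ('ALLOW', 150)
```

The `check_flow` results make the stateless point concrete: if outbound rule 140 were removed, the request to port 443 would still be allowed inbound, but the reply to the client's ephemeral port would be dropped by the outbound * rule, and the connection would fail even though the "interesting" rule is present.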