Network ACL (NWACL)

What are Network ACLs (NWACL)?

A Network ACL (NWACL) is associated with a VPC-Network and provides fine-grained network access control for that VPC-Network.

To open the NWACL page for a network, click "Networks", then click "Your Networks". Right-click the network, then click "Open Access Control".


Each Network ACL (NWACL) consists of a list of Rules (NWACL Rules), similar to firewall rules, that can be used to "Allow" or "Deny" "Incoming" or "Outgoing" network traffic.

NWACL Rule

An NWACL Rule is the smallest unit of control for enforcing an access control policy.

Each NWACL Rule is associated with a single VPC-Network and is automatically assigned an unmodifiable "ID" by the system when the Rule is created.

For each NWACL rule you can:

  • specify a Name
  • specify a Sequence number
    • Sequence numbers determine the order in which rules are evaluated.
    • Lower sequence numbers have higher priority and are evaluated first.
  • select either “Allow” or “Deny” network traffic
  • select either “Incoming” or “Outgoing” network traffic
  • select Protocol -> TCP/UDP/Ping
  • specify application Port number (22, 80, 8080 etc.)
  • specify Network IP(s) or Subnets.


The following image depicts sample NWACL rules for a network. It shows rules that allow ("Allow") both "Incoming" and "Outgoing" traffic.


Note that NWACL rules are primarily used to allow or deny network traffic from one network to another. For "Allow" rules, the target or source network might therefore also need corresponding "Allow" rules for the inflow or outflow of that traffic.


The following operations are permitted on NWACL Rules:

  • Add new Rule(s)
  • Copy an existing Rule to create a new Rule, which will automatically be assigned a unique “ID”.
  • Delete a Rule (whether Saved or Submitted).
  • Modify a non-Submitted Rule.
  • Save a modified Rule.
    • A “Saved” Rule is not applied to your VPC-Network.
    • It needs to be "Submitted" to be applied to your VPC-Network.
  • Submit a Rule
    • A “Submitted” Rule is applied to the Network.
    • A “Submitted” Rule cannot be:
      • modified.
      • re-Submitted.
    • A “Submitted” Rule can be:
      • deleted.
      • copied to create a new un-Submitted and un-Saved Rule.
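The rule attributes listed above (sequence number ordering, Allow/Deny, direction, protocol, port, networks) and the Saved/Submitted state can be modelled as a small first-match evaluator. This is an added illustration, not the platform's own code: the field names, the constructed sample rule set, and the choice to return no decision (rather than assume a default) when no Submitted rule matches are assumptions, since the page does not state what the platform does in that case.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Model of one NWACL Rule as described on this page (field names are assumptions).
@dataclass(frozen=True)
class Rule:
    rule_id: int            # system-assigned, unmodifiable ID
    name: str
    sequence: int           # lower sequence = higher priority, evaluated first
    action: str             # "Allow" or "Deny"
    direction: str          # "Incoming" or "Outgoing"
    protocol: str           # "TCP", "UDP" or "Ping"
    port: Optional[int]     # application port; None for Ping
    networks: tuple         # IPs or subnets, e.g. ("10.0.0.0/24",)
    submitted: bool = False # only Submitted rules are applied to the network

def matches(rule: Rule, direction: str, protocol: str, port: Optional[int], addr: str) -> bool:
    """True when the described traffic falls under this rule."""
    if rule.direction != direction or rule.protocol != protocol:
        return False
    # A port is only meaningful for TCP/UDP; Ping rules ignore it.
    if rule.protocol != "Ping" and rule.port != port:
        return False
    ip = ip_address(addr)
    return any(ip in ip_network(n, strict=False) for n in rule.networks)

def evaluate(rules, direction: str, protocol: str, port: Optional[int], addr: str) -> Optional[Rule]:
    """Return the first Submitted rule that matches, in ascending sequence order.

    Saved-but-not-Submitted rules are skipped because the page states they are
    not applied. None means no Submitted rule matched; the page does not say
    what the platform does then, so the caller decides (assumption).
    """
    applied = sorted((r for r in rules if r.submitted), key=lambda r: (r.sequence, r.rule_id))
    for r in applied:
        if matches(r, direction, protocol, port, addr):
            return r
    return None

# Constructed sample rule set for one VPC-Network (not from the page).
SAMPLE_RULES = [
    Rule(1, "deny-ssh-from-guest", 10, "Deny", "Incoming", "TCP", 22, ("10.20.0.0/16",), submitted=True),
    Rule(2, "allow-ssh-internal", 20, "Allow", "Incoming", "TCP", 22, ("10.0.0.0/8",), submitted=True),
    Rule(3, "allow-web-out", 30, "Allow", "Outgoing", "TCP", 80, ("0.0.0.0/0",), submitted=True),
    Rule(4, "allow-ping", 40, "Allow", "Incoming", "Ping", None, ("10.0.0.0/8",), submitted=False),
]

def decide(direction: str, protocol: str, port: Optional[int], addr: str) -> Optional[str]:
    """Name the rule that decides this traffic, or None if no Submitted rule matched."""
    r = evaluate(SAMPLE_RULES, direction, protocol, port, addr)
    return None if r is None else f"{r.action}:{r.name}"
```

Because rule 1 (sequence 10) precedes rule 2 (sequence 20), SSH from 10.20.0.0/16 is denied even though the broader 10.0.0.0/8 allow would also match, and the Saved-only ping rule never takes effect.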