Network ACL (NWACL)

What are Network ACLs (NWACLs)?

A Network ACL (NWACL) is associated with a VPC-Network and provides fine-grained network access control for that VPC-Network.

To open the NWACL page for a network, click "Networks", then click "Your Networks". Right-click the network, then click "Open Access Control".


Each Network ACL (NWACL) consists of a list of Rules (NWACL Rules), similar to firewall rules, which can be added to "Allow" or "Deny" "Incoming" or "Outgoing" network traffic.

NWACL Rules are stateless: a rule that allows traffic in one direction does not automatically allow the corresponding return traffic in the other direction.

NWACL Rule Syntax and Structure

An NWACL Rule is the smallest unit of control for enforcing an Access Control policy.

Each NWACL Rule is associated with a single VPC-Network and is automatically assigned an unmodifiable "ID" by the system when the Rule is created.

For each NWACL rule you can:

  • specify a Name
  • specify a Sequence number (any number between 1 and 999,999)
    • Sequence numbers determine the order in which rules are executed.
    • Lower Sequence numbers have higher priority and are executed first.
  • select either "Allow" or "Deny" for the network traffic
  • select either "Incoming" or "Outgoing" network traffic
  • select a Protocol: TCP, UDP or Ping (ICMP)
  • specify the application Port number (22, 80, 8080, etc.)
  • specify the Network IP(s) or Subnets.


The following image depicts sample NWACL rules for a network. It shows rules allowing ("Allow") both "incoming" and "outgoing" traffic.


Note: Since NWACL rules are primarily added to allow or deny network traffic from one network to another, in the case of "Allow" rules both the source and the target network need corresponding "Allow" rules for traffic to flow in and out.


Supported protocols and port ranges

Supported Protocols are:

  • TCP
  • UDP
  • ICMP (ping)

Supported Port range: 0 to 65535

Rule Evaluation Order and Priority

Each NWACL rule is associated with a Sequence number. A Sequence number can be any number between 1 and 999,999.

The order in which the NWACL rules associated with a VPC-Network are executed is determined by their Sequence numbers.

Rules with lower Sequence numbers have higher priority and are executed first. For example, in a VPC-Network with multiple NWACL rules, a rule with sequence number 1000 has higher priority and is executed before a rule with sequence number 1001.
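The following is an added example, not part of the product documentation, that models the rule fields and the sequence-number ordering described above, together with the stateless behaviour from the note on "Allow" rules. It assumes that the first matching rule in ascending sequence order decides, and that traffic matching no rule is denied; neither default is stated on this page, and the rule set and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    name: str
    sequence: int          # 1..999,999; lower number = higher priority
    action: str            # "Allow" or "Deny"
    direction: str         # "Incoming" or "Outgoing"
    protocol: str          # "TCP", "UDP" or "ICMP"
    port: Optional[int]    # 0..65535; None for ICMP (no port)
    network: str           # remote IP or subnet in CIDR form

    def __post_init__(self):
        # Enforce the documented value ranges at construction time.
        if not 1 <= self.sequence <= 999_999:
            raise ValueError("sequence must be between 1 and 999,999")
        if self.port is not None and not 0 <= self.port <= 65535:
            raise ValueError("port must be between 0 and 65535")

    def matches(self, direction, protocol, port, remote_ip):
        return (self.direction == direction and self.protocol == protocol
                and (self.port is None or self.port == port)
                and ip_address(remote_ip) in ip_network(self.network))


def evaluate(rules, direction, protocol, port, remote_ip):
    """Return "Allow" or "Deny" for one flow. Rules are checked in
    ascending sequence order and the first match decides; a flow that
    matches no rule is denied (assumed default, not stated on the page)."""
    for rule in sorted(rules, key=lambda r: r.sequence):
        if rule.matches(direction, protocol, port, remote_ip):
            return rule.action
    return "Deny"


# Constructed rule set: a broad Allow for SSH from an admin subnet, a
# lower-numbered Deny for one host in that subnet (it wins because it is
# executed first), and a separate Outgoing rule, which a stateless ACL
# needs before SSH reply traffic can leave the network.
RULES = [
    Rule("allow-ssh-in", 100, "Allow", "Incoming", "TCP", 22, "10.0.0.0/24"),
    Rule("block-one-host", 50, "Deny", "Incoming", "TCP", 22, "10.0.0.99/32"),
    Rule("allow-ssh-out", 110, "Allow", "Outgoing", "TCP", 22, "10.0.0.0/24"),
]
```

Dropping the "allow-ssh-out" rule shows the stateless effect: incoming SSH is still allowed, but the outgoing leg of the same session is denied.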

Operations on NWACL Rules

The following operations are permitted on NWACL Rules:

  • Add new Rule(s)
  • Copy an existing Rule to create a new Rule. The new Rule will automatically get a unique “ID” assigned to it.
  • Delete a Rule (Saved or Submitted).
  • Modify a non-Submitted Rule.
  • Save a modified Rule.
    • A “Saved” Rule does not get automatically applied to the associated VPC-Network.
    • A “Saved” Rule needs to be “Submitted” to get applied to the associated VPC-Network.
  • Submit a Rule
    • Once a Rule is “Submitted”, it gets immediately applied to the associated VPC-Network.
    • A “Submitted” Rule cannot be:
      • modified.
      • re-Submitted.
    • A “Submitted” Rule can be:
      • deleted.
      • copied to create a new un-Submitted and un-Saved Rule.