Updated on 2024-05-06 GMT+08:00

Network ACL Overview

A network ACL is an optional layer of security for your subnets. After you associate one or more subnets with a network ACL, you can control traffic in and out of the subnets.

Figure 1 shows how a network ACL works.

Figure 1 Security groups and network ACLs

Similar to security groups, network ACLs control access to subnets and add an additional layer of defense to your subnets. Security groups only have the "allow" rules, but network ACLs have both "allow" and "deny" rules. You can use network ACLs together with security groups to implement comprehensive and fine-grained access control.

What Is Access Control? summarizes the basic differences between security groups and network ACLs.

Network ACL Basics

  • Your VPC does not come with a network ACL, but you can create a network ACL and associate it with a VPC subnet if required. By default, each network ACL denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
  • You can associate a network ACL with multiple subnets. However, a subnet can only be associated with one network ACL at a time.
  • Each newly created network ACL is in the Inactive state until you associate subnets with it.
  • Network ACLs are stateful. If the network ACL rule allows outbound traffic and you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound network ACL rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.
  • Network ACLs use connection tracking to track traffic to and from instances. Changes to inbound and outbound rules do not take effect immediately for the existing traffic.

    If you add, modify, or delete a network ACL rule, or associate or disassociate a subnet with or from a network ACL, all the inbound and outbound persistent connections will not be disconnected. New rules will only be applied for the new connections.

After a persistent connection is disconnected, new connections will not be established immediately until the timeout period of connection tracking expires. For example, after an ICMP persistent connection is disconnected, a new connection will be established and a new rule will be applied when the timeout period (30s) expires.

  • The timeout period of connection tracking varies by protocol. The timeout period of a TCP connection in the established state is 600s, and that of an ICMP connection is 30s. For other protocols, if packets are received in both inbound and outbound directions, the connection tracking timeout period is 180s. If packets are received only in one direction, the connection tracking timeout period is 30s.
  • The timeout period of TCP connections varies by connection status. The timeout period of a TCP connection in the established state is 600s, and that of a TCP connection in the FIN-WAIT state is 30s.

Default Network ACL Rules

By default, each network ACL has preset rules that allow the following packets:

  • Packets whose source and destination are in the same subnet.
  • Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information.
  • Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols.
  • Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata.
  • Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16).
  • A network ACL denies all traffic in and out of a subnet excepting the preceding packets. Table 1 shows the default rules. You cannot modify or delete the default rules.
    Table 1 Default network ACL rules

    Direction

    Priority

    Action

    Protocol

    Source

    Destination

    Description

    Inbound

    *

    Deny

    All

    0.0.0.0/0

    0.0.0.0/0

    Denies all inbound traffic.

    Outbound

    *

    Deny

    All

    0.0.0.0/0

    0.0.0.0/0

    Denies all outbound traffic.

How Traffic Matches Network ACL Rules

A subnet can be bound to only one network ACL rule. When multiple rules exist, traffic is matched based on the rule priority. A smaller value indicates a higher priority. The default value is *, which has the lowest priority.

The following takes inbound traffic as an example to match security group rules.
  • If traffic matches a rule:
    • With Action set to Deny, the traffic is denied to flow into the subnet.
    • With Action set to Allow, the traffic is allowed to flow into the subnet.
  • If the traffic does not match any rule, the default rule applies and the traffic is denied to flow into the subnet.
Figure 2 Network ACL matching sequence

Application Scenarios

  • If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users.

    Solution: You can add network ACL rules to deny access from suspect IP addresses.

  • How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm?

    Solution: You can add network ACL rules to deny access traffic from a specific port and protocol, for example, TCP port 445.

  • No defense is required for the communication within a subnet, but access control is required for communication between subnets.

    Solution: You can add network ACL rules to control traffic between subnets.

  • For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance.

    Solution: A network ACL allows you to adjust the rule sequence so that frequently used rules are applied before other rules.

Configuration Procedure

Figure 3 shows the procedure for configuring a network ACL.

Figure 3 network ACL configuration procedure
  1. Create a network ACL by following the steps described in Creating a Network ACL.
  2. Add network ACL rules by following the steps described in Adding a Network ACL Rule (Default Effective Sequence).
  3. Associate subnets with the network ACL by following the steps described in Associating Subnets with a Network ACL. After subnets are associated with the network ACL, the subnets will be protected by the configured network ACL rules.

Notes and Constraints

  • By default, each account can have up to 200 network ACLs in a region.
  • A network ACL can contain no more than 100 rules in one direction, or performance will deteriorate.
  • A network ACL can have up to 124 rules to be associated with IP address groups in one direction.