Amazon Virtual Private Cloud
User Guide

Recommended Network ACL Rules for Your VPC

The VPC wizard helps you implement common scenarios for Amazon VPC. If you implement these scenarios as described in the documentation, you'll use the default network access control list (ACL), which allows all inbound and outbound traffic. If you need an additional layer of security, you can create a network ACL and add rules. We recommend the following rules for each scenario.

For more information about network ACLs and how to use them, see Network ACLs.

Important

We use the ephemeral port range 49152-65535 as an example, or 1024-65535 for a NAT gateway. You must select a range that is appropriate for your configuration. For more information, see Ephemeral Ports.

Recommended Rules for Scenario 1

Scenario 1 is a single subnet with instances that can receive and send Internet traffic. For more information, see Scenario 1: VPC with a Single Public Subnet.

The following tables show the rules we recommend. They block all traffic except that which is explicitly required.

Inbound

| Rule # | Source IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic from anywhere |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic from anywhere |
| 120 | Public IP address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic from your home network (over the Internet gateway) |
| 130 | Public IP address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic from your home network (over the Internet gateway) |
| 140 | 0.0.0.0/0 | TCP | 49152-65535 | ALLOW | Allows inbound return traffic from requests originating in the subnet. This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all inbound traffic not already handled by a preceding rule (not modifiable) |

Outbound

| Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet |
| 120 | 0.0.0.0/0 | TCP | 49152-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all outbound traffic not already handled by a preceding rule (not modifiable) |
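Network ACLs are stateless, so a single web request is checked twice: the client's packet against the inbound list, and the server's reply against the outbound list, where the reply's destination port is whatever source port the client happened to pick. The following is an added example, not code from the AWS guide, that encodes the Scenario 1 rules above and evaluates them the way network ACLs do (ascending rule number, first match decides, the non-modifiable * rule last). The home network CIDR 203.0.113.0/24, the client address 198.51.100.7 and the client source ports are constructed placeholders; it also shows why the Important note asks you to pick an ephemeral range that matches your clients, since a reply to a client port below 49152 is dropped by this rule set.

```python
"""Stateless evaluation of the Scenario 1 network ACL rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed placeholder for "Public IP address range of your home network".
HOME_NETWORK = "203.0.113.0/24"
ANY = "0.0.0.0/0"
EPHEMERAL = (49152, 65535)  # the guide's example ephemeral range


@dataclass(frozen=True)
class Rule:
    number: int                        # evaluated lowest first; 32767 stands for the '*' rule
    cidr: str                          # source (inbound) or destination (outbound) CIDR
    protocol: str                      # "tcp" or "all"
    ports: Optional[Tuple[int, int]]   # inclusive destination port range, None for all ports
    action: str                        # "ALLOW" or "DENY"

    def matches(self, ip: str, protocol: str, port: int) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if self.ports is not None and not (self.ports[0] <= port <= self.ports[1]):
            return False
        return ip_address(ip) in ip_network(self.cidr)


def evaluate(rules: List[Rule], ip: str, protocol: str, port: int) -> str:
    """The first rule (by ascending number) that matches the packet decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, protocol, port):
            return rule.action
    return "DENY"  # unreachable while the '*' rule is present; kept as a safe default


SCENARIO1_INBOUND = [
    Rule(100, ANY, "tcp", (80, 80), "ALLOW"),
    Rule(110, ANY, "tcp", (443, 443), "ALLOW"),
    Rule(120, HOME_NETWORK, "tcp", (22, 22), "ALLOW"),
    Rule(130, HOME_NETWORK, "tcp", (3389, 3389), "ALLOW"),
    Rule(140, ANY, "tcp", EPHEMERAL, "ALLOW"),
    Rule(32767, ANY, "all", None, "DENY"),
]
SCENARIO1_OUTBOUND = [
    Rule(100, ANY, "tcp", (80, 80), "ALLOW"),
    Rule(110, ANY, "tcp", (443, 443), "ALLOW"),
    Rule(120, ANY, "tcp", EPHEMERAL, "ALLOW"),
    Rule(32767, ANY, "all", None, "DENY"),
]


def inbound(src_ip: str, protocol: str, dst_port: int) -> str:
    return evaluate(SCENARIO1_INBOUND, src_ip, protocol, dst_port)


def outbound(dst_ip: str, protocol: str, dst_port: int) -> str:
    return evaluate(SCENARIO1_OUTBOUND, dst_ip, protocol, dst_port)


def web_exchange(client_ip: str, client_port: int) -> Tuple[str, str]:
    """Both halves of a client -> web server request on port 80.

    The ACL keeps no connection state, so the reply is judged on its own
    against the outbound list, using the client's source port as destination.
    """
    request = inbound(client_ip, "tcp", 80)
    reply = outbound(client_ip, "tcp", client_port)
    return request, reply


if __name__ == "__main__":
    # Constructed client 198.51.100.7 (TEST-NET-2), two different source ports.
    print(web_exchange("198.51.100.7", 50000))  # ('ALLOW', 'ALLOW')
    print(web_exchange("198.51.100.7", 40000))  # ('ALLOW', 'DENY'): reply port outside 49152-65535
    print(inbound("198.51.100.7", "tcp", 22))   # DENY: SSH only from the home network range
    print(inbound("203.0.113.25", "tcp", 22))   # ALLOW
```

The second call is the failure mode the Important note warns about: many client operating systems use source ports starting well below 49152, and with the example range their connections complete the handshake inbound but never receive the reply.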

Recommended Rules for Scenario 2

Scenario 2 is a public subnet with instances that can receive and send Internet traffic, and a private subnet that can't receive traffic directly from the Internet. However, it can initiate traffic to the Internet (and receive responses) through a NAT gateway or NAT instance in the public subnet. For more information, see Scenario 2: VPC with Public and Private Subnets (NAT).

For this scenario you have a network ACL for the public subnet, and a separate one for the private subnet. The following table shows the rules we recommend for each ACL. They block all traffic except that which is explicitly required. They mostly mimic the security group rules for the scenario.

ACL Rules for the Public Subnet

Inbound

| Rule # | Source IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic from anywhere |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic from anywhere |
| 120 | Public IP address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic from your home network (over the Internet gateway) |
| 130 | Public IP address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic from your home network (over the Internet gateway) |
| 140 | 0.0.0.0/0 | TCP | 1024-65535 | ALLOW | Allows inbound return traffic from requests originating in the subnet. This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all inbound traffic not already handled by a preceding rule (not modifiable) |

Outbound

| Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet |
| 120 | 10.0.1.0/24 | TCP | 1433 | ALLOW | Allows outbound MS SQL access to database servers in the private subnet |
| 130 | 10.0.1.0/24 | TCP | 3306 | ALLOW | Allows outbound MySQL access to database servers in the private subnet |
| 140 | 0.0.0.0/0 | TCP | 49152-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| 150 | 10.0.1.0/24 | TCP | 22 | ALLOW | Allows outbound SSH access to instances in your private subnet (from the SSH bastion) |
| * | 0.0.0.0/0 | all | all | DENY | Denies all outbound traffic not already handled by a preceding rule (not modifiable) |


ACL Rules for the Private Subnet

Inbound

| Rule # | Source IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 10.0.0.0/24 | TCP | 1433 | ALLOW | Allows web servers in the public subnet to read and write to MS SQL servers in the private subnet |
| 110 | 10.0.0.0/24 | TCP | 3306 | ALLOW | Allows web servers in the public subnet to read and write to MySQL servers in the private subnet |
| 120 | 10.0.0.0/24 | TCP | 22 | ALLOW | Allows inbound SSH traffic from the SSH bastion in the public subnet |
| 130 | 10.0.0.0/24 | TCP | 3389 | ALLOW | Allows inbound RDP traffic from the Microsoft Terminal Services gateway in the public subnet |
| 140 | 0.0.0.0/0 | TCP | 1024-65535 | ALLOW | Allows inbound return traffic from the NAT device in the public subnet for requests originating in the private subnet. See the important note at the beginning of this topic about specifying the correct ephemeral ports. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all inbound traffic not already handled by a preceding rule (not modifiable) |

Outbound

| Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet |
| 120 | 10.0.0.0/24 | TCP | 49152-65535 | ALLOW | Allows outbound responses to the public subnet (for example, responses to web servers in the public subnet that are communicating with DB servers in the private subnet). This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all outbound traffic not already handled by a preceding rule (not modifiable) |


Recommended Rules for Scenario 3

Scenario 3 is a public subnet with instances that can receive and send Internet traffic, and a VPN-only subnet with instances that can communicate only with your home network over the VPN connection. For more information, see Scenario 3: VPC with Public and Private Subnets and Hardware VPN Access.

For this scenario you have a network ACL for the public subnet, and a separate one for the VPN-only subnet. The following table shows the rules we recommend for each ACL. They block all traffic except that which is explicitly required.

ACL Rules for the Public Subnet

Inbound

| Rule # | Source IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows inbound HTTP traffic to the web servers from anywhere |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows inbound HTTPS traffic to the web servers from anywhere |
| 120 | Public IP address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic to the web servers from your home network (over the Internet gateway) |
| 130 | Public IP address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic to the web servers from your home network (over the Internet gateway) |
| 140 | 0.0.0.0/0 | TCP | 49152-65535 | ALLOW | Allows inbound return traffic from requests originating in the subnet. This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all inbound traffic not already handled by a preceding rule (not modifiable) |

Outbound

| Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 0.0.0.0/0 | TCP | 80 | ALLOW | Allows outbound HTTP traffic from the subnet to the Internet |
| 110 | 0.0.0.0/0 | TCP | 443 | ALLOW | Allows outbound HTTPS traffic from the subnet to the Internet |
| 120 | 10.0.1.0/24 | TCP | 1433 | ALLOW | Allows outbound MS SQL access to database servers in the VPN-only subnet |
| 130 | 10.0.1.0/24 | TCP | 3306 | ALLOW | Allows outbound MySQL access to database servers in the VPN-only subnet |
| 140 | 0.0.0.0/0 | TCP | 49152-65535 | ALLOW | Allows outbound responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet). This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all outbound traffic not already handled by a preceding rule (not modifiable) |


ACL Rules for the VPN-Only Subnet

Inbound

| Rule # | Source IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | 10.0.0.0/24 | TCP | 1433 | ALLOW | Allows web servers in the public subnet to read and write to MS SQL servers in the VPN-only subnet |
| 110 | 10.0.0.0/24 | TCP | 3306 | ALLOW | Allows web servers in the public subnet to read and write to MySQL servers in the VPN-only subnet |
| 120 | Private IP address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic from the home network (over the virtual private gateway) |
| 130 | Private IP address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic from the home network (over the virtual private gateway) |
| 140 | Private IP address range of your home network | TCP | 49152-65535 | ALLOW | Allows inbound return traffic from clients in the home network (over the virtual private gateway). This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all inbound traffic not already handled by a preceding rule (not modifiable) |

Outbound

| Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | Private IP address range of your home network | All | All | ALLOW | Allows all outbound traffic from the subnet to your home network (over the virtual private gateway). This rule also covers rule 120; however, you can make this rule more restrictive by using a specific protocol type and port number. If you make this rule more restrictive, then you must include rule 120 in your network ACL to ensure that outbound responses are not blocked. |
| 110 | 10.0.0.0/24 | TCP | 49152-65535 | ALLOW | Allows outbound responses to the web servers in the public subnet. See the important note at the beginning of this topic about specifying the correct ephemeral ports. |
| 120 | Private IP address range of your home network | TCP | 49152-65535 | ALLOW | Allows outbound responses to clients in the home network (over the virtual private gateway). This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all outbound traffic not already handled by a preceding rule (not modifiable) |


Recommended Rules for Scenario 4

Scenario 4 is a single subnet with instances that can communicate only with your home network over a VPN connection. For more information, see Scenario 4: VPC with a Private Subnet Only and Hardware VPN Access.

The following tables show the rules we recommend. They block all traffic except that which is explicitly required.

Inbound

| Rule # | Source IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | Private IP address range of your home network | TCP | 22 | ALLOW | Allows inbound SSH traffic to the subnet from your home network |
| 110 | Private IP address range of your home network | TCP | 3389 | ALLOW | Allows inbound RDP traffic to the subnet from your home network |
| 120 | Private IP address range of your home network | TCP | 49152-65535 | ALLOW | Allows inbound return traffic from requests originating in the subnet. This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all inbound traffic not already handled by a preceding rule (not modifiable) |

Outbound

| Rule # | Dest IP | Protocol | Port | Allow/Deny | Comments |
|---|---|---|---|---|---|
| 100 | Private IP address range of your home network | All | All | ALLOW | Allows all outbound traffic from the subnet to your home network. This rule also covers rule 120; however, you can make this rule more restrictive by using a specific protocol type and port number. If you make this rule more restrictive, then you must include rule 120 in your network ACL to ensure that outbound responses are not blocked. |
| 120 | Private IP address range of your home network | TCP | 49152-65535 | ALLOW | Allows outbound responses to clients in the home network. This range is an example only; see Ephemeral Ports for information about choosing the correct ephemeral ports for your configuration. |
| * | 0.0.0.0/0 | all | all | DENY | Denies all outbound traffic not already handled by a preceding rule (not modifiable) |
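The comment on outbound rule 100 in the VPN-only tables for Scenario 3 and Scenario 4 describes a rule that completely covers a later one: as long as rule 100 allows all protocols and ports to the home network, rule 120 is never reached, and it only starts to matter once rule 100 is narrowed. The following is an added example, not code from the AWS guide, that checks an ACL for rules masked by a lower-numbered rule (a later rule is masked when its CIDR, protocol and port range are all contained in an earlier rule's). It runs the check over the Scenario 4 outbound rules as listed, and over a constructed variant in which rule 100 has been tightened to TCP 443; the home network range 192.168.0.0/16 is a constructed placeholder.

```python
"""Find network ACL rules that are fully covered by a lower-numbered rule (added example)."""
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional, Tuple

# Constructed placeholder for "Private IP address range of your home network".
HOME_NETWORK = "192.168.0.0/16"
ANY = "0.0.0.0/0"
EPHEMERAL = (49152, 65535)  # the guide's example ephemeral range


@dataclass(frozen=True)
class Rule:
    number: int                        # evaluated lowest first; 32767 stands for the '*' rule
    cidr: str                          # destination CIDR for an outbound rule
    protocol: str                      # "tcp" or "all"
    ports: Optional[Tuple[int, int]]   # inclusive port range, None for all ports
    action: str                        # "ALLOW" or "DENY"


def covers(earlier: Rule, later: Rule) -> bool:
    """True when every packet `later` could match is already matched by `earlier`.

    Rules are evaluated in ascending order and the first match decides, so a
    later rule that is covered in this sense is never consulted.
    """
    if earlier.protocol != "all" and earlier.protocol != later.protocol:
        return False
    if earlier.ports is not None:
        if later.ports is None:
            return False
        if not (earlier.ports[0] <= later.ports[0] and later.ports[1] <= earlier.ports[1]):
            return False
    return ip_network(later.cidr).subnet_of(ip_network(earlier.cidr))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[int, int]]:
    """Return (covering rule number, covered rule number) pairs in rule order."""
    ordered = sorted(rules, key=lambda r: r.number)
    found = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if covers(earlier, later):
                found.append((earlier.number, later.number))
                break  # the lowest-numbered covering rule is the one that wins
    return found


STAR = Rule(32767, ANY, "all", None, "DENY")  # the non-modifiable '*' rule

# Scenario 4 outbound rules exactly as the guide lists them.
SCENARIO4_OUTBOUND = [
    Rule(100, HOME_NETWORK, "all", None, "ALLOW"),
    Rule(120, HOME_NETWORK, "tcp", EPHEMERAL, "ALLOW"),
    STAR,
]

# Constructed variant: rule 100 narrowed to one protocol and port, as the guide
# says you may do. Rule 120 is no longer covered and must stay in the ACL.
SCENARIO4_OUTBOUND_RESTRICTED = [
    Rule(100, HOME_NETWORK, "tcp", (443, 443), "ALLOW"),
    Rule(120, HOME_NETWORK, "tcp", EPHEMERAL, "ALLOW"),
    STAR,
]

if __name__ == "__main__":
    print(shadowed_rules(SCENARIO4_OUTBOUND))             # [(100, 120)]
    print(shadowed_rules(SCENARIO4_OUTBOUND_RESTRICTED))  # []
```

A rule reported by this check is harmless on its own, but it is the one to keep an eye on during later changes: the guide's advice to retain rule 120 when narrowing rule 100 is exactly the case where a previously masked rule becomes the only thing letting responses out.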