
Network ACLs for transit gateways in Amazon VPC Transit Gateways

A network access control list (NACL) is an optional layer of security.

Network access control list (NACL) rules are applied differently, depending on the scenario:

Same subnet for EC2 instances and transit gateway association

Consider a configuration where you have EC2 instances and a transit gateway association in the same subnet. The same network ACL is used for both the traffic from the EC2 instances to the transit gateway and traffic from the transit gateway to the instances.

NACL rules are applied as follows for traffic from instances to the transit gateway:

  • Outbound rules use the destination IP address for evaluation.

  • Inbound rules use the source IP address for evaluation.

NACL rules are applied as follows for traffic from the transit gateway to the instances:

  • Outbound rules are not evaluated.

  • Inbound rules are not evaluated.

Different subnets for EC2 instances and transit gateway association

Consider a configuration where you have EC2 instances in one subnet and a transit gateway association in a different subnet, and each subnet is associated with a different network ACL.

Network ACL rules are applied as follows for the EC2 instance subnet:

  • Outbound rules use the destination IP address to evaluate traffic from the instances to the transit gateway.

  • Inbound rules use the source IP address to evaluate traffic from the transit gateway to the instances.

NACL rules are applied as follows for the transit gateway subnet:

  • Outbound rules use the destination IP address to evaluate traffic from the transit gateway to the instances.

  • Outbound rules are not used to evaluate traffic from the instances to the transit gateway.

  • Inbound rules use the source IP address to evaluate traffic from the instances to the transit gateway.

  • Inbound rules are not used to evaluate traffic from the transit gateway to the instances.

Best Practices

Use a separate subnet for each transit gateway VPC attachment. For each subnet, use a small CIDR, for example /28, so that you have more addresses for EC2 resources. When you use a separate subnet, you can configure the following:

  • Keep the inbound and outbound rules of the NACL associated with the transit gateway subnets open.

  • Depending on your traffic flow, you can apply NACLs to your workload subnets.
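The best practice above (a dedicated, small attachment subnet whose NACL is open, with restrictive NACLs on the workload subnets) can be audited from the EC2 describe API output. The following is an added example, not code from AWS: it runs over constructed sample data shaped like the DescribeSubnets, DescribeTransitGatewayVpcAttachments, DescribeNetworkAcls and DescribeNetworkInterfaces responses (the subnet, ACL and attachment IDs are made up) and assumes the attachment's own interface is reported with InterfaceType "transit_gateway".

```python
import ipaddress

# Constructed sample data shaped like boto3 EC2 describe_* responses (not a real account).
SUBNETS = {"subnet-tgw-a": "10.0.0.0/28", "subnet-app-a": "10.0.1.0/24"}
TGW_ATTACHMENTS = [{"TransitGatewayAttachmentId": "tgw-attach-1",
                    "SubnetIds": ["subnet-tgw-a", "subnet-app-a"]}]
def rule(num, egress, action, proto="-1", cidr="0.0.0.0/0", ports=None):
    """Build one NACL entry dict in the describe_network_acls shape."""
    e = {"RuleNumber": num, "Egress": egress, "RuleAction": action,
         "Protocol": proto, "CidrBlock": cidr}
    if ports:
        e["PortRange"] = {"From": ports[0], "To": ports[1]}
    return e
NETWORK_ACLS = [  # acl-open allows everything; acl-app only permits TCP/443 inbound from 10/8
    {"NetworkAclId": "acl-open", "Associations": [{"SubnetId": "subnet-tgw-a"}],
     "Entries": [rule(100, False, "allow"), rule(100, True, "allow"),
                 rule(32767, False, "deny"), rule(32767, True, "deny")]},
    {"NetworkAclId": "acl-app", "Associations": [{"SubnetId": "subnet-app-a"}],
     "Entries": [rule(100, False, "allow", "6", "10.0.0.0/8", (443, 443)),
                 rule(32767, False, "deny"), rule(32767, True, "deny")]},
]
INTERFACES = [{"SubnetId": "subnet-tgw-a", "InterfaceType": "transit_gateway"},
              {"SubnetId": "subnet-app-a", "InterfaceType": "transit_gateway"},
              {"SubnetId": "subnet-app-a", "InterfaceType": "interface"}]

def direction_is_open(entries, egress):
    """True if the lowest-numbered rule in this direction allows all traffic (first match wins)."""
    rules = sorted((e for e in entries if e["Egress"] == egress), key=lambda e: e["RuleNumber"])
    if not rules:
        return False
    first = rules[0]
    return (first["RuleAction"] == "allow" and first["Protocol"] == "-1"
            and first.get("CidrBlock") == "0.0.0.0/0" and "PortRange" not in first)

def check_attachment_subnets(attachments, subnets, acls, enis, max_prefixlen=28):
    """Return {subnet_id: [findings]} for each subnet used by a transit gateway VPC attachment."""
    acl_by_subnet = {a["SubnetId"]: acl for acl in acls for a in acl["Associations"]}
    findings = {}
    for att in attachments:
        for sid in att["SubnetIds"]:
            issues = []
            if ipaddress.ip_network(subnets[sid]).prefixlen < max_prefixlen:
                issues.append(f"CIDR {subnets[sid]} is larger than /{max_prefixlen}")
            if any(e["SubnetId"] == sid and e["InterfaceType"] != "transit_gateway" for e in enis):
                issues.append("subnet also hosts non-transit-gateway network interfaces")
            acl = acl_by_subnet.get(sid)
            if acl is None or not all(direction_is_open(acl["Entries"], eg) for eg in (False, True)):
                issues.append("NACL does not allow all inbound and outbound traffic")
            findings[sid] = issues
    return findings
```

In the sample data the dedicated /28 subnet passes cleanly, while the shared /24 workload subnet is flagged on all three points.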

For more information about how VPC attachments work, see Resource attachments.

© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.