Network ACL rules - Amazon Virtual Private Cloud

Network ACL rules

You can add or remove rules from the default network ACL, or create additional network ACLs for your VPC. When you add or remove rules from a network ACL, the changes are automatically applied to the subnets that it's associated with.

The following are the parts of a network ACL rule:

  • Rule number. Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it.

  • Type. The type of traffic; for example, SSH. You can also specify all traffic or a custom range.

  • Protocol. You can specify any protocol that has a standard protocol number. For more information, see Protocol Numbers. If you specify ICMP as the protocol, you can specify any or all of the ICMP types and codes.

  • Port range. The listening port or port range for the traffic. For example, 80 for HTTP traffic.

  • Source. [Inbound rules only] The source of the traffic (CIDR range).

  • Destination. [Outbound rules only] The destination for the traffic (CIDR range).

  • Allow/Deny. Whether to allow or deny the specified traffic.

If you add a rule using a command line tool or the Amazon EC2 API, the CIDR range is automatically modified to its canonical form. For example, if you specify 100.68.0.18/18 for the CIDR range, we create a rule with a 100.68.0.0/18 CIDR range.