Skip to content

NetworkAcl

Source: src/AWS/EC2/NetworkAcl.ts

A network ACL — a stateless firewall that controls inbound and outbound traffic at the subnet level, evaluated as an ordered list of numbered allow/deny rules.

Unlike security groups (which are stateful and attach to interfaces), a network ACL is associated with subnets and evaluates return traffic independently, so you typically pair each inbound rule with a matching ephemeral-port outbound rule. The ACL itself only takes vpcId and tags; the actual rules live in NetworkAclEntry resources and subnet attachments in NetworkAclAssociation resources. Changing vpcId replaces the ACL.

const acl = yield* AWS.EC2.NetworkAcl("PrivateNetworkAcl", {
vpcId: vpc.vpcId,
tags: { Name: "private-nacl" },
});

This creates an empty custom ACL in the VPC — it starts with only the implicit default-deny rules, so until you add entries it blocks all traffic on any subnet you associate with it.

A network ACL is only useful once you attach rules and point subnets at it. The typical pattern is one NetworkAcl, several NetworkAclEntry rules, and one NetworkAclAssociation per subnet.

const acl = yield* AWS.EC2.NetworkAcl("PrivateNetworkAcl", {
vpcId: vpc.vpcId,
});
const allowVpc = yield* AWS.EC2.NetworkAclEntry("AllowVpc", {
networkAclId: acl.networkAclId,
ruleNumber: 100,
protocol: "-1",
ruleAction: "allow",
egress: false,
cidrBlock: "10.0.0.0/16",
});
const association = yield* AWS.EC2.NetworkAclAssociation("SubnetAssoc", {
networkAclId: acl.networkAclId,
subnetId: privateSubnet.subnetId,
});

The entry allows all traffic from within the VPC CIDR and the association makes the subnet use this ACL instead of the VPC default. Build up the full rule set by adding more NetworkAclEntry resources with increasing ruleNumbers.