NetworkAcl
Source:
src/AWS/EC2/NetworkAcl.ts
A network ACL — a stateless firewall that controls inbound and outbound traffic at the subnet level, evaluated as an ordered list of numbered allow/deny rules.
Unlike security groups (which are stateful and attach to interfaces), a
network ACL is associated with subnets and evaluates return traffic
independently, so you typically pair each inbound rule with a matching
ephemeral-port outbound rule. The ACL itself only takes vpcId and tags;
the actual rules live in NetworkAclEntry resources and subnet attachments
in NetworkAclAssociation resources. Changing vpcId replaces the ACL.
Creating Network ACLs
Section titled “Creating Network ACLs”const acl = yield* AWS.EC2.NetworkAcl("PrivateNetworkAcl", { vpcId: vpc.vpcId, tags: { Name: "private-nacl" },});This creates an empty custom ACL in the VPC — it starts with only the implicit default-deny rules, so until you add entries it blocks all traffic on any subnet you associate with it.
Composing Rules and Associations
Section titled “Composing Rules and Associations”A network ACL is only useful once you attach rules and point subnets at it.
The typical pattern is one NetworkAcl, several NetworkAclEntry rules, and
one NetworkAclAssociation per subnet.
const acl = yield* AWS.EC2.NetworkAcl("PrivateNetworkAcl", { vpcId: vpc.vpcId,});
const allowVpc = yield* AWS.EC2.NetworkAclEntry("AllowVpc", { networkAclId: acl.networkAclId, ruleNumber: 100, protocol: "-1", ruleAction: "allow", egress: false, cidrBlock: "10.0.0.0/16",});
const association = yield* AWS.EC2.NetworkAclAssociation("SubnetAssoc", { networkAclId: acl.networkAclId, subnetId: privateSubnet.subnetId,});The entry allows all traffic from within the VPC CIDR and the association
makes the subnet use this ACL instead of the VPC default. Build up the full
rule set by adding more NetworkAclEntry resources with increasing
ruleNumbers.