Network ACL Tests - Custom ACLs

[nephomaniac]

Add tests per these points...
The following table shows an example of a custom network ACL for a VPC that supports IPv4 only. It includes rules that allow HTTP and HTTPS traffic in (inbound rules 100 and 110). There's a corresponding outbound rule that enables responses to that inbound traffic (outbound rule 120, which covers ephemeral ports 49152-65535). For more information about how to select the appropriate ephemeral port range, see Ephemeral Ports.

The network ACL also includes inbound rules that allow SSH and RDP traffic into the subnet. The outbound rule 120 enables responses to egress the subnet.

The network ACL has outbound rules (100 and 110) that allow outbound HTTP and HTTPS traffic out of the subnet. There's a corresponding inbound rule that enables responses to that outbound traffic (inbound rule 140, which covers ephemeral ports 49152-65535).

Note
Each network ACL includes a default rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other rules, it's denied. You can't modify or remove this rule.
Inbound
Rule # Type Protocol Port Range Source Allow/Deny Comments
100
HTTP
TCP
80
0.0.0.0/0
ALLOW
Allows inbound HTTP traffic from any IPv4 address.
110
HTTPS
TCP
443
0.0.0.0/0
ALLOW
Allows inbound HTTPS traffic from any IPv4 address.
120
SSH
TCP
22
192.0.2.0/24
ALLOW
Allows inbound SSH traffic from your home network's public IPv4 address range (over the Internet gateway).
130
RDP
TCP
3389
192.0.2.0/24
ALLOW
Allows inbound RDP traffic to the web servers from your home network's public IPv4 address range (over the Internet gateway).
140
Custom TCP
TCP
49152-65535
0.0.0.0/0
ALLOW
Allows inbound return IPv4 traffic from the Internet (that is, for requests that originate in the subnet).

For more information about how to select the appropriate ephemeral port range, see Ephemeral Ports.
*
All traffic
All
All
0.0.0.0/0
DENY
Denies all inbound IPv4 traffic not already handled by a preceding rule (not modifiable).
Outbound
Rule # Type Protocol Port Range Destination Allow/Deny Comments
100
HTTP
TCP
80
0.0.0.0/0
ALLOW
Allows outbound IPv4 HTTP traffic from the subnet to the Internet.
110
HTTPS
TCP
443
0.0.0.0/0
ALLOW
Allows outbound IPv4 HTTPS traffic from the subnet to the Internet.
120
Custom TCP
TCP
49152-65535
0.0.0.0/0
ALLOW
Allows outbound IPv4 responses to clients on the Internet (for example, serving web pages to people visiting the web servers in the subnet).

For more information about how to select the appropriate ephemeral port range, see Ephemeral Ports.
*
All traffic
All
All
0.0.0.0/0
DENY
Denies all outbound IPv4 traffic not already handled by a preceding rule (not modifiable).
As a packet comes to the subnet, we evaluate it against the ingress rules of the ACL the subnet is associated with (starting at the top of the list of rules, and moving to the bottom). Here's how the evaluation goes if the packet is destined for the SSL port (443). The packet doesn't match the first rule evaluated (rule 100). It does match the second rule (110), which allows the packet into the subnet. If the packet had been destined for port 139 (NetBIOS), the first two rules would not have matched, but the * rule ultimately would have denied the packet.

You might want to add a DENY rule in a situation where you legitimately need to open a wide range of ports, but there are certain ports within that range you want to deny. Just make sure to place the DENY rule earlier in the table than the rule that allows the wide range of port traffic.

Important
With Elastic Load Balancing, if the subnet for your back-end instances has a network ACL in which you've added a DENY rule for all traffic with a source of 0.0.0.0/0 or the subnet's CIDR, then your load balancer can't carry out health checks on the instances. For more information about the recommended network ACL rules for your load balancers and back-end instances, see Network ACLs for Load Balancers in a VPC in the Classic Load Balancer Guide.
The following table shows the same example of a custom network ACL for a VPC that has an associated IPv6 CIDR block. This network ACL includes rules for all IPv6 HTTP and HTTPS traffic. In this case, new rules were inserted between the existing rules for IPv4 traffic; however, you can also add the rules as higher number rules after the IPv4 rules. IPv4 and IPv6 traffic are separate; therefore, none of the rules for the IPv4 traffic apply to the IPv6 traffic.