
Network ACL

Create a Network ACL and Rules

Network ACLs may optionally be created by defining the value of the network_acls attribute as a map object within a VPC defined in the vpcs variable. Rules may optionally be created by defining values for the rules attribute within a network ACL. See below for an example:

Note: The example below does not represent a complete VPC configuration.

vpcs = {
    SharedInfra = {
        ...
        # One network ACL per map key; the key ("DevACL") is what a subnet's
        # network_acl attribute references when the ACL is attached.
        network_acls = {
            DevACL = {
                # Rule keys are labels only; evaluation order is decided by
                # rule_number (lowest first, first match wins), so leave gaps
                # between numbers to allow later insertions.
                rules = {
                    Allow_All_Outbound = {
                        rule_number = 100
                        protocol = "-1"           # -1 = all protocols
                        rule_action = "allow"
                        egress = true             # outbound rule
                        cidr_block = "0.0.0.0/0"  # any destination
                    }
                    Allow_ICMP_Inbound = {
                        rule_number = 110
                        protocol = "icmp"
                        rule_action = "allow"
                        egress = false            # inbound rule
                        icmp_type = -1            # -1 = all ICMP types
                        icmp_code = -1            # -1 = all ICMP codes
                        cidr_block = "0.0.0.0/0"  # any source; narrow to known
                                                  # ranges if only internal
                                                  # reachability checks are needed
                    }
                    # Network ACLs are stateless: return traffic for outbound
                    # connections is not tracked, so the ephemeral port range
                    # must be explicitly allowed inbound for replies to arrive.
                    Allow_Ephemeral_Ports_Inbound = {
                        rule_number = 120
                        protocol = "tcp"
                        rule_action = "allow"
                        egress = false
                        from_port = 32768         # start of ephemeral range
                        to_port = 65535           # end of ephemeral range
                        cidr_block = "0.0.0.0/0"  # any source (required for
                                                  # replies from the internet)
                    }
                }
            }
        }
        ...
    }
}

Attach a Network ACL to a Subnet

Network ACLs may optionally be attached to subnets by defining the value of the network_acl attribute within a subnet defined in the subnets attribute of a VPC. The value of the network_acl attribute should be the key of a network ACL defined in the network_acls attribute of the same VPC. See below for an example:

Note: The example below does not represent a complete VPC configuration.

vpcs = {
    SharedInfra = {
        ...
        subnets = {
            # network_acl must equal a key of network_acls in this same VPC
            # ("DevACL" here); a mismatched key leaves the attachment undefined.
            SharedInfraPrivateAZ1 = {
                zone = "us-west-2a"
                block = "10.248.13.0/26"
                route_table = "ngwaz1"
                network_acl = "DevACL"
            }
            SharedInfraPrivateAZ2 = {
                zone = "us-west-2b"
                block = "10.248.13.64/26"
                route_table = "ngwaz2"
                network_acl = "DevACL"
            }
            # NOTE(review): the public (igw-routed) subnets below share the same
            # ACL as the private ones; consider a separate, tighter ACL for
            # internet-facing subnets if the private rule set is broader than
            # those subnets need.
            SharedInfraPublicAZ1 = {
                zone = "us-west-2a"
                block = "10.248.13.128/26"
                route_table = "igw"
                network_acl = "DevACL"
            }
            SharedInfraPublicAZ2 = {
                zone = "us-west-2b"
                block = "10.248.13.192/26"
                route_table = "igw"
                network_acl = "DevACL"
            }
        }
        ...
    }
}