## Network ACLs
Network Access Control Lists (ACLs) act as a stateless firewall for controlling traffic in and out of subnets (tiers) within a [[VPC]]. Unlike Security Groups, which operate at the instance level, Network ACLs apply to all traffic entering or leaving a subnet.
### Key Characteristics
- **Stateless**: Responses to allowed inbound traffic are subject to outbound rules (and vice versa). You must explicitly allow return traffic (e.g., ephemeral ports).
- **Subnet-Level**: Rules apply to the entire subnet, affecting all instances within it.
- **Ordered Evaluation**: Rules are processed in numerical order (lowest number first). The first matching rule determines the action (Allow/Deny).
- **Default Deny**: By default, a new ACL list denies all traffic until rules are added.
### Creating an ACL List
1. Navigate to **Network > Network ACL Lists**.
2. Click **Add ACL List**.
3. **Name**: Provide a descriptive name (e.g., "Web-Public-Inbound").
4. **VPC**: Select the VPC where this list will be used.
### Adding Rules
Once the list is created, click on it to add rules:
- **Number**: The priority (1-999). Lower numbers are evaluated first.
- **CIDR**: The source IP range for Ingress (e.g., `0.0.0.0/0` for internet) or destination for Egress.
- **Action**: **Allow** or **Deny**.
- **Protocol**: TCP, UDP, ICMP, or All.
- **Port Range**: A single port (e.g., `80`) or a range (e.g., `1024-65535`).
- **Traffic Type**: Ingress (Inbound) or Egress (Outbound).
### Example Configuration: Web Tier
**Ingress Rules:**
1. **Prio 100**: Allow TCP 80 from `0.0.0.0/0` (HTTP)
2. **Prio 110**: Allow TCP 443 from `0.0.0.0/0` (HTTPS)
3. **Prio 120**: Allow TCP 22 from `YOUR_OFFICE_IP/32` (SSH Management)
**Egress Rules:**
1. **Prio 100**: Allow TCP 1024-65535 to `0.0.0.0/0` (Ephemeral return traffic)
2. **Prio 110**: Allow TCP 80/443 to `0.0.0.0/0` (Software updates)
3. **Prio 120**: Allow UDP/TCP 53 to `0.0.0.0/0` (DNS resolution)
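To make the ordered, first-match, stateless evaluation described above concrete, here is a small added simulator (not part of this page or of the cloud platform) loaded with the web-tier rules. It assumes a placeholder office address `203.0.113.10` and splits the combined "80/443" and "UDP/TCP 53" entries into one rule per protocol and port range, since that is all a single rule can hold.

```python
from ipaddress import ip_address, ip_network

# Rule tuple: (number, direction, action, protocol, cidr, port_lo, port_hi).
# Ingress matches the CIDR against the packet's source, egress against its
# destination. A rule holds one protocol and one port range, so the page's
# combined entries (TCP 80/443, UDP/TCP 53) become two rules each.
# The office address is a placeholder from the documentation range.
WEB_TIER_RULES = [
    (100, "ingress", "allow", "tcp", "0.0.0.0/0", 80, 80),         # HTTP
    (110, "ingress", "allow", "tcp", "0.0.0.0/0", 443, 443),       # HTTPS
    (120, "ingress", "allow", "tcp", "203.0.113.10/32", 22, 22),   # SSH from office
    (100, "egress", "allow", "tcp", "0.0.0.0/0", 1024, 65535),     # ephemeral replies
    (110, "egress", "allow", "tcp", "0.0.0.0/0", 80, 80),          # updates (HTTP)
    (111, "egress", "allow", "tcp", "0.0.0.0/0", 443, 443),        # updates (HTTPS)
    (120, "egress", "allow", "udp", "0.0.0.0/0", 53, 53),          # DNS
    (121, "egress", "allow", "tcp", "0.0.0.0/0", 53, 53),          # DNS over TCP
]

def evaluate(rules, direction, protocol, remote_ip, port):
    """Return (action, matched rule number). Rules of the requested direction
    are tried lowest number first and the first match decides; a packet that
    matches nothing falls through to the default deny (number None)."""
    addr = ip_address(remote_ip)
    for number, _, action, proto, cidr, lo, hi in sorted(
            r for r in rules if r[1] == direction):
        if proto in ("all", protocol) and addr in ip_network(cidr) and lo <= port <= hi:
            return action, number
    return "deny", None

def tcp_session_permitted(rules, client_ip, client_port, server_port):
    """Stateless check: the request (ingress, destination port = service port)
    and its reply (egress, destination port = client's port) are matched
    independently; both must be allowed for the connection to work."""
    inbound, _ = evaluate(rules, "ingress", "tcp", client_ip, server_port)
    outbound, _ = evaluate(rules, "egress", "tcp", client_ip, client_port)
    return inbound == "allow" and outbound == "allow"

def block_cidr(rules, cidr, number):
    """Add an ingress deny for a CIDR. Because the first match wins, the deny
    only takes effect if its number is lower than the allows it should beat."""
    return rules + [(number, "ingress", "deny", "all", cidr, 1, 65535)]

if __name__ == "__main__":
    print(tcp_session_permitted(WEB_TIER_RULES, "198.51.100.7", 51000, 80))  # True
    print(tcp_session_permitted(WEB_TIER_RULES, "198.51.100.7", 1023, 80))   # False: no egress rule for port 1023
    print(evaluate(WEB_TIER_RULES, "ingress", "tcp", "198.51.100.7", 22))     # ('deny', None)
    print(evaluate(block_cidr(WEB_TIER_RULES, "198.51.100.0/24", 50), "ingress", "tcp", "198.51.100.7", 80))   # ('deny', 50)
    print(evaluate(block_cidr(WEB_TIER_RULES, "198.51.100.0/24", 130), "ingress", "tcp", "198.51.100.7", 80))  # ('allow', 100)
```

The last two calls show why rule numbering matters: a deny placed at 130 never fires for HTTP because the allow at 100 matches first, so blocking a range requires a lower number than the allows it should override.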
### Associating with a Network
To apply the rules:
1. Navigate to **Network > VPC**.
2. Select your VPC and go to the **Networks** tab.
3. Edit the desired Tier (Subnet).
4. Change the **ACL** dropdown to your new list.
5. Save. The changes apply immediately.