Working with AWS Network ACLs via the AWS CLI

- networking aws

This post is part of my note taking while studying for the AWS Certified Advanced Networking - Specialty certification.

Create a Network ACL

$ aws ec2 create-network-acl --vpc-id vpc-5c1a213b

Output:

{
    "NetworkAcl": {
        "Associations": [],
        "NetworkAclId": "acl-498df92f",
        "VpcId": "vpc-5c1a213b",
        "Tags": [],
        "Entries": [
            {
                "CidrBlock": "0.0.0.0/0",
                "RuleNumber": 32767,
                "Protocol": "-1",
                "Egress": true,
                "RuleAction": "deny"
            },
            {
                "CidrBlock": "0.0.0.0/0",
                "RuleNumber": 32767,
                "Protocol": "-1",
                "Egress": false,
                "RuleAction": "deny"
            }
        ],
        "IsDefault": false
    }
}

Describe a Network ACL

$ aws ec2 describe-network-acls --network-acl-id acl-498df92f

Output:

{
    "NetworkAcls": [
        {
            "Associations": [],
            "NetworkAclId": "acl-498df92f",
            "VpcId": "vpc-5c1a213b",
            "Tags": [],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": true,
                    "RuleAction": "deny"
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": false,
                    "RuleAction": "deny"
                }
            ],
            "IsDefault": false
        }
    ]
}

Add a rule to a Network ACL

$ aws ec2 create-network-acl-entry --network-acl-id acl-498df92f --ingress --rule-number 100 --protocol tcp --port-range From=22,To=22 --cidr-block=0.0.0.0/0 --rule-action allow
$ aws ec2 describe-network-acls --network-acl-id acl-498df92f

Output:

{
    "NetworkAcls": [
        {
            "Associations": [],
            "NetworkAclId": "acl-498df92f",
            "VpcId": "vpc-5c1a213b",
            "Tags": [],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": true,
                    "RuleAction": "deny"
                },
                {
                    "RuleNumber": 100,
                    "Protocol": "6",
                    "PortRange": {
                        "To": 22,
                        "From": 22
                    },
                    "Egress": false,
                    "RuleAction": "allow",
                    "CidrBlock": "0.0.0.0/0"
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": false,
                    "RuleAction": "deny"
                }
            ],
            "IsDefault": false
        }
    ]
}

Remove a rule from a Network ACL

$ aws ec2 delete-network-acl-entry --network-acl-id acl-498df92f --ingress --rule-number 100
$ aws ec2 describe-network-acls --network-acl-id acl-498df92f

Output:

{
    "NetworkAcls": [
        {
            "Associations": [],
            "NetworkAclId": "acl-498df92f",
            "VpcId": "vpc-5c1a213b",
            "Tags": [],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": true,
                    "RuleAction": "deny"
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": false,
                    "RuleAction": "deny"
                }
            ],
            "IsDefault": false
        }
    ]
}

Replace a Network ACL

First, I’ll recreate the inbound SSH rule from above. Then, I’ll change the allowed IP range to 153.106.0.0/16. Creating a NACL entry doesn’t return any output, but I like to run a describe-network-acls command to verify the rule looks like I think it should.

$ aws ec2 create-network-acl-entry --network-acl-id acl-498df92f --ingress --rule-number 100 --protocol tcp --port-range From=22,To=22 --cidr-block=0.0.0.0/0 --rule-action allow
$ aws ec2 describe-network-acls --network-acl-id acl-498df92f

Output:

{
    "NetworkAcls": [
        {
            "Associations": [],
            "NetworkAclId": "acl-498df92f",
            "VpcId": "vpc-5c1a213b",
            "Tags": [],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": true,
                    "RuleAction": "deny"
                },
                {
                    "RuleNumber": 100,
                    "Protocol": "6",
                    "PortRange": {
                        "To": 22,
                        "From": 22
                    },
                    "Egress": false,
                    "RuleAction": "allow",
                    "CidrBlock": "0.0.0.0/0"
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": false,
                    "RuleAction": "deny"
                }
            ],
            "IsDefault": false
        }
    ]
}

AWS CLI:

$ aws ec2 replace-network-acl-entry --network-acl-id acl-498df92f --ingress --rule-number 100 --protocol tcp --port-range From=22,To=22 --cidr-block=153.106.0.0/16 --rule-action allow
$ aws ec2 describe-network-acls --network-acl-id acl-498df92f

Output:

{
    "NetworkAcls": [
        {
            "Associations": [],
            "NetworkAclId": "acl-498df92f",
            "VpcId": "vpc-5c1a213b",
            "Tags": [],
            "Entries": [
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": true,
                    "RuleAction": "deny"
                },
                {
                    "RuleNumber": 100,
                    "Protocol": "6",
                    "PortRange": {
                        "To": 22,
                        "From": 22
                    },
                    "Egress": false,
                    "RuleAction": "allow",
                    "CidrBlock": "153.106.0.0/16"
                },
                {
                    "CidrBlock": "0.0.0.0/0",
                    "RuleNumber": 32767,
                    "Protocol": "-1",
                    "Egress": false,
                    "RuleAction": "deny"
                }
            ],
            "IsDefault": false
        }
    ]
}
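To see what the rule numbers in that output actually mean, here is a small evaluator I added (it is not part of the post or the AWS CLI) that walks the inbound entries the way the VPC does: lowest RuleNumber first, first match wins, and the 32767 catch-all denies everything else. The entries are constructed from the describe-network-acls output shown after the replace step; the "tcp"/"udp"/"icmp" protocol table is my own shorthand for the numeric values the API returns.

```python
import ipaddress
import json

# Inbound entries, constructed from the describe-network-acls output above
# (after rule 100 was replaced with the 153.106.0.0/16 CIDR).
NACL_JSON = """
[
  {"CidrBlock": "0.0.0.0/0", "RuleNumber": 32767, "Protocol": "-1",
   "Egress": false, "RuleAction": "deny"},
  {"RuleNumber": 100, "Protocol": "6", "PortRange": {"To": 22, "From": 22},
   "Egress": false, "RuleAction": "allow", "CidrBlock": "153.106.0.0/16"}
]
"""

# Protocol numbers as the API reports them; "-1" in an entry means all protocols.
PROTO = {"tcp": "6", "udp": "17", "icmp": "1"}


def evaluate(entries, egress, src_ip, proto, port):
    """Return (action, rule_number) for a packet against a NACL entry list.

    NACLs are stateless and evaluated in ascending RuleNumber order; the
    first entry whose direction, CIDR, protocol and port range all match
    decides the outcome. The default 32767 entry matches anything left.
    """
    addr = ipaddress.ip_address(src_ip)
    for e in sorted(entries, key=lambda e: e["RuleNumber"]):
        if e["Egress"] != egress:
            continue
        if addr not in ipaddress.ip_network(e["CidrBlock"]):
            continue
        if e["Protocol"] != "-1" and e["Protocol"] != PROTO[proto]:
            continue
        rng = e.get("PortRange")
        if rng and not (rng["From"] <= port <= rng["To"]):
            continue
        return e["RuleAction"], e["RuleNumber"]
    return "deny", None  # only reached if the 32767 catch-all is missing


def ssh_allowed_from(entries, src_ip):
    """The inbound SSH case the post walks through, as a yes/no check."""
    return evaluate(entries, False, src_ip, "tcp", 22)[0] == "allow"


ENTRIES = json.loads(NACL_JSON)

if __name__ == "__main__":
    for ip in ("153.106.10.20", "198.51.100.7"):
        print(ip, evaluate(ENTRIES, False, ip, "tcp", 22))
```

Swapping the CIDR on rule 100 back to 0.0.0.0/0 in NACL_JSON reproduces the pre-replace state, where SSH from any source hits the allow before the deny.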

Assign a Network ACL to a subnet

Changes which network ACL a subnet is associated with. When you create a subnet, the subnet is associated with the default network ACL. You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL.

$ aws ec2 replace-network-acl-association --association-id aclassoc-e5b95c8c --network-acl-id acl-5fb85d36

Output:

{
    "NewAssociationId": "aclassoc-3999875b"
}

Delete a Network ACL

$ aws ec2 delete-network-acl --network-acl-id acl-498df92f