All Products
Search
Document Center

Elastic Compute Service:Strengthen network access control with network ACLs

Last Updated:Apr 27, 2026

Combine network ACLs with security groups for defense-in-depth subnet traffic control.

Security risks

Security groups operate at the NIC level and define per-instance access rules. Network ACLs operate at the subnet level and filter traffic between subnets. Together, they form a layered defense that mitigates risks from misconfigured security group rules or unprotected instances.

When traffic enters a Virtual Private Cloud (VPC), it reaches a vSwitch first. The network ACL filters traffic before security groups or Cloud Firewall, blocking illegitimate inbound traffic to save processing resources and unnecessary outbound traffic to save bandwidth.

Supplement security group rules with a network ACL

image

Background and challenges

In cloud environments, you often connect multiple VPCs to enable cross-service communication. Consider two VPCs:

  • VPC1 (10.200.0.0/16): Hosts applications that access resources in VPC2.

  • VPC2 (10.1.0.0/16): Hosts service instances in a complex network environment.

Initially, to simplify development and accelerate deployment, VPC2's security group rules were overly permissive. For example, some security groups opened ports to the entire 10.0.0.0/8 CIDR block, and some ECS instances intended only for internal access allowed access from all sources (0.0.0.0/0).

When you connect VPC1 and VPC2 with a VPC peering connection, these risks become apparent. The goal is to allow VPC1 services to access port 80 on the 10.1.38.0/24 cluster in VPC2. However, precise security group rules for the target cluster alone are insufficient. A peering connection links the 10.200.0.0/16 and 10.1.0.0/16 CIDR blocks partially or entirely, so misconfigured instances in VPC2 could be accidentally exposed to VPC1.

Solution: Use a network ACL to strengthen border security

To establish a clear security border, configure a network ACL on the vSwitch in VPC2 that connects to VPC1. A network ACL is a stateless packet filter at the subnet level. It acts as a subnet firewall and is applied before security groups.

The configuration policy is as follows:

  1. Deny by default: Set a default rule to deny all inbound traffic from VPC1 (10.200.0.0/16) and all outbound traffic to VPC1. This establishes a secure baseline where the two VPCs cannot communicate without explicit permission.

  2. Allow specific traffic: Add higher-priority rules to allow bidirectional communication on port 80 between VPC1 (10.200.0.0/16) and the target cluster in VPC2 (10.1.38.0/24).

    • Inbound rule: Allow inbound TCP traffic on port 80 from 10.200.0.0/16 to 10.1.38.0/24.

    • Outbound rule: Allow outbound TCP response traffic from 10.1.38.0/24 to 10.200.0.0/16 on an ephemeral port range.

With this configuration, the vSwitch uses the network ACL to filter out unauthorized requests first. Only explicitly allowed traffic reaches the ECS instances. Even if some security group rules are flawed, the instances remain unexposed to VPC1.