Configure Network ACL
Hi,
I want to configure network ACL to allow client IP addresses alone in inbound rule for aws transfer family.
As of now am using security as a security group.
As my project requires security as Network ACL need to configure.
Below is my stack sample stack.
SecurityGroup:
Type: AWS::EC2::SecurityGroup
Properties:
GroupName: "Production Security Group"
GroupDescription: "Security Group with inbound and outbound rule"
VpcId: !Ref VPC
SecurityGroupIngress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 0.0.0.0/0
- IpProtocol: udp
FromPort: 69
ToPort: 69
CidrIp: 96.47.148.171/32
- IpProtocol: tcp
FromPort: 22
ToPort: 22
CidrIp: 3.16.146.0/29
SecurityGroupEgress:
- IpProtocol: tcp
FromPort: 80
ToPort: 80
CidrIp: 0.0.0.0/0
Tags:
- Key: Name
Value: !Sub ${EnvironmentName} SecurityGroup
EndpointDetails:
VpcId: !Ref VPC
SubnetIds:
- !Ref PublicSubnet
AddressAllocationIds:
- !GetAtt NatGatewayEIP.AllocationId
Tags:
- Key: Name
Value: !Sub ${EnvironmentName} EndpointDetails
- 新しい順
- 投票が多い順
- コメントが多い順
Hi Mehandra,
Here you need use two CloudFormation resources : AWS::EC2::NetworkAcl and AWS::EC2::NetworkAclEntry. First create NetworkAcl and in NetworkAclEntry you allow/deny specific IPs/CIDR.
You can find good example here : https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-ec2-networkaclentry.html#aws-resource-ec2-networkaclentry--examples
BUT before implementing it please note that NetworkACLs are associated with subnets so if you run any resource under that subnet then only IP which is allowed in NetworkACL will able to access resource. **If your goal is protect only specific resource I would still recommend Security Group because with NetworkACL you are restricting access for whole subnet. **
