Restrictive NACL
๐ฆ Overviewโ
This Terraform module provisions a restrictive Network ACL (NACL) for an AWS VPC, locking down network traffic to allow only essential ingress and egress rules.
It's ideal for production workloads, sensitive systems, or subnet zones where only HTTP/HTTPS inbound and limited outbound traffic are permitted.
โ Key Featuresโ
- Creates a custom NACL with strict rules
- Allows inbound HTTP (port 80) and HTTPS (port 443)
- Allows outbound ephemeral ports (1024โ65535)
- Associates the NACL with one or more subnets
- Tags the resource for environment tracking
๐ผ Use Casesโ
- Segmented VPC zones requiring limited exposure
- Frontend services that only require HTTP/S inbound
- Workloads needing tightly controlled egress paths
- Enforcing compliance boundaries within VPC networks
๐ฅ Input Variablesโ
| Name | Type | Description |
|---|---|---|
| region | string | AWS region for deployment |
| vpc_id | string | The ID of the VPC where the NACL will be created |
| subnet_ids | list(string) | List of subnet IDs to associate with the NACL |
| environment | string | Deployment environment tag (e.g., dev, staging, prod) |
๐ค Outputsโ
| Name | Description |
|---|---|
| nacl_id | The ID of the provisioned Network ACL |
| associated_subnet_ids | List of subnet IDs associated with the NACL |
| vpc_id | The ID of the VPC where the NACL was deployed |
๐ Deployment Readinessโ
- โ Compatible with Terraform 1.0+
- โ Tested with AWS provider 5.x
- ๐งช Requires permissions for NACL and subnet association operations
๐ ๏ธ Example Usageโ
module "nacl_restrictive" {
source = "git::ssh://git@github.com/archiphire/aws-level-1-modules.git//network-security/nacl-restrictive?ref=v1.0.0"
region = "us-east-1"
vpc_id = "vpc-0123456789abcdef0"
subnet_ids = ["subnet-abc123", "subnet-def456"]
environment = "prod"
}
terraform init
terraform plan
terraform apply
or
tofu init
tofu plan
tofu apply
๐งน Cleanup Optionsโ
Terraform Destroy (for test environments):
terraform destroy
or
tofu destroy
Manual Deletion (for production):
Remove the NACL manually via AWS Console or CLI to avoid disrupting traffic in integrated systems.
๐ก๏ธ Notesโ
This is a Level 1 network security module designed for restrictive subnet-level access control. To accommodate more specific applications, you can extend the module with additional rule entries for ports or protocols.
๐ Deployment Package Noticeโ
This module is part of the Level 1 AWS License Tier. To access the full deployment package and source code, subscribe to Archiphire.