Table of Contents |
---|
...
Excerpt |
---|
This network ACL |
...
is the recommended baseline for |
...
VPC subnets in Cornell AWS accounts. It should be configured and used on all AWS VPC subnets. You are welcome to make your NACL more stringent, but we recommend careful |
...
consideration before making it less stringent. |
Important IPs and CIDR Blocks
These IPs and CIDR blocks are referenced in the Baseline NACL:
CIDR | DNS Name | Description |
---|---|---|
52.200.35.38/32 | kerberos-aws.login.cornell.edu | AWS-based Cornell Kerberos Server |
52.201.66.104/32 | kerberos-aws2.login.cornell.edu | AWS-based Cornell Kerberos Server |
10.0.0.0/8 | Cornell private network | |
128.84.0.0/16 | Cornell campus public IPs | |
128.253.0.0/16 | Cornell campus public IPs | |
132.236.0.0/16 | Cornell campus public IPs | |
192.35.82.0/24 | Cornell campus public IPs | |
192.122.235.0/24 | Cornell campus public IPs | |
192.122.236.0/24 | Cornell campus public IPs | |
35.170.14.255/32 | test.directory.cornell.edu | AWS-based TEST directory |
3.229.3.150/32 | test.directory.cornell.edu | AWS-based TEST directory |
3.228.209.25/32 | query.directory.cornell.edu | AWS-based PROD directory |
3.218.140.210/32 | query.directory.cornell.edu | AWS-based PROD directory |
100.64.0.0/10 | AWS VPCs can be extended with CIDR blocks in this range. |
Note |
---|
...
Outbound Rules
If you have extended your VPC using CIDR blocks from the 100.64.0.0/10 range, you will need to request a NACL rule quote increase. The default limit for NACL rules is 20. The outbound rule list for the baseline NACL is already 20 rules, not including any rules for 100.64.0.0/10 blocks. You will need to request a quota increase to at least 21 to accommodate a 100.64.0.0/10 rule. See VPC Network ACL quotas in AWS documentation. |
CloudFormation
A CloudFormation template to create a Network ACL for with the baseline rules can be found here: https://github.com/CU-CommunityApps/cu-aws-cloudformation/tree/master/baseline-nacl
Terraform
A Terraform module to create a Network ACL with these baseline rules can be found here: https://github.com/CU-CommunityApps/tf-module-cornell-util/tree/main/modules/aws/baseline-nacl
Manual Configuration
Inbound Rules
Add an additional ALLOW rule 1600 to allow all traffic from source 100.64.0.0/10 if your VPC includes any CIDR blocks in 100.64.0.0/10.
Outbound Rules
Add an additional ALLOW rule 2000 to allow all traffic to destination 100.64.0.0/10 if your VPC includes any CIDR blocks in 100.64.0.0/10.