You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 12 Next »



This network ACL is the recommended baseline for AWS VPC subnets. It should be configured and used on all AWS VPC subnets. You are welcome to make your NACL more stringent, but we recommend careful consideration before making it less stringent.

Important IPs and CIDR Blocks

These IPs and CIDR blocks are referenced in the Baseline NACL:

CIDRDNS NameDescription
52.200.35.38/32kerberos-aws.login.cornell.eduAWS-based Cornell Kerberos Server
52.201.66.104/32kerberos-aws2.login.cornell.eduAWS-based Cornell Kerberos Server
10.0.0.0/8
Cornell private network
128.84.0.0/16
Cornell campus public IPs
128.253.0.0/16
Cornell campus public IPs
132.236.0.0/16
Cornell campus public IPs
192.35.82.0/24
Cornell campus public IPs
192.122.235.0/24
Cornell campus public IPs
192.122.236.0/24
Cornell campus public IPs
35.170.14.255/32test.directory.cornell.eduAWS-based TEST directory
3.229.3.150/32test.directory.cornell.eduAWS-based TEST directory
3.228.209.25/32query.directory.cornell.eduAWS-based PROD directory
3.218.140.210/32query.directory.cornell.eduAWS-based PROD directory
100.64.0.0/10
AWS VPCs can be extended with CIDR blocks in this range.


If you have extended your VPC using CIDR blocks from the 100.64.0.0/10 range, you will need to request a NACL rule quote increase. The default limit for NACL rules is 20. The outbound rule list for the baseline NACL is already 20 rules, not including any rules for 100.64.0.0/10 blocks. You will need to request a quota increase to at least 21 to accommodate a 100.64.0.0/10 rule. See VPC Network ACL quotas in AWS documentation.

CloudFormation

A CloudFormation template to create a Network ACL for with the baseline rules can be found here: https://github.com/CU-CommunityApps/cu-aws-cloudformation/tree/master/baseline-nacl

Manual Configuration

Inbound Rules

(warning) Add an additional ALLOW rule 1600 to allows all traffic from source 100.64.0.0/10 if your VPC includes any CIDR blocks in 100.64.0.0/10.

Outbound Rules

(warning) Add an additional ALLOW rule 2000 to allows all traffic to destination 100.64.0.0/10 if your VPC includes any CIDR blocks in 100.64.0.0/10.

  • No labels