IP services and securityIntermediate42 min read

What Is Inbound ACL? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

An inbound ACL is like a bouncer at the entrance of a building who checks everyone coming in. It looks at each data packet trying to enter a network device and either lets it through or stops it based on rules you set. This helps protect the network from unwanted or harmful traffic before it gets inside.

Common Commands & Configuration

ip access-list extended BLOCK_SSH deny tcp any any eq 22 permit ip any any

Creates an extended ACL that blocks all inbound SSH traffic (TCP port 22) and permits all other IP traffic. Applied inbound on an external interface.

CCNA and Security+ exams test the order: the deny for SSH must come before the permit any. Otherwise, the permit any matches first and SSH traffic is allowed.

interface gigabitethernet 0/0 ip access-group BLOCK_SSH in

Applies the extended ACL named BLOCK_SSH to the inbound direction on interface GigabitEthernet 0/0.

The 'in' keyword specifies inbound direction. Exam questions often ask where to apply the ACL to block external traffic entering the network.

access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80

Standard numbered extended ACL (100) that permits inbound TCP traffic from source network 192.168.1.0/24 to any destination on port 80.

Tests understanding of wildcard masks (0.0.0.255) and that numbered ACLs 100-199 are extended. Common in Network+ and CCNA for permit web traffic.

ip access-list extended SECURE_MGMT permit tcp host 10.10.10.5 any eq 22 deny tcp any any eq 22 permit ip any any

Allows SSH only from the specific management host 10.10.10.5 and denies all other SSH, then permits all other traffic.

Tests the 'host' keyword for a specific IP and the sequential match logic. Must place the permit before the deny. Exam scenarios often involve restricting management access.

aws ec2 create-network-acl-entry --network-acl-id acl-12345 --ingress --rule-number 100 --protocol tcp --port-range From=22,To=22 --cidr-block 0.0.0.0/0 --rule-action deny

Creates an inbound NACL entry in AWS to deny all SSH traffic from any source, evaluated at rule number 100.

AWS SAA exams focus on NACL rule numbers and the fact that NACLs support explicit deny. The lower rule number is evaluated first, so this will deny SSH before any higher numbered permit rule.

access-list 110 remark BLOCK_INTERNAL_HOSTS

Adds a remark to ACL 110 for documentation purposes. Remarks are not evaluated but appear in the config.

CCNA tests the 'remark' keyword as a best practice for documenting ACLs. Often appears in multiple-choice questions asking how to document ACL entries.

show ip access-list

Displays all configured IP ACLs along with hit counts for each entry, showing how many packets have matched.

This command is critical for troubleshooting inbound ACLs. Exams test that hit counts help identify which rule is blocking or allowing traffic. Security+ questions may refer to this for log analysis.

configure terminal ip access-list extended ALLOW_HTTPS_ONLY permit tcp any host 203.0.113.10 eq 443 deny ip any any interface eth0 ip access-group ALLOW_HTTPS_ONLY in

Configures an inbound ACL that only allows HTTPS traffic to destination IP 203.0.113.10, blocking all other traffic implicitly.

Note the explicit 'deny ip any any' is redundant because of implicit deny, but including it is common for clarity. Exams sometimes ask whether the deny line is necessary.

Must Know for Exams

Inbound ACLs are a recurring topic across multiple IT certification exams, each with its own emphasis. For CompTIA A+, the term appears lightly in the context of basic network security and home router configuration. You might see questions about why you would enable a firewall rule to block inbound traffic on a specific port. For Network+, inbound ACLs are more significant. The exam objectives include understanding ACL concepts, how they filter traffic, and basic configuration scenarios. You might be asked to interpret an ACL configuration or identify where an ACL should be placed (inbound vs. outbound).

For Security+, inbound ACLs are a primary topic. The exam covers access control lists as a network security control, including the difference between standard and extended ACLs, and the concept of implicit deny. You could get a scenario question where a company wants to restrict SSH access to a server from only the administrator's IP. You must recognize that an inbound ACL on the server's network interface is the correct solution. You might also see questions about troubleshooting connectivity issues caused by an incorrect ACL order.

In Cisco CCNA, inbound ACLs are a core exam objective. You will need to understand how to configure and verify standard and extended ACLs on Cisco routers, including the correct syntax, placement (inbound vs. outbound), and the order of ACEs. You will need to know that an ACL filters based on the first match, and that the implicit deny blocks all unmatched traffic. The exam includes simulation questions where you must identify why a host cannot reach a server, and the answer involves an ACL blocking inbound traffic. You must also understand the difference between inbound and outbound ACLs: inbound filters before the route lookup, outbound filters after.

For cloud certifications like AWS Solutions Architect (SAA), AZ-104 (Azure), and Google ACE, inbound rules are essential. You need to know the difference between security groups (stateful) and network ACLs (stateless). Exam questions often present a scenario where a web server is not responding, and you must check the inbound rules of the security group and the NACL. Understanding that a stateless ACL requires explicit inbound and outbound rules for traffic to flow is a common trap. For example, if you allow inbound HTTP from the internet but block outbound traffic from the subnet in the NACL, HTTP responses will be dropped. The exam tests this nuance.

In every exam, the common thread is understanding the direction of filtering. Many learners confuse inbound and outbound. Remember: inbound ACLs check traffic entering an interface. This is a favorite exam trap. You might be given a topology and asked where to place an ACL to block traffic from the internet to a private server; the correct answer is the inbound direction on the internet-facing interface.

Simple Meaning

Imagine you are hosting a party at your house. You have a front door, and you decide who gets to come in. You might have a list of friends who are allowed, and you might also have a rule that no one wearing a red shirt can enter because you have had trouble with people in red shirts before. An inbound ACL is exactly that, but for your computer network. It is a set of instructions placed on the entry point of a router, switch, or firewall. Every piece of data, called a packet, that tries to come into your network through that entry point has to be checked against these instructions first.

Think of your network like a secure office building. The inbound ACL is the security guard at the main entrance. The guard has a clipboard with rules. Some rules say, "Let in anyone from the trusted partner company (by checking their ID badge)." Other rules say, "Block anyone trying to come from a known suspicious address." The guard does not let anyone just walk in; every single person is stopped and checked. If the person matches a rule that says "allow," they go in. If they match a rule that says "deny," they are turned away before they even step inside the lobby.

This is important because it stops problems before they start. If you only check traffic after it has already entered your network (that is an outbound ACL), the damage might already be happening. With an inbound ACL, you filter at the front door. For example, if a hacker from a bad IP address tries to send a virus to a computer inside your network, the inbound ACL on your router sees that packet, checks the source IP address, sees it is on the "deny" list, and drops the packet immediately. The hacker never even gets a response, and your internal computer never sees the malicious data.

Inbound ACLs are used on all sorts of network devices. On a home router, you might not see the term, but it is there, blocking incoming connections from the internet that you did not ask for. On a corporate firewall, an inbound ACL is the first line of defense, controlling what external traffic can reach internal servers like web servers or email servers. On cloud services like Amazon Web Services (AWS), a security group or network ACL works in a similar way, filtering traffic entering a virtual network. The key idea is always the same: you are inspecting incoming data and making a decision before it gets to its destination.

Full Technical Definition

An Access Control List (ACL) is a sequential list of permit or deny statements, known as Access Control Entries (ACEs), that apply to packet filtering. An inbound ACL is specifically applied to traffic entering a network interface on a device such as a router, Layer 3 switch, or firewall. The ACL is evaluated top-down; the first matching ACE determines the action (permit or deny) for the packet. If no match occurs, an implicit deny all rule at the end of the ACL blocks the packet. This default behavior is critical for security, as it ensures that only explicitly permitted traffic is allowed.

Inbound ACLs operate at different layers of the OSI model. Standard ACLs filter based solely on the source IP address (Layer 3). Extended ACLs can filter on source and destination IP addresses, protocol type (TCP, UDP, ICMP, etc.), and Layer 4 port numbers. For example, an extended inbound ACL on a router's WAN interface could permit incoming TCP traffic destined for port 80 (HTTP) on a specific internal web server, while denying all other traffic. The router examines each incoming packet, extracts the relevant header fields, and compares them against the ACEs in order.

Configuration of inbound ACLs varies by platform. On Cisco IOS, the command syntax uses access-list numbers (1-99 for standard, 100-199 for extended) or named ACLs, followed by the permit or deny keyword, and then the match criteria. The ACL is then applied to an interface with the ip access-group command in the inbound direction. For example: access-list 100 permit tcp any host 192.168.1.10 eq 80 followed by interface GigabitEthernet0/0 and ip access-group 100 in. This sequence creates an extended ACL that permits any TCP traffic from any source to the specific host on port 80, applied inbound on the interface.

In modern networks, ACLs are also implemented in next-generation firewalls (NGFWs) and cloud environments. In AWS, a Network ACL (NACL) is a stateless firewall that controls inbound traffic at the subnet level. Each NACL rule has a rule number, type (HTTP, SSH, etc.), protocol, port range, source CIDR, and allow/deny action. Unlike stateless NACLs, security groups (SGs) are stateful and operate at the instance level, but they also apply inbound rules. In Azure, Network Security Groups (NSGs) function similarly with inbound security rules that include priority, source, destination, port, and protocol. Google Cloud Platform uses firewall rules that can be applied at the VPC level or to individual instances, with direction set to ingress.

A key technical nuance is the concept of statefulness. A stateful firewall (like a security group in AWS or a modern NGFW) automatically tracks the state of connections and allows return traffic for outbound-initiated sessions. In contrast, a stateless ACL (like a Cisco standard ACL or an AWS NACL) does not track state. Each packet is evaluated independently. This means that with a stateless inbound ACL, you must explicitly allow return traffic if you have an outbound rule; otherwise, replies will be blocked. This is a common source of configuration errors.

The placement of inbound ACLs is strategic. They are typically placed on interfaces that face untrusted networks, such as the internet-facing interface of a border router. By filtering at the entry point, the ACL reduces the load on internal devices and prevents malicious traffic from traversing the internal network. In a layered security approach (defense in depth), inbound ACLs are one of the first lines of defense, often working in concert with intrusion prevention systems (IPS) and endpoint security.

Performance considerations are also important. Each incoming packet must be compared against the ACL entries until a match is found. A large, poorly ordered ACL can introduce latency. Best practices include placing the most frequently matched rules at the top of the ACL to speed up processing. Hardware acceleration can mitigate performance impacts on enterprise devices.

Standards and protocols involved include IP (IPv4 and IPv6), TCP, UDP, ICMP, and sometimes application-layer protocols when using advanced ACL features like reflexive ACLs or time-based ACLs. Reflexive ACLs create temporary inbound permits for traffic that was initiated from inside the network, providing a form of stateful filtering. Time-based ACLs allow rules to be active only during specific times of the day or days of the week, useful for restricting access during non-business hours.

Real-Life Example

Let me tell you about a door policy at a busy nightclub. The club has a huge line of people waiting to get in. At the front door, there is a bouncer named Alex. Alex has a list of rules on a tablet. The first rule is that anyone on the VIP list gets in immediately. The second rule says nobody wearing sports team jerseys is allowed, because there was a fight last week. The third rule says all guests must be 21 or older. The fourth rule says anyone with a backpack must have it searched. These rules are applied in order, one by one, to every person trying to enter.

Now, this nightclub is your network, and Alex's tablet is your inbound ACL. Each person in line is a data packet trying to enter your network. Alex does not wait until the person is inside the club to check them; he checks them at the door. If a person is on the VIP list (a trusted IP address), Alex lets them right in. If a person is wearing a jersey (a known malicious source IP), Alex stops them at the door and says, "Sorry, you are not coming in." If a person is only 19 (a blocked port or protocol), Alex turns them away. This is exactly how an inbound ACL works: it examines each packet as it arrives at the interface and decides whether to permit or deny entry based on the first matching rule.

What happens if a person does not match any rule on the list? Alex's club policy says that if someone is not explicitly allowed, they are denied entry. That is the implicit deny all. So even if a person looks friendly and has no jersey, if they are not on any allow rule, they are turned away. In networking, if a packet does not match any ACE in the ACL, the implicit deny at the end blocks it. This means you must explicitly permit any traffic you want to allow.

The order of the rules matters hugely. In the club, if Alex had the "no jerseys" rule first and the VIP list second, then a VIP who happens to be wearing a jersey would be denied entry because the bouncer checks the jersey rule first. That would be a big mistake. In an ACL, once a packet matches a rule, no further rules are checked. So if a permit rule for a specific IP is listed after a deny rule that includes that same IP, the deny rule will block it. This is why ACLs must be carefully ordered, with more specific rules placed before broader ones.

Also, the bouncer cannot change the rules on the fly for every person. The rules are set by the club owner, just as an ACL is configured by the network administrator. If a new threat emerges, like a group of troublemakers wearing blue shirts, the owner updates the list, and the bouncer uses the new list from that moment on. Similarly, if a new malicious IP is identified, the admin adds a deny rule to the inbound ACL, and it starts blocking that traffic immediately.

The same concept applies to cloud computing. Imagine you have a server in AWS that hosts a website. The inbound security group rules act like the bouncer for that server. They allow traffic on port 80 (HTTP) from all internet users, but they block traffic on port 22 (SSH) from everyone except your office IP. This ensures that only web visitors can reach the server, and only you can administer it. The analogy holds perfectly across all networking environments.

Why This Term Matters

Inbound ACLs are a fundamental security control in any network. They are the first line of defense against unauthorized access, malicious attacks, and unwanted traffic. Without an inbound ACL, your network devices would accept all incoming traffic by default, turning your network into a playground for attackers. They could probe your systems, attempt to exploit vulnerabilities, or launch denial-of-service attacks. By filtering at the entry point, you drastically reduce your attack surface.

In practical IT, inbound ACLs are used to enforce security policies. For example, you might allow only specific remote offices to access your internal management interfaces. You might block known malicious IP addresses based on threat intelligence feeds. You might allow only VPN traffic into your corporate network from the internet, dropping everything else. These rules are implemented using inbound ACLs on your edge routers or firewalls.

Performance and efficiency also matter. By dropping unwanted traffic at the border, you reduce the load on internal devices like servers and intrusion detection systems. This can improve overall network performance and reduce the cost of processing malicious traffic. In a cloud environment, inbound rules also have cost implications, as some cloud providers charge for data processing that occurs even when traffic is eventually dropped.

Compliance is another reason. Many regulations like PCI DSS, HIPAA, and GDPR require organizations to implement access controls that restrict inbound traffic. An inbound ACL provides a clear, auditable mechanism to demonstrate that only necessary services are exposed to external networks. It is a core component of a defense-in-depth strategy, working with firewalls, IPS, and endpoint protection to create multiple layers of security.

How It Appears in Exam Questions

Inbound ACL questions appear in various formats: multiple-choice, scenario-based, configuration interpretation, and troubleshooting. Multiple-choice questions might ask: "Which of the following ACL rules would block all inbound traffic from the 192.168.1.0/24 subnet?" You would need to identify the correct syntax, such as "access-list 10 deny 192.168.1.0 0.0.0.255." Another common format: "An administrator applies an ACL to an interface in the inbound direction. What does this mean?" The correct answer is that the ACL filters packets before the router processes or forwards them.

Scenario-based questions are popular in Security+ and CCNA. For example: "A company has a web server at 192.168.1.10 that should be reachable from the internet on port 443. All other inbound traffic should be blocked. Which ACL configuration should be applied to the internet-facing interface in the inbound direction?" You would need to choose the answer with a permit entry for TCP port 443 to the specific host and an implicit deny (which is automatic). The trick might be that a candidate answer includes a deny all entry, which is unnecessary but not incorrect. Another scenario: "After applying an ACL, employees cannot access the internet. The ACL was applied inbound on the internal interface. Why does this cause a problem?" The answer: filtering inbound blocks traffic from the internal network to the router, effectively blocking outbound traffic because it is entering the router from an internal interface.

Troubleshooting questions are very common. For instance: "A network technician applied an inbound ACL on the WAN interface of a router to allow only HTTP traffic to the web server. Users can reach the web server from the internet, but the server's log shows no connections. What is the most likely issue?" The answer might be that the ACL is blocking the returning traffic because it is stateless, but that is not the issue because inbound ACLs only affect incoming packets. Actually, the issue could be that the ACL is blocking the outgoing web server responses on the same interface if it is applied inbound, but inbound direction does not affect outgoing packets. The real problem might be that the ACL is blocking TCP SYN packets correctly but the server's responses are allowed by a separate outbound ACL, which is missing. Such nuanced scenarios test deep understanding.

In cloud exams, questions often present a VPC and ask: "A web server in a public subnet cannot be accessed from the internet. The instance's security group allows HTTP from 0.0.0.0/0. What should you check next?" The answer: check the inbound rules of the network ACL associated with the subnet. Another common trap: "You allow inbound HTTP from the internet in the NACL but the web server still does not respond. Why?" Because the NACL is stateless and the outbound rule for ephemeral ports (1024-65535) might be missing, so response packets are dropped.

Another pattern is comparing standard vs extended ACLs. A question might say: "Which type of ACL should be used to block inbound traffic from a specific host to a specific service?" The answer: extended ACL because it can filter on both source and destination IP and port. Standard ACLs only filter on source IP, making them unsuitable for this granularity.

Configuration interpretation questions provide a partial ACL and ask what effect it has. For example: "Given the following ACL applied inbound on interface G0/0: deny ip 10.0.0.0 0.0.0.255 any. What happens to traffic from 10.0.0.5 destined to 8.8.8.8?" It is denied. Then they might ask about traffic from 192.168.1.1: it would be permitted by the implicit deny? No, it would be denied because no explicit permit exists. That helps reinforce the implicit deny concept.

Practise Inbound ACL Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a network administrator for a small company. The company has a single server that hosts a company website and a file sharing service. The web server's internal IP address is 192.168.1.100. Employees need to access the file sharing service from within the office, and customers need to access the website from the internet. The company also has a remote worker who needs to connect to the server using Remote Desktop Protocol (RDP) from his home IP address 203.0.113.5.

Your goal is to create an inbound ACL on the company's router that is connected to the internet. This ACL will control which traffic is allowed to enter the network and reach the server. You want to allow HTTP (port 80) and HTTPS (port 443) from any internet user to the web server. You want to allow RDP (port 3389) only from the remote worker's home IP. All other inbound traffic to the server should be blocked. Also, you must ensure that internal traffic from employees to the file sharing service (which uses port 445, SMB) is not affected, because that traffic does not enter through the internet-facing interface.

First, you determine that the ACL should be applied inbound on the router's WAN interface, the one facing the internet. You create an extended ACL because you need to filter by destination port and also by source IP for the RDP rule. You write the following entries in order:

1. Permit TCP from host 203.0.113.5 to host 192.168.1.100 eq 3389 (allow RDP from remote worker) 2. Permit TCP from any to host 192.168.1.100 eq 80 (allow HTTP from anywhere) 3. Permit TCP from any to host 192.168.1.100 eq 443 (allow HTTPS from anywhere) 4. Deny IP from any to any (this is the implicit deny, but you can add it explicitly for clarity)

Once applied, a customer browsing the website from the internet sends a packet destined to the server's IP on port 80. The router checks the inbound ACL. The first rule does not match because the source IP is not the remote worker's. The second rule does match because it allows any source on port 80, so the packet is permitted and forwarded to the server. The website loads successfully. A hacker trying to SSH into the server (port 22) sends a packet. It does not match the first three rules, so it matches the implicit deny, and the packet is dropped. The hacker never gets a response. The remote worker connects from his home IP on port 3389. The first rule matches, and RDP access is granted. However, if the remote worker's IP changes, his connection will be denied, which is a real-world issue.

Now, suppose you reversed the order: you placed the deny all rule first. Then all traffic would be denied, including web traffic. That is a common mistake. Also, if you forgot to include the explicit permit rules and relied on the implicit deny, the default would block everything, which might seem safe but would break all inbound services. The scenario demonstrates how ACL order and explicit permits are critical for functionality.

Common Mistakes

Placing a deny all rule at the beginning of the ACL.

Because ACLs are processed top-down, a deny all rule at the top will block every packet before it can match any subsequent permit rules. The entire ACL becomes useless for permitting any traffic.

Place the most specific permit rules at the top, and let the implicit deny at the end handle the blocking. Never put a deny all as the first entry unless you intend to block everything with no exceptions.

Confusing inbound and outbound direction when applying an ACL to an interface.

Applying an ACL in the inbound direction filters traffic entering the interface. Applying it outbound filters traffic leaving the interface. If you apply an inbound ACL on the interface facing the internet, it filters traffic from the internet into your network. If you accidentally apply it outbound on the same interface, it filters traffic from your network going out to the internet, which does not protect against incoming attacks.

Always check the direction. For blocking external threats, apply the ACL inbound on the interface connected to the untrusted network (e.g., WAN). Use 'ip access-group ACL_NAME in' on Cisco devices.

Forgetting the implicit deny and assuming traffic is allowed if not matched.

Many beginners think that if a packet does not match any rule, it is allowed. In reality, the default behavior is to deny. This leads to unintended blocking of legitimate traffic that was not explicitly permitted.

Always include explicit permit rules for all traffic you want to allow. Test the ACL to ensure that necessary services are not blocked. Remember the implicit deny is your friend for security, but you must account for it.

Using a standard ACL when an extended ACL is needed.

Standard ACLs can only filter based on source IP address. They cannot filter by destination port or destination IP. For example, to allow only SSH traffic from a specific host to a server, you need an extended ACL that specifies the destination port (22). A standard ACL would allow all traffic from that host, which is too permissive.

Assess the filtering requirements. If you need to filter based on protocol or port numbers, use an extended ACL (numbered 100-199 or named). Use standard ACLs only for simple source-based filtering.

Not considering the stateless nature of ACLs when troubleshooting connectivity.

Stateless ACLs evaluate each packet independently. If you have an inbound rule allowing HTTP, the return packets from the internal server to the external client are also evaluated by the ACL. If the ACL only allows inbound HTTP but does not have a corresponding outbound rule (if applied outbound) or if the inbound rule does not consider the returning traffic, the response packets can be dropped. This is especially important in cloud NACLs.

Remember that stateless ACLs require both inbound and outbound rules for bidirectional communication. For a web server, you need an inbound rule allowing port 80 and an outbound rule allowing ephemeral ports (1024-65535) for the response traffic. In security groups (stateful), this is handled automatically.

Making an ACL too specific or too broad without proper planning.

Overly permissive ACLs (e.g., allowing all traffic from any source) defeat the purpose of security. Overly restrictive ACLs can break necessary services and cause user frustration. Both extremes create problems.

Follow the principle of least privilege. Only allow the minimum traffic required for business needs. Document the rules and review them periodically.

Forgetting to update the ACL when a trusted IP address changes.

Static IP addresses in ACL rules are common. If a remote worker's IP changes and you do not update the ACL, they will be denied access. This is a frequent operational issue.

Use dynamic DNS hostnames if possible, or implement VPN access with authentication instead of IP-based allow lists. For critical access, consider using a VPN that authenticates users rather than relying on static IPs.

Exam Trap — Don't Get Fooled

{"trap":"The exam presents a scenario where an ACL is applied inbound on the internal interface of a router to block traffic from a specific internal subnet. Learners often think this is correct for controlling internal traffic, but applying an ACL inbound on an internal interface will also block the router's ability to forward traffic from that subnet out to other networks, because the traffic enters the router through that internal interface.","why_learners_choose_it":"Learners focus on the word 'inbound' and think it only affects traffic coming into the internal network from outside.

They do not realize that 'inbound' applies to the interface, not the network. Traffic from a user on the internal network entering the router is 'inbound' on that internal interface.","how_to_avoid_it":"Always map the direction to the interface.

Ask: 'Is the traffic entering or leaving the interface?' Inbound means entering the device through that interface. Traffic from an internal user going to the internet enters the internal interface, so an inbound ACL there would filter it.

To block traffic from a subnet to the internet, apply an outbound ACL on the external interface or use a zone-based firewall. In exams, read the topology carefully."

Commonly Confused With

Inbound ACLvsOutbound ACL

An outbound ACL filters traffic that is leaving an interface, after the router has made a routing decision. An inbound ACL filters traffic when it first arrives on an interface, before routing. The placement determines what traffic is examined. Inbound ACLs affect traffic coming in from the network attached to that interface; outbound ACLs affect traffic going out to that network.

If you want to block internet users from accessing your web server, you apply an inbound ACL on the router's internet-facing interface. If you want to prevent internal users from accessing a specific external website, you apply an outbound ACL on the internet-facing interface.

Inbound ACLvsSecurity Group (AWS)

A security group is a stateful virtual firewall for an EC2 instance. It automatically allows return traffic for allowed inbound connections. An inbound ACL (specifically a Network ACL in AWS) is stateless and applied at the subnet level. Security groups support only allow rules, while NACLs support both allow and deny rules. Inbound ACLs in AWS (NACLs) require explicit outbound rules for response traffic.

You set a security group to allow inbound HTTP from 0.0.0.0/0. Return traffic is automatically allowed. With a NACL, you must also create an outbound rule allowing ephemeral ports to send HTTP responses back.

Inbound ACLvsFirewall Rule (NGFW)

A next-generation firewall rule is more advanced than a traditional inbound ACL. It can inspect application-layer data, use user identity, and integrate with threat intelligence. An inbound ACL is typically simpler, layer 3/4 packet filtering. Firewalls often use stateful inspection, whereas many ACLs (like Cisco standard/extended) are stateless.

An ACL can block TCP port 443, but a firewall rule can identify and block a specific application like Facebook even if it uses port 443.

Inbound ACLvsImplicit Deny

Implicit deny is not a separate term but a rule automatically added at the end of every ACL. It denies all traffic that does not match any explicit ACE. Learners often confuse this with having to explicitly add a deny all rule. The implicit deny is always there, you do not need to configure it. Adding an explicit deny all rule at the end is redundant but not harmful, except that it can be mistakenly placed earlier.

If you create an ACL with only one rule 'permit tcp any host 10.1.1.1 eq 80', traffic on port 80 is allowed, but SSH to that same host is denied by the implicit deny.

Inbound ACLvsRoute Map

A route map is used for policy-based routing or route redistribution, not for filtering packets. It can match conditions and set attributes, but it does not directly permit or deny individual packets like an ACL. ACLs are used for packet filtering, route maps for routing policy.

Use an ACL to block traffic from a specific IP. Use a route map to influence which path traffic takes to reach a destination.

Step-by-Step Breakdown

1

Define Security Requirements

First, determine which services should be accessible from external networks and which should be blocked. Identify the source IPs (if any are trusted) and the destination ports. Document the business needs, such as allowing web traffic but blocking FTP.

2

Choose ACL Type

Decide between standard ACL (source IP only) and extended ACL (source/dest IP, protocol, port). For most inbound filtering on a border router, an extended ACL is needed because you must specify destination ports. Standard ACLs are rarely used for inbound filtering due to lack of granularity.

3

Create the ACL Entries (ACEs)

Write the rules in the correct order. The most specific and frequently matched rules should be first. For example, place the permit rule for a specific remote administrator's IP before a broad deny rule. Each ACE includes an action (permit/deny), protocol (tcp, udp, ip), source, destination, and optional operator (eq, gt, lt) for ports.

4

Apply the ACL to the Interface in the Inbound Direction

On the device (e.g., Cisco router), enter interface configuration mode for the interface that faces the untrusted network (usually the WAN interface). Use the command 'ip access-group [ACL-name/number] in'. This instructs the device to examine every incoming packet on that interface against the ACL.

5

Test Connectivity

After applying the ACL, test that legitimate traffic (web requests, VPN connections) can still pass through. Also test that blocked traffic (e.g., SSH from an unauthorized source) is denied. Use tools like ping, telnet, or curl from external hosts. On Cisco, use 'show access-list' to see match counts.

6

Monitor and Adjust

Review the ACL logs and match counters regularly. If a legitimate service is being blocked, you may need to add or modify ACEs. If an attacker is probing, you might add a deny rule for their source IP. Adjust the order if necessary, but remember that editing an existing ACL can be risky; some platforms require removing and reapplying the entire ACL.

7

Document the ACL

Maintain documentation explaining the purpose of each rule, the date created, the author, and any exceptions. This is vital for troubleshooting and compliance audits. Without documentation, future administrators may not know why a rule exists, leading to accidental misconfiguration.

8

Consider Redundancy and Backup

Keep a backup of the ACL configuration. In case of device failure, the ACL configuration can be quickly restored. Also consider using a version control system for configuration files to track changes over time.

Inbound ACL Placement and Direction Logic

An inbound ACL (Access Control List) is a security filter applied to traffic entering a network interface. In Cisco IOS and many other routing platforms, the ACL is applied in the inbound direction, meaning it evaluates packets immediately as they arrive on the interface before any routing decision is made. This placement is critical for security because it allows the router to drop malicious or unwanted traffic before it can consume routing resources or reach internal hosts.

When an inbound ACL is configured on an interface, the router examines the source IP address, destination IP address, protocol, and port numbers against the ACEs (Access Control Entries) in sequential order. The first matching permit or deny statement determines the action. If no match is found, an implicit deny at the end blocks all remaining traffic. This implicit deny is a fundamental concept tested across A+, Network+, Security+, CCNA, and cloud certifications. Cloud providers like AWS, Azure, and GCP implement similar logic but with different names: security groups and network ACLs (NACLs).

Understanding the direction matters because an inbound ACL will not affect outbound traffic on the same interface. For example, if you apply an inbound ACL on a router’s external interface, it only filters traffic coming from the internet into your network. Traffic leaving the network (outbound) would need a separate outbound ACL. This distinction is often tested in CCNA and Network+ scenarios where candidates must decide whether to apply an inbound or outbound ACL based on the desired traffic flow. Another key point: when applying an ACL inbound, the source address is typically the external or untrusted side, and the destination is your internal network. This mirrors the common use case of blocking external hosts from accessing internal services unless explicitly permitted.

In cloud environments, AWS Network ACLs are stateless and require explicit inbound rules for every port and protocol, while security groups are stateful. Inbound ACLs on traditional routers are also stateless unless combined with stateful firewall features. For exam purposes, remember that an inbound ACL is applied before routing, so it cannot filter based on the outgoing interface. This is a common trick question in CCNA and Security+ exams. Inbound ACLs can be used for traffic classification, quality of service marking, or logging, but the primary purpose is security filtering. Proper placement of an inbound ACL at the edge of the network is a best practice to minimize attack surface and reduce unnecessary processing of unwanted traffic.

Sequential Evaluation and ACE Ordering in Inbound ACLs

One of the most critical aspects of inbound ACL configuration is understanding that ACEs are evaluated in sequential order from top to bottom. The first match triggers an immediate action (permit or deny), and no further lines are processed. This sequential nature has profound implications for security and performance, and it is heavily tested in CCNA, Network+, and Security+ exams.

Because evaluation stops at the first match, the order of rules determines which traffic is allowed or blocked. Placing a broad permit statement before a more specific deny rule can inadvertently allow unwanted traffic. For instance, if you have an inbound ACL on a router interface intended to block SSH from a specific host but permit all other traffic, you must place the deny statement for that host before the permit any statement. Otherwise, the packet will match the permit any and never reach the deny rule. This is a classic exam scenario: candidates must recognize that the implicit deny at the end will block all traffic unless there is an explicit permit somewhere. The explicit permit any at the end is common in practice but it reduces security.

Another key concept is the importance of inserting new ACEs at the correct position. In Cisco IOS, ACL lines are numbered or can be edited with sequence numbers. If you add a new rule at the end, it will be evaluated after existing rules. For inbound ACLs, this can be dangerous if the new rule is meant to block a specific threat that might already be permitted by a higher-up rule. Cloud platforms like AWS allow rule numbers to determine priority, with lower numbers evaluated first. In AWS NACLs, rules are evaluated in ascending order by rule number, and the first matching rule determines the outcome. This is analogous to Cisco ACL ordering.

Exams also test the concept of wildcard masks in inbound ACLs. A wildcard mask (inverse subnet mask) is used to match a range of IP addresses. For example, 0.0.0.0 matches all hosts, while 0.0.0.255 matches the last octet. Misconfiguring wildcard masks is a common source of firewall errors. For inbound ACLs, the source address is often specified with a wildcard mask to match external networks. Another exam point: the implicit deny at the end of an ACL is always present even if you don’t see it in the running config. This is why a single permit statement with no explicit permit any will block all other traffic. Understanding this helps troubleshoot connectivity issues after applying an inbound ACL. Logging can be enabled on ACEs to track matches, which is useful for monitoring attacks. The log keyword causes the router to generate a log message for each packet matching that entry. This is a feature that appears in Security+ and CCNA scenario questions.

Common Misconfigurations in Inbound ACLs

Misconfiguring an inbound ACL can lead to either security breaches or complete loss of connectivity. The most frequent mistake is applying the ACL to the wrong interface or direction. For example, applying an inbound ACL that is intended to block external traffic to the internal interface instead of the external interface will have no effect on incoming traffic from the internet-it will only filter traffic entering the internal network from the LAN side. This is a scenario that appears in Network+ and Security+ exams where a technician locks themselves out because they applied the ACL to the wrong interface.

Another common error is forgetting the implicit deny. Many administrators create an inbound ACL with only permit statements for desired services, assuming that all other traffic will be implicitly blocked. While that is technically correct, they often forget to add an explicit deny or permit for management protocols like SSH or SNMP. If the ACL does not include a permit for the administrator’s IP address, the router will block management traffic arriving on that interface. This is a classic cause of being locked out of a remote router-a frequent troubleshooting scenario in CCNA and Azure AZ-104 exams.

Wildcard mask errors are also prevalent. For instance, using a subnet mask instead of a wildcard mask, or miscomputing the wildcard mask to match a specific range. In Cisco IOS, the wildcard mask is the inverse of the subnet mask. For a /24 network, the wildcard mask is 0.0.0.255. Using 255.255.255.0 as a wildcard mask would match no hosts because the bits would need to be inverted incorrectly. This leads to rules that never match, causing traffic to fall through to the implicit deny. Another misconfiguration is placing too many ACEs in a single ACL, which can degrade router performance due to excessive CPU cycles needed to evaluate each packet sequentially.

In cloud environments like AWS, a common misconfiguration is setting inbound NACL rules to allow all traffic from 0.0.0.0/0 but forgetting to also allow ephemeral ports for return traffic, causing connectivity issues. Even though NACLs are stateless, many engineers treat them like stateful security groups. Mixing permit and deny rules in a way that contradicts the security policy is common. For example, denying inbound SSH from a specific IP range but permitting all other IPs-the order must be correct. Exams test this by presenting a list of ACEs and asking which traffic will be blocked or permitted. Another misconfiguration is using the wrong protocol or port number. For instance, using TCP port 443 for HTTPS but the application uses UDP, or vice versa. This is especially relevant for Security+ and AWS SAA exams where protocols like ICMP are often forgotten.

Inbound ACL in Cloud: NACLs vs Security Groups

In cloud computing, inbound ACLs manifest primarily as Network Access Control Lists (NACLs) in AWS, and similar constructs in Azure and GCP. Understanding the distinction between NACLs and security groups is essential for AWS SAA, Azure AZ-104, and Google ACE certifications. NACLs are stateless, meaning they evaluate each packet individually and do not track connection state. This contrasts with security groups, which are stateful-if an outbound traffic is allowed, the return inbound traffic is automatically permitted regardless of inbound rules.

When configuring an inbound NACL in AWS, you must explicitly allow both inbound and outbound rules for traffic to flow correctly. A common exam scenario: a web server is deployed behind an application load balancer. The inbound NACL must allow HTTP/HTTPS traffic from the load balancer's source IP or 0.0.0.0/0, but also the ephemeral ports for return traffic from the load balancer to the server. Many engineers forget to add the ephemeral range (1024-65535) to both inbound and outbound rules, leading to intermittent connectivity. This is a classic AWS SAA question.

In Azure, similar functionality is provided by Network Security Groups (NSGs), which are also stateless or stateful depending on configuration. NSGs can be applied to subnets or network interfaces. For inbound rules, they evaluate traffic based on source IP, destination IP, protocol, and port. The priority of rules determines order-lower numbers are evaluated first. Azure AZ-104 exams often ask about NSG priorities and the inability to deny all traffic using a high-priority rule if a lower-priority rule allows it. GCP firewall rules are also stateful by default but can be configured for ingress (inbound) and egress with priority.

Another critical cloud-specific concept is that NACLs operate at the subnet level, while security groups operate at the instance level. Therefore, an inbound ACL in the form of a NACL can filter traffic before it reaches the instance-level security group. This layered security is a best practice and is tested in all cloud exams. For example, you might have an inbound NACL that blocks all traffic from a specific country’s IP range, while the security group permits HTTP only from a specific source. The ACL evaluation happens first, so the blocked IP never reaches the security group.

For exam preparation, remember that NACLs support allow and deny rules, whereas security groups only support allow rules. This means you can explicitly deny specific IPs using NACLs but not with security groups (unless you use a complicated workaround). This is a high-yield exam point. Also, NACLs are automatically created for every VPC with default rules that allow all inbound and outbound traffic. Changing these defaults is a common step in securing a VPC. Finally, the maximum number of rules per NACL is 20 per direction (inbound/outbound) by default, but can be increased. Understanding these limits helps avoid configuration failures.

Troubleshooting Clues

Locked out of router after applying inbound ACL

Symptom: Administrator cannot SSH or Telnet to the router after applying an inbound ACL to the interface used for management.

The inbound ACL did not include an explicit permit for the administrator's management IP address or for TCP ports 22/23. Because of the implicit deny at the end, all management traffic is blocked.

Exam clue: Exam questions present this scenario and ask to identify that the ACL is missing a permit for the management host. The fix is to add a permit statement before applying the ACL or use a console connection.

ACL not blocking intended traffic

Symptom: Traffic from a blacklisted IP range still reaches internal servers even though an inbound ACL is applied.

The deny statement for that IP range is placed after a permit statement that matches the traffic first. The ACL is evaluated sequentially, so the permit matches and the deny is never reached.

Exam clue: Classic exam trap: given a list of ACEs, identify that the order is wrong. Correct order places more specific denies before broader permits.

Traffic allowed despite explicit deny rule

Symptom: A specific source IP is denied in the ACL, but traffic still passes through.

The ACL might be applied to the wrong interface or direction. For inbound traffic, the ACL must be applied 'in' on the interface where the traffic enters. Alternatively, there may be another ACL on a different interface that permits the traffic.

Exam clue: Network+ and CCNA exams often ask: 'On which interface and direction should you apply the ACL to block traffic from the internet?' The correct answer is the external interface inbound.

Intermittent connectivity to web servers behind an AWS NACL

Symptom: HTTP/HTTPS traffic works initially but then fails after a few seconds, or only some requests succeed.

The inbound NACL allows port 80/443 but the outbound NACL (for return traffic) does not allow ephemeral ports (1024-65535). Since NACLs are stateless, return packets are dropped if outbound rules do not allow the ephemeral source ports.

Exam clue: AWS SAA exam commonly tests this: the fix is to add an outbound rule for ephemeral ports to any destination. The symptom is described as 'intermittent connectivity'.

High CPU usage on router after applying inbound ACL

Symptom: Router CPU spikes to 100% after applying a large ACL with hundreds of ACEs to an inbound interface.

Each packet is evaluated sequentially against many ACEs. With high traffic volumes, the router must process many lookups, consuming CPU cycles.

Exam clue: CCNA and Security+ mention that large ACLs degrade performance. The solution is to use a more specific ACL, reduce the number of ACEs, or use hardware-based ACLs if available.

ACL not applied to all subnets in a VPC

Symptom: Some subnets are protected by the inbound NACL but others are not. Attackers access resources in unprotected subnets.

NACLs are associated with specific subnets. If the NACL is not associated with all subnets, those subnets use the default NACL which allows all inbound traffic.

Exam clue: AWS SAA asks: 'Why is traffic allowed to a subnet even though a restrictive NACL exists?' Answer: The NACL is not associated with that subnet. Always check subnet associations.

Incorrect wildcard mask causing ACL to block all traffic

Symptom: After applying an inbound ACL, no traffic passes, even from legitimate hosts.

The wildcard mask was misconfigured, e.g., using 255.255.255.0 instead of 0.0.0.255. This causes the ACL to match no addresses, so all packets fall to the implicit deny and are dropped.

Exam clue: This is a typical 'why is everything blocked' question. Candidates must calculate the correct wildcard mask. The fix is to correct the mask or use a specific host IP.

Log messages show hits on deny rule but traffic still reaches destination

Symptom: The ACL hit count increments on a deny rule, yet the destination server receives the traffic.

The ACL might be applied to a different interface than the traffic path. The traffic might be entering through a different interface or VLAN where there is no ACL. Or the destination is on the same subnet and does not cross the router interface.

Exam clue: Exam scenario: a deny rule matches on one interface but traffic still gets through. This indicates there is another path or the ACL is on the wrong interface.

Learn This Topic Fully

This glossary page explains what Inbound ACL means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Related Glossary Terms

Quick Knowledge Check

1.An administrator applies the following ACL inbound on a router's external interface: access-list 101 deny tcp any any eq 23 access-list 101 permit ip any any Which statement is true?

2.A network engineer configures an inbound NACL in AWS to allow HTTP (port 80) from 0.0.0.0/0. Users report intermittent connectivity to the web server. What is the most likely cause?

3.Which of the following wildcard masks should be used in an ACL to match the entire 192.168.1.0/24 subnet?

4.An administrator is locked out of a router after applying the following inbound ACL to the management interface: access-list 120 permit tcp any any eq 22 What is the most likely reason?

5.In an AWS VPC, which of the following correctly describes the difference between a Network ACL and a security group?