---
title: Network ACLs should enforce outbound traffic restrictions
description: Datadog, the leading service for cloud-scale monitoring.
breadcrumbs: >-
  Docs > Datadog Security > OOTB Rules > Network ACLs should enforce outbound
  traffic restrictions
---

# Network ACLs should enforce outbound traffic restrictions
## Description{% #description %}

Check AWS Network Access Control Lists (NACLs) for outbound (egress) allow rules that span many ports, and limit outbound traffic to the specific port range that is actually required.

## Rationale{% #rationale %}

Reduce the risk of unauthorized outbound access by allowing egress only on a specified port range instead of on every port.

## Remediation{% #remediation %}

### From the console{% #from-the-console %}

Follow the [Adding and deleting rules](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#Rules) docs to limit egress (outbound) traffic based on port range.

### From the command line{% #from-the-command-line %}

1. Run `replace-network-acl-entry` to replace the existing egress rule with one that allows only a specific port range. The rule number must match the entry being replaced, and `--cidr-block` (or `--ipv6-cidr-block`) is required.

In the `replace-network-acl-entry.sh` file:

   ```bash
   # Values below are placeholders: substitute your NACL ID, the rule number of the
   # egress entry being replaced, the destination CIDR, and the port range to allow.
   aws ec2 replace-network-acl-entry \
       --network-acl-id id-01234567 \
       --egress \
       --rule-number 02 \
       --protocol tcp \
       --cidr-block 0.0.0.0/0 \
       --port-range From=000,To=000 \
       --rule-action allow
   ```
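To see which entries this rule would flag before running the remediation, here is an added Python check (not Datadog's or AWS's own code) over the JSON shape returned by `aws ec2 describe-network-acls`. The sample ACL and the `max_width` threshold are constructed assumptions.

```python
import json
import sys
from typing import Dict, List, Tuple

def is_broad_egress_allow(entry: Dict, max_width: int = 65536) -> bool:
    """True for an egress ALLOW entry that does not limit ports to a specific range.

    Protocol "-1" (all protocols) has no PortRange and is always broad. For TCP
    ("6") and UDP ("17") a missing PortRange, or one spanning at least max_width
    ports, is broad; the default max_width only flags the full 0-65535 range
    (assumed threshold). ICMP and other portless protocols are not flagged.
    """
    if not entry.get("Egress") or entry.get("RuleAction") != "allow":
        return False  # inbound rules and deny rules (incl. the default 32767 deny)
    proto = str(entry.get("Protocol"))
    if proto == "-1":
        return True
    if proto not in ("6", "17"):
        return False
    pr = entry.get("PortRange")
    return pr is None or (pr["To"] - pr["From"] + 1) >= max_width

def find_broad_egress_rules(acls: List[Dict], max_width: int = 65536) -> List[Tuple[str, int]]:
    """Return (NetworkAclId, RuleNumber) for every broad egress allow entry."""
    return [(acl["NetworkAclId"], e["RuleNumber"])
            for acl in acls for e in acl.get("Entries", [])
            if is_broad_egress_allow(e, max_width)]

# Constructed sample, shaped like the "NetworkAcls" list from describe-network-acls.
SAMPLE_ACLS = [{"NetworkAclId": "acl-0example", "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 443, "To": 443}},   # specific: ok
    {"RuleNumber": 110, "Protocol": "-1", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},                                           # all protocols
    {"RuleNumber": 120, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},   # all TCP ports
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 0, "To": 65535}},   # inbound: out of scope
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "0.0.0.0/0"},                                           # default deny
]}]

if __name__ == "__main__":
    # Usage: python check_nacl_egress.py [describe-network-acls.json]; no file = sample.
    acls = json.load(open(sys.argv[1]))["NetworkAcls"] if len(sys.argv) > 1 else SAMPLE_ACLS
    for acl_id, rule in find_broad_egress_rules(acls):
        print(f"{acl_id}: egress rule {rule} allows an unrestricted port range")
```

Pass a lower `max_width` (for example 1024) to also flag wide but not all-port ranges; NACL entries are evaluated in rule-number order, so a broad allow with a low number overrides any later restriction.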
