Required Network ACL outbound rules with no 0.0.0.0/0

Would you please clarify what you are trying to accomplish. You mentioned not being able to use DNS names in NACLs, which is correct, but also that your solution was to use ALB IP ranges.

If you're trying to restrict access to your EC2 instance from your ALB residing in the same VPC? If so, the correct solution is to create one security group for the ALB and a second security group for the EC2 instance.

In the inbound/ingress rules of the ALB, you should allow access to the listener port(s) of the ALB (such as tcp/443 and tcp/80) from the public internet (0.0.0.0/0) or a more specific range, such as your on-premises corporate network's IP range, and in the outbound/egress rules of the ALB's security group, you allow the relevant target port (such as tcp/443 or tcp/8080) towards the security group of the EC2 instance.

In the inbound/ingress rules of the security group of the EC2 instance, you should allow the ports that the ALB uses to connect to the server (such as tcp/443 or tcp/8080) from the ALB's security group and not from 0.0.0.0/0 or any other IP CIDR. In the outbound/egress rules of the EC2 instance, you would typically allow all traffic to 0.0.0.0/0, or at least tcp/443, udp/443, and tcp/80, so that at least basic HTTPS connections would work, unless you have a proxy server or similar middlebox solution through which outbound internet access is arranged.

Security groups process traffic in a stateful manner, so you do not need to permit any outbound rules to allow return traffic in the outbound direction for connections that have been permitted in the inbound direction by the security group rules. You should, however, allow ICMP type 3 (all codes) traffic in the inbound direction explicitly from all potential client and intermediate router networks, so that "fragmentation needed" and other essential control messages reach the ALB. Such messages are typically sent by intermediate network devices and not the final client or server device, and that's why they usually are best to allow from all potential networks, such as 0.0.0.0/0 for an internet-facing ALB.

NACLs aren't needed to control access, when the appropriate controls are enforced in security group rules.

I need clarification on whether this is an outbound or inbound traffic scenario. Your subject line mentions outbound traffic, but all the services you've discussed (ALB, NLB, CloudFront, etc.) are typically used for inbound traffic management.

If this is for outbound traffic:

• The provided answers would be appropriate
• A reverse proxy would be recommended if you need to restrict by DNS names

If this is for inbound traffic:

• AWS WAF provides a much more elegant and manageable solution for controlling access to your Application Load Balancer (ALB).

AWS WAF operates at the application layer and integrates natively with Application Load Balancers, allowing you to create sophisticated rules based on IP addresses, geographic locations, request patterns, and other criteria without the limitations imposed by network-level access control lists. This approach eliminates the need to track and update dynamic ALB IP ranges while maintaining strict compliance with your security requirements.

Architectural Benefits with Load Balancing When implementing WAF with your ALB architecture, you'll benefit from AWS's recommended approach of using Elastic Load Balancing to distribute traffic across multiple EC2 instances in multiple AZs, which improves availability and scalability while reducing the risk of overloading any single instance. This multi-AZ deployment strategy, combined with WAF's traffic filtering capabilities, provides both security compliance and operational resilience.

Capacity Management Considerations For predictable performance during traffic spikes, consider that Elastic Load Balancing has a starting point for its initial capacity and scales up or down based on traffic. If you anticipate sudden traffic increases, AWS recommends configuring traffic to increase at no more than 50 percent over a five-minute interval, using either a stair-step approach or gradual curve.

For customers requiring guaranteed minimum capacity, AWS offers Provisioned Capacity, which enables you to configure a minimum Load Balancer Capacity Unit (LCU) for your ALB via the ELB API. This feature allows you to set a capacity floor in LCUs for your load balancer, ensuring it won't scale under the configured size regardless of usage.

Implementation Strategy Combining WAF with your existing ALB infrastructure provides the security control you need without the operational complexity of NACL management. WAF rules can be updated dynamically through APIs or the console, making it much easier to maintain than static NACL entries that require manual updates when ALB IP ranges change.

This approach aligns with AWS best practices for both security and scalability, providing a production-ready solution that meets your security guidelines while maintaining operational simplicity and supporting your application's growth requirements.