# Mastering ACLs in Netmaker ![](/files/283ed9d2bb40c73adc4cecad1f3d03f02c704baa) When you first spin up a network in Netmaker every node can reach every other node. That “full mesh” is great for a lab, but it is too trusting for production. A single mis-configured service can expose the whole overlay. That is where Access Control Lists (ACLs) step in. The ACL engine lets you decide — at packet speed — who may talk to whom, without touching raw [WireGuard](https://www.wireguard.com/) configs. In this guide you will learn how the pieces fit together and how to move from an open mesh to a network that shares only what it must. {% hint style="info" %} Fortify Your Network Security Sign up for a 2-week free trial and experience seamless remote access for easy setup and full control with Netmaker. [Get Started Free](https://account.netmaker.io/signup) [Browse Solutions](https://www.netmaker.io/solutions/remote-access) {% endhint %} *** ## The core idea: allow what you need, deny the rest The ACL screen in the [Netmaker Admin UI](https://learn.netmaker.io/features/acls-access-controls) shows every pair of peers as a switch you can flip. Behind the UI, Netmaker writes new peer sections into each node’s WireGuard interface, then distributes them over MQTT, so changes reach the edge in seconds. Because ACLs apply on every host, they work even when routes change or relays hide the real endpoint. ![](/files/1589bf1ebcb5d5403e9861e8a672dceeb7759863) *** ## Two policy types, one goal If you use Netmaker Pro you also get the [new ACL engine](https://learn.netmaker.io/features/acls-access-controls). It adds **user policies** (what a person can touch) and **resource policies** (what a device can reach). Think of user policies as badges at the door and resource policies as locks between rooms. The split lets you grant a DevOps engineer SSH to a database without opening the database to every VM in the subnet. *** ## Default rules that save you from yourself Every fresh network ships with four default rules - All Nodes, All Users, All Remote Access Gateways and Network Admin - so the mesh is usable before you start hardening it. Delete or disable those rules the moment you are ready to shape traffic. On top of network-wide defaults, each node carries its own **node-level default**. Set a sensitive server to “deny” and it will ignore unsolicited peers even if the network default is “allow”. Flip the logic for a jump-box: mark it “allow” in an otherwise locked-down network and every laptop can route through it. ![](/files/e454809e9d931efb5cab6048c7a9f8f32098c011) *** ## A first rule in practice Suppose you have created a network in the [setup wizard](https://docs.netmaker.io/docs/netmaker-network-setup-concepts/1-create-networks) and installed [netclient](https://docs.netmaker.io/docs/client-installation/netclient) on two VMs. You want the app server to reach the database, but nothing else to talk to the database. In the ACL tab pick the app server as source and the database as destination, click **Enable**, and save. Netmaker pushes an update; seconds later the app works, a ping from anywhere else times out. Prefer the command line? `nmctl acl allow mynet app-id db-id` does the same thing. The CLI is handy for CI pipelines or when the UI is behind a jump host. *** ## Taming scale with tags Manually listing every node pair gets old fast. Tags fix that. With [tag management](https://docs.netmaker.io/docs/features/tag-management-pro) you label nodes “prod”, “dev”, or “web-tier” during enrollment, then write a single rule that says “prod ↔ db” and never touch it again. Tags travel with the node, so a container rebuilt by your orchestrator inherits its old privileges the moment it rejoins the mesh. ![](/files/e941664919833a4d9a963a8df82ed70fa7822348) *** ## Gateways, relays and ACLs Mesh networking is rarely flat. A host behind carrier-grade NAT may need a [relay server](https://docs.netmaker.io/docs/features/relay-servers-pro); road warriors will pass through an [internet gateway](https://docs.netmaker.io/docs/features/internet-gateways-pro). ACLs sit above all that plumbing. Whether traffic is direct, relayed or full-tunnelled, the kernel still checks the peer list generated by the ACL engine before a byte crosses the interface. *** ## Observe and iterate Good policies start simple and tighten over time. Netmaker Pro gives you [traffic analytics](https://docs.netmaker.io/docs/features/analytics-pro) so you can watch which peers actually exchange data. Drop an unused rule and confirm that bytes stop flowing; if an alert fires, re-enable with one click. *** ## Automate everything Policies live in the server database, so you can script them. The [REST API](https://docs.netmaker.io/api) exposes every ACL endpoint. Check your rules into Git, lint them in CI, then call the API from your deploy job. For local experiments, the [nmctl](https://docs.netmaker.io/docs/client-installation/advanced-netclient-installation) binary is enough. *** ## Bring people on board safely Before you invite colleagues, review [user roles](https://docs.netmaker.io/docs/features/user-management-pro) and the [grant-access guide](https://docs.netmaker.io/docs/operations-guide/granting-access-to-your-vpn). Give admins the keys to the ACL page; give regular users a Remote Access Gateway that is already fenced off. If you need extra isolation, create a second network as shown in the [network setup overview](https://docs.netmaker.io/docs/netmaker-network-setup-concepts/0-overview) and keep production apart from staging. *** ## Next steps * Try the [full-mesh tutorial](https://learn.netmaker.io/how-to-guides/how-to-setup-a-full-mesh-site-to-site-vpn-with-netmaker) to see ACLs in a multi-site scenario. * Browse the complete [features list](https://learn.netmaker.io/features) to learn what else you can layer on top. * Pull the [Netmaker source](https://github.com/gravitl/netmaker) or the [netclient source](https://github.com/gravitl/netclient) if you want to audit the code that writes your rules. * When you are ready for production support, start a [free trial](https://account.netmaker.io/signup). ACLs do not add complexity; they remove uncertainty. Start with one rule, watch the effect, and keep going until every packet has a purpose. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://learn.netmaker.io/how-to-guides/mastering-acls-in-netmaker.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.