Issue resolved.
It turned out the problem of precedence was not directly due to the Network ACL configuration but instead the configuration of the network (in terms of subnet arrangement) as well as the need to set up the Web Server and Compute Headnode to perform NAT between the different subnets.
With regards to the subnet arrangement it would seem, from closer inspection of the AWS documentation, that one has to set up such a network as follows:
- Subnet 1: For the external connection to the Web Server (in my case 10.0.1.0/24). This subnet was configured to route 0.0.0.0/0 to an internet gateway.
- Subnet 2: For the machines not directly connected to an external connection, excluding worker nodes (in my case 10.0.2.0/24). This subnet was configured to route 0.0.0.0/0 to a secondary network interface on the Web Server (within the subnet). The Web Server was then configured to perform NAT between its 10.0.2.0/24 and 10.0.1.0/24 interfaces.
- Subnet 3: For the worker nodes only (in my case 10.0.3.0/24). This subnet was configured to route 0.0.0.0/0 to a secondary network interface on the Compute Headnode. The Compute Headnode was then configured to perform NAT between its 10.0.3.0/24 and 10.0.2.0/24 interfaces.
I was then able to restrict traffic between these subnets to enforce the NAT hierarchy as follows using the Network ACLs for both incoming and outgoing data:
- Subnet 1:

| Rule # | Type | Protocol | Port Range | Source/Destination | Allow/Deny |
|---|---|---|---|---|---|
| 90 | ALL Traffic | ALL | ALL | 10.0.2.0/24 | DENY |
| 91 | ALL Traffic | ALL | ALL | 10.0.3.0/24 | DENY |
| 100 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | |

- Subnet 2:

| Rule # | Type | Protocol | Port Range | Source/Destination | Allow/Deny |
|---|---|---|---|---|---|
| 90 | ALL Traffic | ALL | ALL | 10.0.1.0/24 | DENY |
| 91 | ALL Traffic | ALL | ALL | 10.0.3.0/24 | DENY |
| 100 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | |

- Subnet 3:

| Rule # | Type | Protocol | Port Range | Source/Destination | Allow/Deny |
|---|---|---|---|---|---|
| 90 | ALL Traffic | ALL | ALL | 10.0.1.0/24 | DENY |
| 91 | ALL Traffic | ALL | ALL | 10.0.2.0/24 | DENY |
| 100 | ALL Traffic | ALL | ALL | 0.0.0.0/0 | |
As I wanted to use FreeBSD rather than Linux for my EC2s I had quite a few headaches getting the required NAT instances set up.
I eventually found a very helpful guide to doing this in the November 2012 issue of FreeBSD Magazine. Whilst some of the configuration steps in this were no longer required for the latest FreeBSD AMIs detailed on Daemonology.net, the basic configuration steps haven't changed since publication.
I imagine anyone looking to do something similar using Linux AMIs for NAT would find the process a little easier but as I've not tried I can't say for sure.
Anyway, I hope this helps anyone having similar issues.
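The Network ACL tables in the answer above, modelled as an added example (not the poster's configuration) to show how AWS decides precedence: rules are evaluated in ascending rule-number order, the first match wins, and unmatched traffic falls through to the implicit `*` DENY. It assumes rule 100 is the catch-all ALLOW (the answer lists no action for it) and uses constructed probe addresses.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the three NACLs above; each rule is (number, CIDR, action).
# Assumption: rule 100 (0.0.0.0/0) is the catch-all ALLOW, which the post omits.
NACLS = {
    "subnet1": [(90, "10.0.2.0/24", "deny"), (91, "10.0.3.0/24", "deny"),
                (100, "0.0.0.0/0", "allow")],
    "subnet2": [(90, "10.0.1.0/24", "deny"), (91, "10.0.3.0/24", "deny"),
                (100, "0.0.0.0/0", "allow")],
    "subnet3": [(90, "10.0.1.0/24", "deny"), (91, "10.0.2.0/24", "deny"),
                (100, "0.0.0.0/0", "allow")],
}

SUBNETS = {"subnet1": "10.0.1.0/24", "subnet2": "10.0.2.0/24", "subnet3": "10.0.3.0/24"}


def evaluate(rules, address):
    """Return (matched rule number, action) for a packet from/to `address`.
    Rules are sorted by number, so precedence is decided by the number alone,
    not by the order in which the rules were entered in the console."""
    addr = ip_address(address)
    for number, cidr, action in sorted(rules):
        if addr in ip_network(cidr):
            return number, action
    return "*", "deny"  # implicit final rule of every NACL


def hierarchy_violations(nacls):
    """List (subnet, peer address) pairs where a subnet's NACL would let traffic
    from another subnet through directly, bypassing the NAT hops."""
    violations = []
    for name, rules in nacls.items():
        for peer, cidr in SUBNETS.items():
            if peer == name:
                continue  # intra-subnet traffic never crosses a NACL
            probe = str(ip_network(cidr)[10])  # constructed host in the peer subnet
            if evaluate(rules, probe)[1] == "allow":
                violations.append((name, probe))
    return violations


if __name__ == "__main__":
    print(evaluate(NACLS["subnet1"], "10.0.2.10"))    # (90, 'deny')
    print(evaluate(NACLS["subnet1"], "203.0.113.5"))  # (100, 'allow')
    # Numbering the deny after the catch-all makes it unreachable:
    bad = [(100, "0.0.0.0/0", "allow"), (110, "10.0.2.0/24", "deny")]
    print(evaluate(bad, "10.0.2.10"))                 # (100, 'allow')
    print(hierarchy_violations(NACLS))                # []
```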