diff --git a/builder/cloudstack/config.go b/builder/cloudstack/config.go
index 7a617c6cd..b0c338272 100644
--- a/builder/cloudstack/config.go
+++ b/builder/cloudstack/config.go
@@ -40,6 +40,8 @@ type Config struct {
 	PublicIPAddress      string   `mapstructure:"public_ip_address"`
 	SecurityGroups       []string `mapstructure:"security_groups"`
 	ServiceOffering      string   `mapstructure:"service_offering"`
+	CreateNetworkACL     bool     `mapstructure:"create_network_acl"`
+	CreateFirewallRule   bool     `mapstructure:"create_firewall_rule"`
 	SourceISO            string   `mapstructure:"source_iso"`
 	SourceTemplate       string   `mapstructure:"source_template"`
 	TemporaryKeypairName string   `mapstructure:"temporary_keypair_name"`
diff --git a/builder/cloudstack/step_configure_networking.go b/builder/cloudstack/step_configure_networking.go
index 4dba63ef7..ccda39107 100644
--- a/builder/cloudstack/step_configure_networking.go
+++ b/builder/cloudstack/step_configure_networking.go
@@ -117,7 +117,7 @@ func (s *stepSetupNetworking) Run(_ context.Context, state multistep.StateBag) m
 	// Store the port forward ID.
 	state.Put("port_forward_id", forward.Id)
 
-	if network.Vpcid != "" {
+	if network.Vpcid != "" && config.CreateNetworkACL {
 		ui.Message("Creating network ACL rule...")
 
 		if network.Aclid == "" {
@@ -149,7 +149,7 @@ func (s *stepSetupNetworking) Run(_ context.Context, state multistep.StateBag) m
 
 		// Store the network ACL rule ID.
 		state.Put("network_acl_rule_id", aclRule.Id)
-	} else {
+	} else if config.CreateFirewallRule {
 		ui.Message("Creating firewall rule...")
 
 		// Create a new parameter struct.