As the requirements on network configurations increase, so does the potential for security breaches and outages. Cloud-based networks simplify the task of network configuration, but network engineers still must manually configure an appropriate access-control policy, using the same low-level configurations as in physical networks. Small errors or omissions in these access-control lists can violate critical security and availability requirements. We propose proactive, exhaustive validation of access-control configurations for cloud networks. Unlike network testing or monitoring, such validation occurs offline, before the configurations are installed in a live network, and validation is complete, reasoning about all possible packets to ensure that the network provably meets its intended policy. This work leverages and extends Intentionet's Sage technology for proactive network configuration validation, originally developed by leading researchers and now in use at Fortune 500 companies. The result is a fundamentally new set of capabilities for the network engineer and operator. Engineers can validate the correctness of both new networks and configuration updates to existing networks offline and then rapidly deploy with confidence. They can also validate "what-if" scenarios in advance, for example to ensure that an attack response plan or disaster recovery plan will provably meet necessary security requirements.

cloud networks, access control, network security, network availability, network configuration validation