Network Access Control Lists (NACLs) are stateless, virtual firewalls that control both inbound and outbound traffic at the subnet level within an Amazon VPC. NACLs have separate inbound and outbound rules, and all traffic must be explicitly allowed through the rules. Each rule in a NACL includes a rule number, an action (allow or deny), a protocol, a port range, and a source or destination IP address or CIDR block. Rules are evaluated in ascending order of rule number; the first matching rule is applied and the remaining rules are ignored. By default, each VPC comes with a default NACL that allows all inbound and outbound traffic. NACLs serve as an additional layer of security and can be used in conjunction with security groups to enforce strict network security in your VPC environment.
Guide on Network Access Control Lists (NACLs)
What is a Network Access Control List (NACL)? A Network Access Control List (NACL) is an optional layer of security in Amazon VPC that acts as a firewall controlling traffic in and out of one or more subnets.
Why is it important? It matters because it provides rule-based control of network traffic at the subnet level, which helps keep the connection between your AWS resources and your network secure and private.
How does it work? A NACL contains a numbered list of rules that AWS processes in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the NACL. The rules control both inbound and outbound traffic, and each NACL has separate rule sets for each.
Exam Tips: Answering Questions on Network Access Control Lists (NACLs)
1. Remember that NACLs operate at the subnet level and provide a rule-based system for controlling network traffic.
2. Understand that the lowest-numbered rule is processed first and rules are evaluated in order until a match is found.
3. Be able to differentiate between stateful and stateless. NACLs are stateless, meaning they do not retain information about the traffic. If you have an inbound rule allowing traffic, you need a corresponding outbound rule to allow the response traffic.
4. Be aware that by default, AWS creates a NACL that allows all inbound and outbound traffic. You can customise the NACL by adding rules or modifying existing ones.
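The evaluation behaviour described above (lowest rule number first, first match wins, an implicit final deny, and stateless rules that need a separate outbound rule for the response) can be made concrete with a small simulation. The following Python is an added example written for this guide; it is not part of the original page and not an AWS library. The Rule class, evaluate and connection_allowed functions, and every rule set and address in it are constructed for illustration (using documentation address ranges). The 1024-65535 range is the ephemeral port range AWS documentation recommends allowing for return traffic so that clients on different operating systems are covered.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical model of network ACL evaluation, written for this guide.
# Not an AWS library. Assumptions: rules are checked in ascending rule
# number, the first match wins, and an implicit final "*" rule denies
# anything that no numbered rule matched.

# Range AWS documentation recommends allowing for return traffic so that
# clients on different operating systems (and NAT gateways) are covered.
EPHEMERAL_PORTS = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int        # evaluation order, lowest first
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp", or "-1" for all protocols
    ports: tuple       # inclusive (from, to); ignored when protocol is "-1"
    cidr: str          # source CIDR for inbound rules, destination for outbound


def evaluate(rules, protocol, port, address):
    """Return (rule number, action) of the first matching rule, else ('*', 'deny')."""
    for rule in sorted(rules, key=lambda r: r.number):
        proto_ok = rule.protocol in ("-1", protocol)
        port_ok = rule.protocol == "-1" or rule.ports[0] <= port <= rule.ports[1]
        cidr_ok = ip_address(address) in ip_network(rule.cidr)
        if proto_ok and port_ok and cidr_ok:
            return rule.number, rule.action
    return "*", "deny"  # the implicit catch-all at the end of every NACL


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check: the TCP request (inbound, to server_port) AND the
    response (outbound, back to the client's ephemeral port) must each be
    allowed by their own rule set."""
    _, request = evaluate(inbound, "tcp", server_port, client_ip)
    _, response = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and response == "allow"


# Constructed rule sets (documentation address ranges, not real hosts).
INBOUND = [
    Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    Rule(90, "deny", "tcp", (443, 443), "203.0.113.0/24"),  # lower number: wins
]
INBOUND_DENY_TOO_LATE = [
    Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    Rule(200, "deny", "tcp", (443, 443), "203.0.113.0/24"),  # never reached for 443
]
OUTBOUND_OK = [
    Rule(100, "allow", "tcp", EPHEMERAL_PORTS, "0.0.0.0/0"),
]
OUTBOUND_MIRRORED = [
    # Common mistake: copying the inbound rule verbatim. Responses leave for the
    # client's ephemeral port, not port 443, so this rule never matches them.
    Rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
]


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 443, "203.0.113.5"))                # (90, 'deny')
    print(evaluate(INBOUND_DENY_TOO_LATE, "tcp", 443, "203.0.113.5"))  # (100, 'allow')
    print(evaluate(INBOUND, "tcp", 22, "198.51.100.7"))                # ('*', 'deny')
    print(connection_allowed(INBOUND, OUTBOUND_OK, "198.51.100.7", 51234, 443))        # True
    print(connection_allowed(INBOUND, OUTBOUND_MIRRORED, "198.51.100.7", 51234, 443))  # False
```

The two inbound sets differ only in the number given to the deny rule: numbered 90 it is reached before the broad allow and blocks the 203.0.113.0/24 source, numbered 200 it is never consulted because rule 100 already matched. The two outbound sets show the stateless pitfall from tip 3: mirroring the inbound 443 rule outbound does nothing for responses, which travel to the client's ephemeral port and fall through to the implicit deny.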
AWS Certified Solutions Architect - Network Access Control Lists (NACLs) Example Questions
Test your knowledge of Network Access Control Lists (NACLs)
Question 1
You need to allow HTTPS access to an EC2 instance in an AWS VPC. What should be the configuration of the relevant inbound NACL rule?
Question 2
An EC2 instance in a public subnet has a public IPv4 address, the route table sends 0.0.0.0/0 to an internet gateway, and the security group allows TCP 80/443 from 0.0.0.0/0. Connections from the internet still time out. Focusing only on the network ACL, which misconfiguration would most likely cause the instance to be unreachable?
Question 3
An application is experiencing intermittent connectivity issues, and you suspect the NACL configuration is causing the problem. What should you check in the NACL rules?