Network Access Control Lists (NACLs)
Network Access Control Lists (NACLs) are stateless, virtual firewalls that control both inbound and outbound traffic at the subnet level within an Amazon VPC. NACLs have separate inbound and outbound rules, and all traffic must be explicitly allowed through the rules. Each rule in a NACL includes a rule number, an action (allow or deny), a protocol, a port range, and a source or destination IP address or CIDR block. Rules are evaluated in ascending order of rule number; the first rule that matches the traffic is applied and the remaining rules are ignored. By default, each VPC comes with a default NACL allowing all inbound and outbound traffic. NACLs serve as an additional layer of security and can be used in conjunction with security groups to enforce strict network security in your VPC environment.
Guide on Network Access Control Lists (NACLs)
What is Network Access Control List (NACL)?
A Network Access Control List (NACL) is an optional layer of security in Amazon VPC that acts as a firewall controlling traffic in and out of one or more subnets.
Why is it important?
It is important because it provides rule-based control of network traffic at the subnet level, helping to establish a secure and private connection between AWS resources and your network.
How does it work?
A NACL contains a numbered list of rules that AWS processes in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the NACL. The rules control both inbound and outbound traffic, and each NACL has separate rule sets for each.
Exam Tips: Answering Questions on Network Access Control Lists (NACLs)
1. Remember that NACLs operate at the subnet level and provide a rule-based system for controlling network traffic.
2. Understand that the lowest numbered rule is processed first and rules are evaluated until a match is found.
3. Be able to differentiate between stateful and stateless. NACLs are stateless, meaning they do not retain information about the traffic. If you have an inbound rule allowing traffic, you need a corresponding outbound rule to allow the response traffic.
4. Be aware that by default, AWS creates a NACL that allows all inbound and outbound traffic. You can customise the NACL by adding rules or modifying existing ones.
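The following Python script is an added illustration written for this guide, not code from AWS or from the page's author. It models the two behaviours the tips above describe, ordered first-match evaluation with an implicit final deny, and the stateless handling of request and reply, using constructed rule sets and sample addresses; the rule-set names, the Rule and Packet types and the client port 51234 are assumptions made for the example. It also assumes, as AWS documentation does, that a NACL's port range matches the destination port of the traffic in both directions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One NACL rule. Lower numbers are evaluated first (constructed model)."""
    number: int
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int   # destination port range, inclusive
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules


@dataclass(frozen=True)
class Packet:
    """The fields of a packet a NACL looks at (constructed model)."""
    protocol: str
    port: int        # destination port
    address: str     # source IP (inbound) or destination IP (outbound)


def evaluate(rules: list[Rule], packet: Packet) -> str:
    """Return "allow" or "deny" for one packet against one direction's rule set.

    Rules are walked in ascending rule-number order regardless of list order;
    the first match decides, and anything unmatched hits the implicit "*" deny.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if not (rule.port_from <= packet.port <= rule.port_to):
            continue
        if ipaddress.ip_address(packet.address) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action
    return "deny"


# Constructed inbound rule set for a subnet hosting an HTTPS server.
# Rule 90 is listed second but is evaluated first because of its number.
INBOUND = [
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(90, "deny", "tcp", 0, 65535, "203.0.113.0/24"),
]

# Outbound rule set that only allows port 443: replies to clients never leave.
OUTBOUND_NO_EPHEMERAL = [
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
]

# Corrected outbound rule set: also allows the ephemeral port range clients reply on.
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_NO_EPHEMERAL + [
    Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]


def https_exchange(inbound: list[Rule], outbound: list[Rule],
                   client_ip: str, client_port: int = 51234) -> tuple[str, str]:
    """Evaluate the request and the reply of one HTTPS connection independently,
    exactly as a stateless NACL does. Returns (request_verdict, reply_verdict)."""
    request = Packet("tcp", 443, client_ip)        # inbound: to port 443, from the client
    reply = Packet("tcp", client_port, client_ip)  # outbound: to the client's ephemeral port
    return evaluate(inbound, request), evaluate(outbound, reply)


if __name__ == "__main__":
    # 203.0.113.9 matches rule 90 (deny) before rule 100 (allow) is ever reached.
    print("blocked client:", evaluate(INBOUND, Packet("tcp", 443, "203.0.113.9")))
    # Port 22 matches nothing, so the implicit final rule denies it.
    print("ssh attempt:   ", evaluate(INBOUND, Packet("tcp", 22, "198.51.100.7")))
    # Same request, two outbound rule sets: only the second lets the reply out.
    print("no ephemeral:  ", https_exchange(INBOUND, OUTBOUND_NO_EPHEMERAL, "198.51.100.7"))
    print("with ephemeral:", https_exchange(INBOUND, OUTBOUND_WITH_EPHEMERAL, "198.51.100.7"))
```

Swapping the numbers of the two inbound rules (allow at 100, deny at 110) makes the deny unreachable for port 443 traffic, which is the ordering point from tip 2; the second outbound rule set is the "corresponding outbound rule" from tip 3, opening the 1024-65535 ephemeral range that AWS's own guidance uses for return traffic.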