Network Access Control Lists (NACLs) are a fundamental security layer in Amazon VPC that act as a stateless firewall controlling traffic at the subnet level. Unlike Security Groups that operate at the instance level, NACLs provide an additional layer of defense for your entire subnet.
Key characteristics of NACLs include:
**Stateless Nature**: NACLs evaluate both inbound and outbound traffic separately. If you allow inbound traffic on port 80, you must explicitly allow the corresponding outbound traffic for responses. This differs from Security Groups, which are stateful.
**Rule Evaluation**: Rules are evaluated in numerical order, starting from the lowest number. Once a rule matches traffic, it is applied, and subsequent rules are not evaluated. Best practice suggests numbering rules in increments (e.g., 100, 200, 300) to allow for future insertions.
**Default NACL**: Each VPC comes with a default NACL that allows all inbound and outbound traffic. Custom NACLs deny all traffic by default until rules are added.
**Rule Components**: Each rule specifies a rule number, protocol, port range, source/destination CIDR, and whether to allow or deny traffic.
**Association**: A subnet can only be associated with one NACL at a time, but a single NACL can be associated with multiple subnets.
**Use Cases**: NACLs are ideal for blocking specific IP addresses or ranges at the subnet level, implementing broad network policies, and adding defense-in-depth alongside Security Groups.
**Best Practices**: Use NACLs in conjunction with Security Groups for layered security. Keep rules simple and well-documented. Remember to account for ephemeral ports (typically 1024-65535) when configuring outbound rules for return traffic.
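The three rules that matter most above (first match in ascending rule-number order, stateless evaluation of each direction, implicit deny at the end of a custom NACL) can be checked with a small simulator. The following is an added example written for this page, not AWS code: it models a NACL as two ordered rule lists and judges a TCP request and its response separately, exactly as a stateless filter does. The protocol names, rule numbers, CIDRs and client addresses are constructed; the EC2 API itself uses protocol numbers, and ICMP rules (which match on type/code, not ports) are left out of the model.

```python
"""Stateless NACL evaluator: an added illustration of the rules above, not AWS code.

Protocols are spelled out ("tcp", "udp", "all") for readability; the EC2 API
uses protocol numbers. ICMP rules, which match on type/code rather than ports,
are left out to keep the model small.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Rule:
    number: int       # lowest number is evaluated first; the first match decides
    protocol: str     # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str         # source CIDR on inbound rules, destination CIDR on outbound rules
    action: str       # "allow" or "deny"

    def matches(self, protocol: str, port: int, address: str) -> bool:
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if not self.port_from <= port <= self.port_to:
            return False
        return ip_address(address) in ip_network(self.cidr)


@dataclass
class NetworkAcl:
    inbound: List[Rule] = field(default_factory=list)
    outbound: List[Rule] = field(default_factory=list)

    @staticmethod
    def _verdict(rules: List[Rule], protocol: str, port: int, address: str) -> str:
        # Ascending rule-number order; later rules are never consulted after a match.
        for rule in sorted(rules, key=lambda r: r.number):
            if rule.matches(protocol, port, address):
                return rule.action
        return "deny"  # the catch-all "*" rule: a custom NACL with no rules denies everything

    def evaluate_inbound(self, protocol: str, dst_port: int, src_ip: str) -> str:
        return self._verdict(self.inbound, protocol, dst_port, src_ip)

    def evaluate_outbound(self, protocol: str, dst_port: int, dst_ip: str) -> str:
        return self._verdict(self.outbound, protocol, dst_port, dst_ip)


def tcp_exchange(acl: NetworkAcl, client_ip: str, server_port: int, client_port: int) -> Tuple[str, str]:
    """Verdicts for one request/response pair.

    The request is inbound traffic to server_port from the client; the response is
    outbound traffic to the client's ephemeral port. Because the NACL is stateless,
    the response is judged on its own against the outbound rules, regardless of
    what happened to the request.
    """
    request = acl.evaluate_inbound("tcp", server_port, client_ip)
    response = acl.evaluate_outbound("tcp", client_port, client_ip)
    return request, response


ANY = "0.0.0.0/0"

# Constructed: a custom NACL where only inbound HTTP was opened.
HALF_OPEN = NetworkAcl(inbound=[Rule(100, "tcp", 80, 80, ANY, "allow")])

# Constructed: the same NACL with the outbound ephemeral range added for return traffic.
WEB_ACL = NetworkAcl(
    inbound=[Rule(100, "tcp", 80, 80, ANY, "allow")],
    outbound=[Rule(100, "tcp", 1024, 65535, ANY, "allow")],
)

# Constructed: a deny rule numbered below the allow rule, so it wins for that range.
BLOCKLIST_ACL = NetworkAcl(
    inbound=[Rule(50, "tcp", 80, 80, "203.0.113.0/24", "deny"),
             Rule(100, "tcp", 80, 80, ANY, "allow")],
    outbound=[Rule(100, "tcp", 1024, 65535, ANY, "allow")],
)

if __name__ == "__main__":
    for name, acl in [("half-open", HALF_OPEN), ("web", WEB_ACL), ("blocklist", BLOCKLIST_ACL)]:
        print(name, "client 198.51.100.10:", tcp_exchange(acl, "198.51.100.10", 80, 40000))
        print(name, "client 203.0.113.7:", tcp_exchange(acl, "203.0.113.7", 80, 40000))
```

Running it shows the half-open NACL accepting the request but dropping the response (the classic "web server does not respond" symptom), the completed NACL passing both, and the blocklist NACL rejecting the request from 203.0.113.7 because rule 50 is consulted before rule 100. Note that the blocklisted client's response direction still reads "allow": the outbound list knows nothing about the inbound decision, which is what stateless means in practice.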
For the SysOps exam, understand the differences between NACLs and Security Groups, and know how to troubleshoot connectivity issues related to NACL configurations.
Network Access Control Lists (NACLs) are an optional layer of security for your Amazon VPC that acts as a firewall for controlling traffic in and out of one or more subnets. They operate at the subnet level and provide stateless filtering of network traffic.
Why are Network ACLs Important?
Network ACLs are crucial for several reasons:
• Defense in Depth: They provide an additional layer of security beyond Security Groups
• Subnet-Level Protection: They protect all resources within a subnet simultaneously
• Explicit Deny Capability: Unlike Security Groups, NACLs can explicitly deny specific traffic
• Compliance Requirements: Many compliance frameworks require multiple layers of network security
How Network ACLs Work
Key Characteristics:
• Stateless: Return traffic must be explicitly allowed by rules (both inbound AND outbound rules required)
• Rule Evaluation: Rules are evaluated in order, starting with the lowest numbered rule
• Rule Numbers: Range from 1 to 32766; lower numbers have higher priority
• Default NACL: Allows all inbound and outbound traffic by default
• Custom NACL: Denies all inbound and outbound traffic by default until rules are added
• Association: Each subnet must be associated with exactly one NACL; a NACL can be associated with multiple subnets
Rule Components:
• Rule number (priority)
• Protocol (TCP, UDP, ICMP, etc.)
• Port range
• Source/Destination CIDR
• Allow or Deny action
Network ACLs vs Security Groups
Network ACLs:
• Operate at subnet level
• Stateless (return traffic must be allowed)
• Support allow AND deny rules
• Rules processed in numerical order
• Apply to all instances in the subnet

Security Groups:
• Operate at instance level
• Stateful (return traffic automatically allowed)
• Support allow rules only
• All rules evaluated before decision
• Must be explicitly associated with instances
Ephemeral ports (typically 1024-65535, as noted above) must be allowed in outbound rules for responses to reach clients.
Exam Tips: Answering Questions on Network ACLs
Remember These Key Points:
1. Stateless Nature: If a question mentions that return traffic is being blocked, think NACL outbound rules. Both inbound AND outbound rules are required for successful communication.
2. Rule Order Matters: Lower rule numbers are evaluated first. If rule 100 allows traffic but rule 50 denies it, the traffic will be denied.
3. Default Behaviors:
   • Default NACL = allows all traffic
   • Custom NACL = denies all traffic
4. Subnet Association: One subnet can only have one NACL at a time, but one NACL can cover multiple subnets.
5. Blocking Specific IPs: When asked about blocking a specific IP address or range, NACLs are the answer because they support explicit deny rules.
6. Ephemeral Ports: Questions about web servers not responding often relate to ephemeral ports not being allowed in NACL outbound rules.
7. Troubleshooting Scenarios: If traffic works in one direction but not the other, suspect NACL rules due to their stateless nature.
8. Layer of Operation: NACLs work at Layer 3/4 (Network/Transport) and cannot inspect application-layer content.
Common Exam Scenarios:
• Blocking malicious IP addresses → Use NACL deny rule
• Traffic blocked after creating custom NACL → Add allow rules (custom NACLs deny by default)
• Responses not reaching clients → Check outbound rules and ephemeral ports
• Need to allow specific traffic to entire subnet → Configure NACL rules
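The "responses not reaching clients" scenario, together with the ephemeral-port point above, can be checked against a real NACL rather than reasoned about from memory. The following is an added example written for this page, not an AWS tool: it audits the egress entries of a NACL in the JSON shape that `aws ec2 describe-network-acls` returns (one element of `NetworkAcls`, where `Protocol` "6" is TCP, "-1" is all protocols, and rule number 32767 is the catch-all "*" deny that ends every NACL) and reports which part of the ephemeral range cannot carry return traffic to a given client CIDR. The NACL id, rule numbers and CIDRs in the sample are constructed; the 1024-65535 range is the one the page cites, and the function takes the real client range as a parameter because it depends on the client's operating system.

```python
"""Audit a NACL's egress rules for blocked return traffic.

Added example for the troubleshooting scenarios above; it is not an AWS tool.
It reads the JSON shape produced by `aws ec2 describe-network-acls` (one element
of "NetworkAcls"): Protocol "6" is TCP, "-1" is all protocols, and rule number
32767 is the catch-all "*" deny that every NACL ends with.
"""
import copy
from ipaddress import ip_network
from typing import Dict, List, Tuple

EPHEMERAL = (1024, 65535)   # range cited above; the exact range depends on the client OS
CATCH_ALL = 32767           # rule number of the implicit "*" deny in API output

# Constructed sample: inbound HTTP is allowed, but outbound only mirrors port 80,
# so responses to the clients' ephemeral ports never leave the subnet. Rule 150
# additionally denies a slice of the ephemeral range for one client network.
WEB_SUBNET_ACL = {
    "NetworkAclId": "acl-0constructed0000000",
    "Entries": [
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
        {"RuleNumber": CATCH_ALL, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": True,
         "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
        {"RuleNumber": 150, "Protocol": "6", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "203.0.113.0/24", "PortRange": {"From": 1024, "To": 1100}},
        {"RuleNumber": CATCH_ALL, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
         "CidrBlock": "0.0.0.0/0"},
    ],
}

Interval = Tuple[int, int]


def _subtract(intervals: List[Interval], lo: int, hi: int) -> Tuple[List[Interval], List[Interval]]:
    """Remove the closed range [lo, hi] from disjoint intervals; return (remaining, removed)."""
    remaining, removed = [], []
    for a, b in intervals:
        if hi < a or lo > b:            # no overlap with this interval
            remaining.append((a, b))
            continue
        removed.append((max(a, lo), min(b, hi)))
        if a < lo:
            remaining.append((a, lo - 1))
        if b > hi:
            remaining.append((hi + 1, b))
    return remaining, removed


def audit_return_traffic(acl: Dict, client_cidr: str, ephemeral: Interval = EPHEMERAL) -> List[str]:
    """List the parts of the ephemeral range that egress rules block toward client_cidr.

    Walks egress TCP/all-protocol rules in ascending rule-number order, exactly as the
    NACL evaluates them, so an early deny shadows a later allow. IPv6 entries are skipped.
    """
    client = ip_network(client_cidr)
    unresolved: List[Interval] = [ephemeral]   # ports no rule has decided yet
    denied: List[Tuple[int, int, int]] = []
    for entry in sorted(acl["Entries"], key=lambda e: e["RuleNumber"]):
        if not entry["Egress"] or entry["Protocol"] not in ("6", "-1"):
            continue
        cidr = entry.get("CidrBlock")
        if cidr is None or not ip_network(cidr).supernet_of(client):
            continue
        ports = entry.get("PortRange", {"From": 0, "To": 65535})   # "-1" entries carry no PortRange
        unresolved, hit = _subtract(unresolved, ports["From"], ports["To"])
        if entry["RuleAction"] == "deny":
            denied.extend((entry["RuleNumber"], lo, hi) for lo, hi in hit)
        if not unresolved:
            break
    findings = []
    for number, lo, hi in denied:
        if number == CATCH_ALL:
            findings.append(f"TCP {lo}-{hi} to {client_cidr} falls through to the catch-all deny rule (*)")
        else:
            findings.append(f"egress rule {number} explicitly denies TCP {lo}-{hi} to {client_cidr}")
    for lo, hi in unresolved:
        findings.append(f"no egress rule covers TCP {lo}-{hi} to {client_cidr} (implicit deny)")
    return findings


def with_ephemeral_egress(acl: Dict, rule_number: int = 200, cidr: str = "0.0.0.0/0") -> Dict:
    """Return a copy of the ACL with an egress allow rule for the ephemeral range.

    The default rule number sits between the existing rules and the catch-all,
    following the "leave gaps between numbers" practice described above.
    """
    fixed = copy.deepcopy(acl)
    fixed["Entries"].append({"RuleNumber": rule_number, "Protocol": "6", "RuleAction": "allow",
                             "Egress": True, "CidrBlock": cidr,
                             "PortRange": {"From": EPHEMERAL[0], "To": EPHEMERAL[1]}})
    return fixed


if __name__ == "__main__":
    for finding in audit_return_traffic(WEB_SUBNET_ACL, "0.0.0.0/0"):
        print("before:", finding)
    repaired = with_ephemeral_egress(WEB_SUBNET_ACL)
    print("after, any client:", audit_return_traffic(repaired, "0.0.0.0/0"))
    print("after, 203.0.113.0/24:", audit_return_traffic(repaired, "203.0.113.0/24"))
```

Against the sample, the audit for clients anywhere reports the whole 1024-65535 range falling through to the catch-all deny; after `with_ephemeral_egress` appends rule 200 the report is empty for arbitrary clients, but for 203.0.113.0/24 it still flags ports 1024-1100, because rule 150 is evaluated before rule 200 and wins for that slice. That last case is the rule-order trap from the exam tips showing up in a real rule set: adding an allow rule does not help if a lower-numbered deny already matched.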