Network Access Control Lists (NACLs)
- Default NACLs allow all Inbound / Outbound traffic.
- Custom NACLs by default deny all Inbound / Outbound traffic.
- Stateless firewall
- A newly created custom NACL denies all inbound and outbound traffic by default
- Each subnet in a VPC must be associated with a NACL
- Numbered list of rules evaluated in order, starting with the lowest-numbered rule; the first matching rule decides whether traffic is allowed into or out of the subnets associated with that NACL
- The highest rule number is 32766
- Start numbering rules at 100 and leave gaps between rule numbers so you can insert rules later if needed
- NACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic
- The Default NACL will allow ALL traffic in and out by default
- Custom NACLs by default will deny all inbound and outbound traffic until allow rules are added
- You must assign a NACL to each subnet; if a subnet is not associated with a NACL, it will allow no traffic in or out
- NACL rules are stateless: an allowed inbound connection does not automatically create a matching outbound rule for its return traffic
- A subnet can be associated with only a single NACL at a time
- When you associate a NACL with a subnet, any previous associations are removed
- You can associate a single NACL with multiple subnets
- Each subnet in your VPC must be associated with a NACL. If you don’t explicitly associate a subnet with an ACL, the subnet automatically gets associated with the default ACL
- You can block IP addresses using NACLs not Security Groups
- One NACL can be associated with multiple subnets
- But one subnet can only be associated with a single NACL
- NACLs contain numbered rules evaluated in order, starting from the lowest-numbered one.
- NACLs are stateless: responses to allowed inbound traffic are still subject to the outbound rules.
- Ideally, only ephemeral ports should be allowed in outbound traffic, so that return traffic for allowed inbound connections can leave the subnet.
- Block IP addresses using NACLs, not security groups.
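The rule-ordering and statelessness points above are easy to get wrong when writing real NACLs, so here is a small simulator of the evaluation logic as an added example (this is not AWS code and not taken from the original notes). It models a NACL as numbered allow/deny rules checked from the lowest number upward with first-match-wins and a catch-all deny, and then shows two things the notes describe: a reply to an allowed inbound connection is dropped unless an outbound rule covers the client's ephemeral port, and a deny rule only takes effect if its number is lower than the allow it is meant to override. The rule sets, IP addresses and ports are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

MAX_RULE_NUMBER = 32766  # highest rule number a NACL accepts; the '*' rule after it denies everything


@dataclass(frozen=True)
class Rule:
    number: int
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int  # destination port range the rule covers
    port_to: int
    action: str     # "allow" or "deny"

    def matches(self, protocol, remote_ip, dst_port):
        if self.protocol not in ("all", protocol):
            return False
        if ip_address(remote_ip) not in ip_network(self.cidr):
            return False
        return self.port_from <= dst_port <= self.port_to


def evaluate(rules, protocol, remote_ip, dst_port):
    """Return 'allow' or 'deny' for one packet.

    Rules are checked from the lowest number upward and the first match decides;
    a packet that matches no numbered rule falls through to the '*' deny rule.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if not 1 <= rule.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number {rule.number} outside 1..{MAX_RULE_NUMBER}")
        if rule.matches(protocol, remote_ip, dst_port):
            return rule.action
    return "deny"


def tcp_connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A stateless NACL has to permit both halves of a TCP exchange explicitly:
    the request (inbound, client -> server_port) and the reply
    (outbound, server -> the client's ephemeral port)."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


# Constructed sample rule sets (not from any real VPC).
INBOUND = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]
OUTBOUND_WITHOUT_EPHEMERAL = [Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow")]

# A deny numbered below the allow (90) is reached first and blocks the range;
# the same deny numbered above it (110) never runs because rule 100 already matched.
INBOUND_DENY_FIRST = [Rule(90, "tcp", "198.51.100.0/24", 443, 443, "deny")] + INBOUND
INBOUND_DENY_LAST = INBOUND + [Rule(110, "tcp", "198.51.100.0/24", 443, 443, "deny")]

if __name__ == "__main__":
    client, ephemeral = "203.0.113.10", 51234  # constructed client address and source port
    print("HTTPS with ephemeral outbound rule:",
          tcp_connection_allowed(INBOUND, OUTBOUND_WITH_EPHEMERAL, client, ephemeral, 443))
    print("HTTPS without ephemeral outbound rule:",
          tcp_connection_allowed(INBOUND, OUTBOUND_WITHOUT_EPHEMERAL, client, ephemeral, 443))
    print("Deny placed before allow:", evaluate(INBOUND_DENY_FIRST, "tcp", "198.51.100.7", 443))
    print("Deny placed after allow:", evaluate(INBOUND_DENY_LAST, "tcp", "198.51.100.7", 443))
```

Running the script shows the second connection failing even though port 443 is allowed inbound, which is exactly the symptom of a missing ephemeral-port outbound rule, and shows that the rule number of a deny, not its presence, determines whether it blocks anything.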