Network Access Control Lists (NACL)

  1. When you create a VPC a default NACL is created
    1. Default NACL allows all inbound and outbound traffic.
    2. All subnets created are assigned this default NACL.
  2. We can create new custom NACLs and change the association from default to custom NACL at subnet level.
    1. By default a custom NACL DENYs all inbound and outbound traffic.
  3. A subnet can have only one NACL associated with it at any given time. This differs from Security Groups, where multiple SGs can be assigned to a single EC2 instance.
  4. One NACL can be associated with multiple subnets.
    1. Example: The default NACL is assigned whenever a new subnet is created
  5. Rules are evaluated starting with the lowest-numbered rule. As soon as a rule matches the traffic it is applied, regardless of any higher-numbered rule that may contradict it. If no numbered rule matches, the implicit final rule (shown as * in the console) denies the traffic. Because of this, a DENY rule must carry a lower number than any ALLOW rule it is meant to override.
  6. For traffic entering a subnet, NACL rules are evaluated at the subnet boundary before the security group rules on the instance. For traffic leaving an instance, the security group is evaluated first and then the NACL. Either way, both must allow the traffic for it to pass.
  7. NACLs are stateless
    1. Example: If you allow HTTP inbound in a NACL, this does not automatically ALLOW the HTTP response outbound. You need to explicitly ALLOW the outbound traffic as well.
    2. This is different from security groups, which are stateful. In a SG, once you allow HTTP inbound (the request), the corresponding outbound HTTP (the response) is automatically allowed even if no outbound rule exists.
  8. Because NACLs are stateless, you must allow the ephemeral (temporary, client-side) port range on whichever side carries the responses: outbound rules for responses to connections initiated from outside the subnet, and inbound rules for responses to connections that instances in the subnet initiate (for example, software updates fetched through a NAT gateway). AWS recommends opening 1024-65535 to cover the ranges used by common client operating systems and by NAT gateways and ELBs.
  9. You can DENY (block) specific IP addresses or CIDR ranges using NACLs. This is not possible with SGs, since SG rules can only ALLOW; anything not allowed by a SG is implicitly denied, but a SG cannot single out a source to block.
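The following Python simulator ties together rule ordering (point 5), stateless evaluation (point 7), ephemeral ports (point 8) and explicit DENY rules (point 9). It is an added example written for this page and is not AWS code or an AWS API; the rule sets, IP addresses and helper names (`Rule`, `Packet`, `evaluate`, `http_request_allowed`, `reorder`) are constructed for illustration. It models the documented semantics: rules are checked in ascending number, the first match wins, the implicit `*` rule denies, and a request and its response are evaluated independently against the inbound and outbound lists.

```python
"""Minimal simulator of AWS network ACL evaluation semantics.

Added example, not from the original page or from AWS. The rule sets
and addresses below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # range AWS docs recommend opening for responses


@dataclass(frozen=True)
class Rule:
    number: int          # rule number; evaluated lowest first
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple         # (low, high) inclusive; ignored for "all" and "icmp"
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    remote_ip: str       # source for inbound packets, destination for outbound
    port: int            # destination port of this packet


def evaluate(rules, packet):
    """Return (action, matched_rule_number); None means the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", packet.protocol):
            continue
        if ipaddress.ip_address(packet.remote_ip) not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp"):
            low, high = rule.ports
            if not low <= packet.port <= high:
                continue
        return rule.action, rule.number       # first match wins, stop here
    return "deny", None                       # implicit final '*' rule


# Constructed custom NACL for a public web subnet (hypothetical).
INBOUND = [
    Rule(90,  "tcp", "203.0.113.0/24", (80, 80),   "deny"),   # block one abusive range
    Rule(100, "tcp", "0.0.0.0/0",      (80, 80),   "allow"),
    Rule(110, "tcp", "0.0.0.0/0",      (443, 443), "allow"),
    Rule(120, "tcp", "0.0.0.0/0",      EPHEMERAL,  "allow"),  # replies to outbound requests
]
OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", (443, 443), "allow"),       # instances fetching updates
    Rule(110, "tcp", "0.0.0.0/0", EPHEMERAL,  "allow"),       # replies to inbound requests
]


def http_request_allowed(client_ip, client_port, inbound=INBOUND, outbound=OUTBOUND):
    """Stateless check: both halves of one TCP exchange are judged separately.

    Returns (request_allowed, response_allowed).
    """
    request = Packet("tcp", client_ip, 80)             # client -> server:80
    response = Packet("tcp", client_ip, client_port)   # server:80 -> client:ephemeral
    req_ok = evaluate(inbound, request)[0] == "allow"
    resp_ok = evaluate(outbound, response)[0] == "allow"
    return req_ok, resp_ok


def reorder(rules, old_number, new_number):
    """Return a copy of the rule list with one rule renumbered (demo helper)."""
    return [Rule(new_number, r.protocol, r.cidr, r.ports, r.action)
            if r.number == old_number else r for r in rules]


if __name__ == "__main__":
    print(http_request_allowed("198.51.100.7", 54321))    # (True, True)
    print(http_request_allowed("203.0.113.5", 54321))     # (False, True): deny at 90 hits first
    # Same deny rule renumbered above the allow: it is never reached.
    print(http_request_allowed("203.0.113.5", 54321,
                               inbound=reorder(INBOUND, 90, 200)))   # (True, True)
    # Drop the outbound ephemeral rule: the request gets in, the reply is dropped.
    no_ephemeral = [r for r in OUTBOUND if r.ports != EPHEMERAL]
    print(http_request_allowed("198.51.100.7", 54321, outbound=no_ephemeral))  # (True, False)
```

The last two calls are the two mistakes this page warns about: a DENY numbered after the ALLOW it should override never fires, and an inbound ALLOW without a matching outbound ephemeral-port ALLOW lets the request in but silently drops the response, which shows up as a connection that hangs rather than an obvious refusal.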
Copyright 2005-2016 KnowledgeHills.