AWS
- Related Articles
- AWS Amplify : The Ultimate Beginner's Guide
- A Beginner's Guide to AWS S3: What It Is and How to Use It
- A Beginner's Guide to AWS EC2: Elastic Cloud Compute Made Simple
- Set Up an AWS Free Tier Account Safely
- AWS Certification Roadmap : From Beginner to Architect
- Cloud Computing Jobs: Roles, Skills, and Salaries
- AWS Lambda Tutorial for Beginners
- 7 Cloud Deployment Models Explained
- AWS EC2 vs S3: Key Differences Explained
- What is Cloud Computing?
- Amazon EC2 Instance Types
- GCP vs AWS
- How to start or run Docker daemon
- Introduction to AWS Simple Storage Service (AWS S3)
- Laws of Logarithms
- Docker Run Command
- Comparisons between Azure vs AWS
- Is it legal to dumpster dive in Arizona?
- How to fix "Cannot connect to the Docker daemon" error
- Elastic Compute Cloud (EC2)
- Dockerfile
- Must-Do Coding Questions for Companies like Amazon, Microsoft, Adobe
- Removing all containers and images in Docker
- Laws of Exponents
- Docker Copy Instruction
- Docker Image
- How to install Docker on Debian
- Amazon Simple Queue Service (AWS SQS)
- Amazon Machine Image (AMI)
- AWS Glacier Cost
- Deploying Nginx in Kubernetes
- Docker Instruction Commands
- How to install Docker on Windows
- Amazon SDE 2 to SDE 3 Roles, Responsibilities, and Salaries
- Introduction to AWS Lambda
- How to use a .dockerignore file
- Creating subfolders in S3 bucket using AWS CLI
- Network Access Control List (NACL)
- Viewing Docker image contents
- Introduction to Docker
- Mapping Ports in Docker
- Docker Hub
- Introduction to Amazon Route 53
- Introduction to Amazon Web Services
- Docker WORKDIR Instruction
- Features of AWS
- Docker exec /usr/bin/sh: exec format error
- Downloading folder from AWS S3 using CLI and UI
- Export and Import Docker Containers and Images
- Top AWS Services
- AWS DynamoDB insert data using AWS Lambda
Network Access Control List (NACL)
A Network Access Control List (NACL) is a crucial security component in Amazon Web Services (AWS) that controls traffic at the subnet level within a Virtual Private Cloud (VPC). Understanding how NACLs work is essential for building secure, scalable, and well-architected cloud networks.
This guide explains Network ACLs in a clear and structured manner, covering core concepts, real-world use cases, rule examples, comparisons, and best practices.
What is a Network Access Control List (NACL)?
A Network Access Control List (NACL) is a stateless firewall that controls inbound and outbound traffic for one or more subnets in an AWS VPC. It acts as a security layer that evaluates traffic based on defined rules before allowing or denying access.
Key Characteristics of NACL
- Operates at the subnet level
- Is stateless (responses must be explicitly allowed)
- Rules are evaluated in numerical order
- Supports both Allow and Deny rules
- Applies to all resources within a subnet
Why Use Network Access Control Lists?
NACLs provide an additional security boundary beyond Security Groups. They are particularly useful when you want to enforce network-wide rules across multiple resources.
Common Use Cases
- Blocking specific IP addresses or CIDR ranges
- Restricting traffic at the subnet level
- Adding an extra layer of defense for sensitive workloads
- Meeting compliance or regulatory requirements
How Network ACL Works
When traffic enters or leaves a subnet, AWS evaluates the NACL rules in ascending order (starting from the lowest rule number). The first rule that matches the traffic determines whether it is allowed or denied.
Traffic Flow Example
- Request enters the subnet
- NACL inbound rules are evaluated
- If allowed, traffic reaches the resource
- Response traffic must also be explicitly allowed by outbound rules
Inbound and Outbound Rules in NACL
Each NACL contains two sets of rules:
Inbound Rules
Control traffic entering the subnet.
Outbound Rules
Control traffic leaving the subnet.
Network ACL Rule Structure
| Field | Description |
|---|---|
| Rule Number | Determines the order of rule evaluation |
| Protocol | TCP, UDP, ICMP, or ALL |
| Port Range | Allowed or denied ports |
| Source/Destination | CIDR block (IP range) |
| Allow/Deny | Action taken when rule matches |
Sample Network ACL Rules Example
Below is a practical example of inbound and outbound NACL rules:
Inbound Rules: Rule 100: Allow TCP port 80 from 0.0.0.0/0 Rule 110: Allow TCP port 443 from 0.0.0.0/0 Rule 120: Deny all traffic from 203.0.113.0/24 Rule *: Deny all Outbound Rules: Rule 100: Allow all traffic to 0.0.0.0/0
Explanation
- HTTP and HTTPS traffic is allowed from the internet
- A specific IP range is blocked
- All unspecified traffic is denied by default
NACL vs Security Group
| Feature | NACL | Security Group |
|---|---|---|
| Level | Subnet | Instance |
| State | Stateless | Stateful |
| Allow/Deny Rules | Both | Allow only |
| Rule Order | Numerical order | All rules evaluated |
Real-World Example Scenario
Consider an e-commerce application deployed in a public subnet:
- Allow HTTP/HTTPS traffic from the internet
- Block known malicious IP addresses
- Allow outbound access to payment gateways
Using a NACL ensures that malicious traffic never reaches the application layer.
Best Practices for Network ACL
- Use NACLs as an additional security layer, not a replacement for Security Groups
- Keep rule numbers organized with gaps (100, 110, 120)
- Explicitly allow ephemeral ports for return traffic
- Regularly audit and clean unused rules
Common Mistakes to Avoid
- Forgetting to allow outbound response traffic
- Using overly permissive CIDR ranges
- Misordering rules leading to unintended denies
Frequently Asked Questions (FAQs)
1. Is Network ACL stateful or stateless?
NACLs are stateless, meaning return traffic must be explicitly allowed by outbound rules.
2. Can one NACL be associated with multiple subnets?
Yes, a single Network ACL can be associated with multiple subnets within the same VPC.
3. What happens if no rule matches the traffic?
Traffic is denied by default if no rule explicitly allows it.
4. Should I use both NACL and Security Groups?
Yes, using both provides layered security and better protection.
5. Can NACL block specific IP addresses?
Yes, NACLs can explicitly deny traffic from specific IP ranges using CIDR blocks.
Network Access Control Lists (NACLs) play a vital role in securing AWS VPC networks. By controlling traffic at the subnet level, NACLs help protect resources from unauthorized access and malicious activity. When combined with Security Groups, they form a strong, layered security model.
Understanding how to design and manage NACL rules is essential for anyone working with AWS networking.
