Last Updated: Mar 27, 2024


Author Dhruv Rawat
AWS Network Access Control List (NACL) is a powerful tool offered by Amazon Web Services (AWS). An AWS NACL acts as a virtual security guard for the AWS Virtual Private Cloud (VPC): it filters the good traffic from the bad and helps control what enters and leaves your subnets.


This article introduces AWS NACL, covers its features and components, and explains how it works.

What is AWS NACL?

A Network Access Control List (NACL) is an optional layer of security for the Amazon Virtual Private Cloud (VPC). It controls the flow of inbound and outbound traffic at the subnet boundary.

A NACL has a numbered list of rules evaluated in order from the lowest-numbered rule (1) to the highest-numbered rule (32766). These rules determine whether traffic is allowed into or out of the subnet associated with the NACL.

It is a stateless firewall, which means it does not track the state of connections. NACLs are associated with subnets, not VPCs. Each subnet in a VPC must be associated with a NACL; if you don't associate one explicitly, the subnet is automatically associated with the VPC's default NACL.


When to Use NACLs

NACLs are commonly used in these situations:

  • When we need to control the traffic that reaches the EC2 instances in a subnet
  • When segmenting the network into different subnets, each with its own security policy
  • When an additional layer of security is wanted on top of what security groups already provide

Now, let's see some of the features of AWS NACL.

Features of AWS NACL

Let's see some of the important features of AWS NACL:

  • Rule-based Filtering: A NACL uses rule criteria such as IP address range, protocol and port range to decide which traffic to allow or deny
  • Numbered Rules: Rules in a NACL are given specific numbers that determine the order in which they are evaluated
  • Inbound and Outbound Control: NACLs give separate control over incoming and outgoing traffic in the VPC
  • Stateless: Unlike Security Groups, NACLs are stateless, which means they do not track the state of connections. A NACL can therefore allow traffic in one direction while denying the corresponding return traffic in the other direction unless a rule explicitly allows it

NACLs vs Security Groups

Let's see a table comparing NACLs vs Security Groups below (cells the page does not give are marked "not given"):

  Feature               Network Access Control Lists (NACLs)   Security Groups
  Level of operation    Subnet level within a VPC              Instance level
  Supported protocols   (not given)                            All protocols
  Type of firewall      Stateless                              Stateful
  Default rule          Deny all traffic                       Allow all traffic
  Support for IPv6      (not given)                            (not given)
  Number of rules       100 per NACL                           500 per security group

Components of AWS NACL

An AWS NACL is composed of two components, subnets and rules:

  • Subnet: A subnet is a logical division of a Virtual Private Cloud (VPC). Each subnet has its own IP address range and can be associated with one or more NACLs.

  • Rule: A rule is a set of criteria used to determine whether to allow or deny traffic.

Each rule has the following components:

  • Action: specifies whether to allow or deny the traffic
  • Protocol: specifies the IP protocol of the traffic
  • Source/Destination: specifies the source (inbound) or destination (outbound) of the traffic
  • Port Range: specifies the port range the rule applies to

Types of AWS NACL 

There are two types of NACL:

  • Default NACL: The default NACL is created automatically for each VPC. It has two rules: one allows inbound traffic, and the other allows outbound traffic
  • Custom NACL: A user-defined NACL with user-defined inbound and outbound rules. Its rules allow or deny traffic based on factors such as the IP address, port number and protocol


See the table below summarizing the difference between both types (cells the page does not give are marked "not given"):

  Feature            Custom NACL      Default NACL
  Created by         User             AWS when the VPC is created
  Managed by         (not given)      (not given)
  Can be modified    (not given)      (not given)
  Can be deleted     (not given)      (not given)
  Number of rules    (not given)      (not given)
Working of AWS NACL

Network Access Control Lists (NACLs) rely on numbered rules to decide whether to allow or deny traffic. Each rule has a number from 1 to 32766; the lower the number, the higher the priority of the rule.

The first rule that matches the traffic defines the action (allow or deny), and no later rule is consulted. If no rule matches, the default rule applies, which denies all inbound and outbound traffic.


For example, the following AWS NACL rule allows inbound TCP traffic from the specified source IP address to port 80:

Action: Allow
Protocol: TCP
Port Range: 80
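As an added example (not code from the original article), the following Python model reproduces the evaluation described above: rules are tried in ascending number order, the first match decides, and the implicit "*" rule denies whatever is left. The rule set, addresses and ports are constructed for illustration, and the model also shows why a stateless NACL needs an outbound rule for the client's ephemeral return ports, something the single rule above does not cover.

```python
# Added example, not from the article: a small model of how an AWS network
# ACL evaluates its numbered, stateless rules. All rules/addresses are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # 1..32766; lower numbers are evaluated first
    action: str     # "allow" or "deny"
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple    # (from, to) inclusive; ignored when protocol is "-1"

def matches(rule, protocol, addr, port):
    """True if this single rule covers the packet described."""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if ipaddress.ip_address(addr) not in ipaddress.ip_network(rule.cidr):
        return False
    return rule.protocol == "-1" or rule.ports[0] <= port <= rule.ports[1]

def evaluate(rules, protocol, addr, port):
    """First match in ascending rule-number order wins; if nothing matches,
    the implicit '*' rule denies the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, protocol, addr, port):
            return rule.action, rule.number
    return "deny", "*"

# Constructed custom NACL for a web subnet. Rule 90 blocks one range before
# the broader rule 100 allows port 80; the outbound list forgets the
# ephemeral-port rule that a stateless filter needs for reply traffic.
INBOUND = [Rule(100, "allow", "tcp", "0.0.0.0/0", (80, 80)),
           Rule(90, "deny", "tcp", "198.51.100.0/24", (80, 80))]
OUTBOUND = [Rule(100, "allow", "tcp", "0.0.0.0/0", (443, 443))]

def web_request_verdicts(client_ip="203.0.113.7", client_port=51234):
    """Verdicts for both legs of one HTTP request from client_ip."""
    inbound = evaluate(INBOUND, "tcp", client_ip, 80)
    outbound = evaluate(OUTBOUND, "tcp", client_ip, client_port)
    return inbound, outbound

def fixed_outbound():
    """Outbound list with the missing ephemeral-port (1024-65535) allow rule."""
    return OUTBOUND + [Rule(110, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]

if __name__ == "__main__":
    print(web_request_verdicts())                                   # (('allow', 100), ('deny', '*'))
    print(evaluate(fixed_outbound(), "tcp", "203.0.113.7", 51234))  # ('allow', 110)
```

The request reaches the server (rule 100 allows port 80) but the reply is dropped by the "*" rule until rule 110 is added, which is exactly the class of outage that stateless filtering causes and that a security group would not.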

Creating a NACL

In this section, we will walk through creating a NACL in the AWS console:

1. Log in to the AWS Management Console.

2. Click on the section tab in the top left corner, go to the Networking and Content Delivery option, and open VPC.

(Screenshot: Section Tab)

3. Click on Create VPC.

(Screenshot: Create a VPC)

4. Fill in the VPC settings according to your requirements.

(Screenshot: VPC settings)

5. Success! The VPC is now created.

(Screenshot: VPC created)

6. In the left side panel under the Security section, click on Network ACLs, then click on Create network ACL.

(Screenshot: Network ACLs tab)

7. Fill in the details and assign it to the VPC created earlier.

(Screenshot: Create a Network ACL)

8. Success! The Network ACL has been created.

(Screenshot: NACL created)

Frequently Asked Questions

How does AWS NACL differ from security groups?

The difference is that a NACL operates at the subnet level, giving broader control over traffic, whereas security groups operate at the instance level.

How to troubleshoot AWS NACL issues?

There are several ways to troubleshoot issues, such as verifying the subnet associations, examining the rule configurations, and reviewing VPC Flow Logs to identify traffic that is being blocked.

Can an AWS NACL be associated with multiple subnets?

Yes, AWS NACL can be associated with multiple subnets within a Virtual Private Cloud (VPC). It gives a centralized and consistent control mechanism for which the same network rules can be applied to multiple subnets.


Congratulations, you did a fantastic job! This article covered the basics of AWS NACL, its features, components and types, and discussed how it works. Finally, some frequently asked questions were answered.


We hope you liked this article.

"Have fun coding!"
