Introduction
AWS Network Access Control List (NACL) is a powerful tool offered by Amazon Web Services (AWS). An AWS NACL acts as a virtual security guard for the AWS Virtual Private Cloud (VPC): it filters wanted traffic from unwanted traffic and helps control what enters and leaves a subnet.
This article introduces AWS NACL, covers its features and components, and explains how it works.
What is AWS NACL?
A Network Access Control List (NACL) is an optional layer of security for the Amazon Virtual Private Cloud (VPC). It helps control the flow of inbound and outbound traffic between subnets.
NACL has a numbered list of rules evaluated in order from low-numbered rule 1 to high-numbered rule 32766. These rules determine whether traffic goes in or out of the subnet associated with the NACL.
It is a stateless firewall, which means that it does not track the state of connections. NACLs are associated with subnets, not VPCs. Each subnet in a VPC must be associated with an NACL; if you do not associate one explicitly, the subnet is automatically associated with the default NACL.
When to Use NACLs
NACLs are commonly used under these conditions:
When we need to control the traffic that reaches the EC2 instances
In order to segment the network into different subnets, each with its own security policy
Adding a further layer of security on top of the protection provided by security groups
Now, let's see some of the features of AWS NACL.
Features of AWS NACL
Let's see some of the important features of AWS NACL:
Rule-based Filtering: NACL rules match on attributes such as IP address, protocol and port range to decide which traffic to allow or deny
Numbered Rules: Rules in NACLs are given specific numbers to determine the sequence of evaluation
Inbound and Outbound Control: NACLs give control over incoming and outgoing traffic in a VPC
Stateless: Unlike Security Groups, NACLs are stateless, which means they do not track the state of connections. As a result, an NACL can allow traffic in one direction while denying it in the other; each direction needs its own rule
NACLs vs Security Groups
Let's see a table comparing NACLs vs Security Groups below:
| Aspect | Network Access Control Lists (NACLs) | Security Groups |
| --- | --- | --- |
| Scope | Subnet level within a VPC | Instance level |
| Supported Protocols | TCP, UDP, ICMP | All Protocols |
| Types of firewall | Stateless | Stateful |
| Default rule | Deny all traffic | Allow all traffic |
| Support for IPv6 | No | Yes |
| Number of rules | 100 per NACL | 500 per security group |
Components of AWS NACL
An AWS NACL has two components: subnets and rules.
Subnets
A subnet is a logical division of a Virtual Private Cloud (VPC). Each subnet has its own IP address range and can be associated with one or more NACLs.
Rules
A rule is a set of criteria used to determine whether to allow or deny traffic.
Each rule has the following components:
Action: specifies whether to allow or deny the traffic
Protocol: specifies the IP protocol of the traffic
Source/Destination: specifies the source or destination of the traffic
Port Range: specifies the port range for the traffic
Types of AWS NACL
There are two types of NACL:
Default NACL: The default NACL is automatically created for each VPC. It has two rules: one allows inbound traffic, and the other allows outbound traffic
Custom NACL: A custom NACL is user-defined and can contain inbound or outbound rules. Its rules allow or deny traffic based on factors such as IP address, port number and protocol
The table below summarizes the differences between the two types:
| Feature | Custom NACL | Default NACL |
| --- | --- | --- |
| Creation | Created by User | Created by AWS when the VPC is created |
| Managed by | User | AWS |
| Deny-by-default | Yes | No |
| Can be modified | Yes | Yes |
| Can be deleted | Yes | No |
| Statefulness | Stateless | Stateful |
| Number of rules | Unlimited | 2 |
Working of AWS NACL
Network Access Control Lists (NACLs) rely on numbered rules to decide whether to allow or deny traffic. Each rule has a number from 1 to 32766; the lower the number, the higher the rule's priority.
The first rule that matches the traffic defines the action (allow or deny). If no rule matches, the default rule, which denies all inbound and outbound traffic, applies.
Example
For example, the following AWS NACL rule allows all inbound TCP traffic from the IP address 12.3.0.1 to port 80:
Action: Allow
Protocol: TCP
Source: 12.3.0.1
Port Range: 80
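The evaluation order described above (lowest rule number first, first match wins, implicit deny otherwise) and the stateless behaviour from the Features section can be modelled in a few lines. The following is an added example written for this article, not AWS code: it uses the rule from the example above as rule 100 of a constructed inbound list, then shows why a stateless NACL also needs an outbound rule for the client's ephemeral port before the server's reply can leave the subnet. The rule numbers, CIDRs and client port are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int      # 1..32766; lower numbers are evaluated first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int = 0
    port_to: int = 65535


def evaluate(rules, protocol, addr, port):
    """Return (action, rule_number) for the first rule that matches.

    Rules are checked in ascending rule-number order and the first match
    wins; if nothing matches, the implicit '*' rule denies the traffic.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action, rule.number
    return "deny", "*"


# Constructed inbound list: the article's rule as rule 100, plus a later
# deny for the whole /24 that is never reached for 12.3.0.1 itself.
INBOUND = [
    NaclRule(100, "allow", "tcp", "12.3.0.1/32", 80, 80),
    NaclRule(200, "deny", "tcp", "12.3.0.0/24", 80, 80),
]

# Outbound list that ignores statelessness: the server's reply is sent
# to the client's ephemeral port, not to port 80, so it is denied.
OUTBOUND_BROKEN = [NaclRule(100, "allow", "tcp", "0.0.0.0/0", 80, 80)]

# Corrected outbound list: also allow replies to the ephemeral port range.
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    NaclRule(110, "allow", "tcp", "0.0.0.0/0", 1024, 65535),
]


def http_round_trip(outbound, client_ip="12.3.0.1", client_port=40000):
    """Evaluate a client's request (inbound) and the server's reply (outbound)."""
    request = evaluate(INBOUND, "tcp", client_ip, 80)          # dst port 80
    reply = evaluate(outbound, "tcp", client_ip, client_port)  # dst = client's port
    return request[0], reply[0]
```

With OUTBOUND_BROKEN the request is allowed in but the reply is dropped by the implicit deny; with OUTBOUND_FIXED both directions pass, which is the check to make whenever a NACL-protected service appears to accept connections that then hang.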
Creating a NACL
In this section, we will create an NACL step by step:
1. Log in to the AWS Management Console
2. Open the services menu from the top left corner, go to the Networking and Content Delivery section, and open the VPC option
3. Click on Create a VPC
4. Fill in the VPC settings according to the requirements
5. Success! VPC is now created
6. In the left side panel, under the Security tab, click on Network ACLs and then click on Create Network ACL
7. Fill in the details and assign it to the VPC that we previously created
8. Success! The Network ACL has been created
Frequently Asked Questions
How does an AWS NACL differ from security groups?
The difference between the two is that an NACL operates at the subnet level, giving broader control over traffic, whereas security groups operate at the instance level.
How to troubleshoot AWS NACL issues?
There are several ways to troubleshoot issues, such as verifying the subnet associations, examining the rule configurations, and reviewing VPC flow logs to identify where traffic is being blocked.
Can an AWS NACL be associated with multiple subnets?
Yes, an AWS NACL can be associated with multiple subnets within a Virtual Private Cloud (VPC). This provides a centralized, consistent control mechanism by which the same network rules are applied to several subnets.
Conclusion
Congratulations, you did a fantastic job! This article covered the basics of AWS NACL, its features, components and types, and discussed how it works. Finally, some frequently asked questions were answered.