Table of contents
1. Introduction
2. What is AWS NACL?
3. When to Use NACLs
4. Features of AWS NACL
5. NACLs vs Security Groups
6. Components of AWS NACL
6.1. Subnets
6.2. Rules
7. Types of AWS NACL
8. Working of AWS NACL
8.1. Example
9. Creating a NACL
10. Frequently Asked Questions
10.1. How does AWS NACL differ from security groups?
10.2. How to troubleshoot AWS NACL issues?
10.3. Can an AWS NACL be associated with multiple subnets?
11. Conclusion
Last Updated: Mar 27, 2024

AWS NACL

Author Dhruv Rawat

Introduction

An AWS Network Access Control List (NACL) is a subnet-level traffic filter offered by Amazon Web Services (AWS). It acts as a virtual security guard at the boundary of each subnet in an Amazon Virtual Private Cloud (VPC), allowing or denying traffic according to an ordered list of rules.


This article introduces AWS NACLs, their features and components, explains how rule evaluation works, and walks through creating one.

What is AWS NACL?

A Network Access Control List (NACL) is an optional layer of security for the Amazon Virtual Private Cloud (VPC). It controls the inbound and outbound traffic of one or more subnets, acting as a firewall at the subnet boundary.

A NACL holds a numbered list of rules, evaluated in order from the lowest number (1) to the highest (32766). The first matching rule decides whether the traffic may enter or leave the subnets associated with the NACL.

It is a stateless firewall: it does not track connections, so return traffic must be allowed by its own rule in the opposite direction. NACLs are associated with subnets, not with the VPC as a whole. Every subnet must be associated with exactly one NACL; if you don't associate one explicitly, the subnet uses the VPC's default NACL.

When to Use NACLs

NACLs are commonly used under these conditions:

  • When we need to control, at the subnet level, which traffic can reach the EC2 instances in that subnet at all
     
  • In order to segment the network into different subnets, each with its own security policy
     
  • To add a second layer of defence on top of security groups, for example to block a known-bad IP range explicitly, which security groups cannot do because they have no deny rules
     

Now, Let's see some of the features of AWS NACL.

Features of AWS NACL

Let's see some of the important features of AWS NACL:

  • Rule-based Filtering: a NACL uses rule criteria such as source or destination CIDR, protocol and port range to decide which traffic to allow or deny
     
  • Numbered Rules: rules in a NACL are given specific numbers that determine the order of evaluation; the first match wins
     
  • Inbound and Outbound Control: a NACL has separate inbound and outbound rule lists, giving control over traffic entering and leaving the subnet
     
  • Stateless: unlike security groups, NACLs are stateless, meaning they do not track the state of connections. A rule that allows a request in one direction does not automatically allow the response in the other direction; the response needs its own rule

NACLs vs Security Groups

Let's see a table comparing NACLs vs Security Groups below:

Aspect | Network Access Control Lists (NACLs) | Security Groups
Scope | Subnet level within a VPC; applies to every instance in the subnet | Instance level; attached to a network interface (ENI)
Rule types | Allow and deny rules | Allow rules only
Evaluation | Rules evaluated in number order; the first match decides | All rules evaluated; traffic is allowed if any rule matches
Type of firewall | Stateless | Stateful
Default behaviour | The default NACL allows all traffic; a new custom NACL denies all traffic until rules are added | A new security group allows no inbound traffic and all outbound traffic
Supported protocols | All protocols (by IANA protocol number) | All protocols
Support for IPv6 | Yes | Yes
Number of rules | 20 inbound and 20 outbound per NACL by default (quota adjustable) | 60 inbound and 60 outbound per security group by default (quota adjustable)

Components of AWS NACL

An AWS NACL is defined by two things: the subnets it is associated with and the rules it contains.

Subnets

A subnet is a logical division of a Virtual Private Cloud (VPC) with its own IP address range. Each subnet is associated with exactly one NACL at a time, while a single NACL can be associated with many subnets.

Rules 

A rule is a set of criteria used to determine whether to allow or deny traffic. 

Each rule has the following components: 

  • Rule number: decides the order of evaluation, lowest first
     
  • Action: specify whether to allow or deny the traffic
     
  • Protocol: specify the IP protocol of the traffic (TCP, UDP, ICMP, or all)
     
  • Source/Destination: the source CIDR block for inbound rules or the destination CIDR block for outbound rules
     
  • Port Range: specify the port range for the traffic (for TCP and UDP)

Types of AWS NACL 

There are two types of NACL:

  • Default NACL: The default NACL is automatically created for each VPC and is used by every subnet that has no explicit association. It comes with rule 100 allowing all inbound traffic and rule 100 allowing all outbound traffic, followed by the catch-all * rule that denies anything not matched above it
     
  • Custom NACL: A user-defined NACL. It has both an inbound and an outbound rule list, each starting with only the * deny rule, so it blocks all traffic until you add rules that allow or deny traffic based on CIDR block, port range and protocol

 See the below table summarizing the difference between both types:

Feature | Custom NACL | Default NACL
Creation | Created by the user | Created by AWS when the VPC is created
Initial rules | Only the * deny rule in each direction | Rule 100 allowing all traffic in each direction, plus the * deny rule
Deny-by-default | Yes | No
Can be modified | Yes | Yes, its rules can be added, edited or removed
Can be deleted | Yes, once no subnet is associated with it | No
Statefulness | Stateless | Stateless
Subnet association | Explicit; one NACL can serve many subnets | Automatic for any subnet without an explicit association


Working of AWS NACL

Network Access Control Lists (NACLs) rely on numbered rules to decide whether to allow or deny traffic. Each rule has a number from 1 to 32766; the lower the number, the higher the rule's priority. 

The first rule that matches the traffic defines the action (allow or deny), and no later rule is consulted. If no numbered rule matches, the final * rule applies, which denies the traffic. Inbound and outbound rules are evaluated independently.

Example

For example, the following inbound AWS NACL rule allows TCP traffic from the single host 12.3.0.1 to port 80:

Rule number: 100
Action: Allow
Protocol: TCP
Source: 12.3.0.1/32
Port Range: 80

Because the NACL is stateless, this rule alone is not enough for a web server to answer: the replies go back to 12.3.0.1 on the client's ephemeral port, so the outbound rule list also needs a rule allowing TCP to ports 1024-65535.
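To make the first-match, stateless behaviour concrete, here is a small evaluator that models the algorithm described above. It is an added illustration written for this article, not AWS code; the Rule and Packet types, the 12.3.0.1 host rule and the sample traffic are all constructed for the example.

```python
"""Stateless rule evaluation for an AWS network ACL (added illustration, not AWS code).

Rules are kept per direction. Inbound rules match on the packet's source address
and destination port; outbound rules match on the destination address and port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    number: int          # 1..32766, lowest number evaluated first
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple = ALL_PORTS  # inclusive port range; ignored for icmp and "all"


@dataclass(frozen=True)
class Packet:
    protocol: str
    addr: str   # remote address: source for inbound, destination for outbound
    port: int   # destination port


def evaluate(rules, pkt):
    """Return "allow" or "deny" for one packet in one direction.

    Mirrors the NACL algorithm: walk the rules in ascending number order, stop at
    the first rule that matches, and fall through to the implicit "*" rule, which
    denies anything no numbered rule matched.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", pkt.protocol):
            continue
        if ip_address(pkt.addr) not in ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol in ("tcp", "udp"):
            lo, hi = rule.ports
            if not lo <= pkt.port <= hi:
                continue
        return rule.action
    return "deny"  # the "*" rule


# The article's rule, written as the console stores it (a /32 for a single host).
INBOUND = [Rule(100, "allow", "tcp", "12.3.0.1/32", (80, 80))]
# Replies leave on the client's ephemeral port, so the outbound side needs its own rule.
OUTBOUND = [Rule(100, "allow", "tcp", "0.0.0.0/0", (1024, 65535))]


def web_request(inbound, outbound, client_ip, client_port):
    """Verdicts for one HTTP request and its reply through a stateless NACL.

    The request arrives from client_ip on destination port 80; the reply goes
    back to client_ip on the ephemeral client_port it came from.
    """
    request = Packet("tcp", client_ip, 80)
    reply = Packet("tcp", client_ip, client_port)
    return evaluate(inbound, request), evaluate(outbound, reply)


if __name__ == "__main__":
    # Constructed sample traffic, not captured data.
    print(web_request(INBOUND, OUTBOUND, "12.3.0.1", 51000))      # ('allow', 'allow')
    print(web_request(INBOUND, [], "12.3.0.1", 51000))            # ('allow', 'deny'): reply dropped
    print(web_request(INBOUND, OUTBOUND, "198.51.100.7", 51000))  # ('deny', 'allow')
    # A lower-numbered deny wins over rule 100 even though both rules match.
    blocked = [Rule(90, "deny", "tcp", "12.3.0.0/24", (80, 80))] + INBOUND
    print(evaluate(blocked, Packet("tcp", "12.3.0.1", 80)))       # deny
```

The second call is the case that bites in practice: the request is allowed in, the server answers, and the reply is silently dropped on the way out because nothing in the outbound list matches the ephemeral port. A security group would have allowed the reply automatically; a NACL never does.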

Creating a NACL

In this section, we will discuss creating NACL: 

1. Log in to the Amazon management console 

2. Open the Services menu in the top-left corner, go to Networking & Content Delivery, and choose VPC

Section Tab


3. Click on Create a VPC 

create a VPC


4. Fill in the VPC settings according to the requirements

VPC setting


5. Success! VPC is now created 

VPC created

6. In the left navigation pane, under Security, choose Network ACLs, then choose Create network ACL 

Network ACLs tab

7. Enter a name and select the VPC we created above 

Create a Network ACL

8. Success! The network ACL has been created. It starts with only the * deny rule in each direction, so it passes no traffic until you add inbound and outbound rules and associate subnets with it on its Subnet associations tab

NACL created
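The same procedure can be scripted. The following is an added example using boto3 and is not code from the original article: it creates a custom NACL for a web subnet, adds inbound rules for HTTP/HTTPS plus the outbound ephemeral-port rule that the stateless model requires, and then replaces the subnet's existing association (which points at the default NACL) with the new one. The VPC and subnet IDs are taken from the command line, and the client range 203.0.113.0/24 is a documentation placeholder.

```python
"""Create a custom network ACL for a web subnet and swap it onto the subnet.

Added example using boto3; it is not code from the original article. The VPC and
subnet IDs are passed on the command line and the client CIDR below is a placeholder.
"""
import sys

MAX_RULE_NUMBER = 32766  # 32767 is reserved for the "*" rule


def web_server_rules(client_cidr="0.0.0.0/0"):
    """Rule set as (number, egress, protocol, action, cidr, from_port, to_port).

    Protocols use IANA numbers as the EC2 API expects them: "6" is TCP.
    """
    return [
        # Inbound: HTTP and HTTPS from the clients we serve.
        (100, False, "6", "allow", client_cidr, 80, 80),
        (110, False, "6", "allow", client_cidr, 443, 443),
        # Inbound: replies to connections the subnet itself opened (package updates etc.).
        (120, False, "6", "allow", "0.0.0.0/0", 1024, 65535),
        # Outbound: replies to clients arrive on their ephemeral ports; a stateless
        # NACL does not open this automatically, so it must be an explicit rule.
        (100, True, "6", "allow", "0.0.0.0/0", 1024, 65535),
        # Outbound: let instances reach HTTPS endpoints.
        (110, True, "6", "allow", "0.0.0.0/0", 443, 443),
    ]


def validate(rules):
    """Reject rule sets the API would refuse: duplicate numbers per direction,
    numbers outside 1..32766, an unknown action, or an inverted port range."""
    seen = set()
    for number, egress, _proto, action, _cidr, lo, hi in rules:
        if not 1 <= number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number {number} out of range")
        if (number, egress) in seen:
            raise ValueError(f"duplicate rule number {number} for egress={egress}")
        if action not in ("allow", "deny") or lo > hi:
            raise ValueError(f"bad rule {number}")
        seen.add((number, egress))
    return True


def create_and_attach(ec2, vpc_id, subnet_id, rules, name="web-nacl"):
    """Create the NACL, add the rules, and replace the subnet's current association."""
    validate(rules)
    acl_id = ec2.create_network_acl(VpcId=vpc_id)["NetworkAcl"]["NetworkAclId"]
    ec2.create_tags(Resources=[acl_id], Tags=[{"Key": "Name", "Value": name}])
    for number, egress, proto, action, cidr, lo, hi in rules:
        ec2.create_network_acl_entry(
            NetworkAclId=acl_id, RuleNumber=number, Egress=egress, Protocol=proto,
            RuleAction=action, CidrBlock=cidr, PortRange={"From": lo, "To": hi},
        )
    # Every subnet has exactly one NACL association (the default NACL's, if none
    # was set explicitly); find it and point it at the new NACL.
    current = ec2.describe_network_acls(
        Filters=[{"Name": "association.subnet-id", "Values": [subnet_id]}]
    )["NetworkAcls"][0]
    assoc_id = next(a["NetworkAclAssociationId"] for a in current["Associations"]
                    if a["SubnetId"] == subnet_id)
    ec2.replace_network_acl_association(AssociationId=assoc_id, NetworkAclId=acl_id)
    return acl_id


if __name__ == "__main__":
    import boto3  # imported here so the helpers above can be used without it

    vpc_id, subnet_id = sys.argv[1], sys.argv[2]
    # 203.0.113.0/24 is a documentation range standing in for the real client CIDR.
    print(create_and_attach(boto3.client("ec2"), vpc_id, subnet_id,
                            web_server_rules("203.0.113.0/24")))
```

Run it as `python create_nacl.py vpc-xxxxxxxx subnet-xxxxxxxx` with credentials that can modify the VPC. Swapping the association rather than creating a second one is the point to note: a subnet can only ever have one NACL, so the API replaces the existing association in place, and traffic to the subnet is filtered by the new rule set from that moment on.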

Frequently Asked Questions

How does AWS NACL differ from security groups?

A NACL operates at the subnet level, giving coarse control over all traffic crossing the subnet boundary, and is stateless with both allow and deny rules. A security group operates at the instance level, is stateful, and has allow rules only.

How to troubleshoot AWS NACL issues?

Start by verifying which NACL the subnet is actually associated with, then examine the rule configuration in both directions (a missing outbound rule for ephemeral ports 1024-65535 is the most common cause of "requests arrive but responses never come back"), and review VPC Flow Logs, where records with action REJECT show the traffic that is being dropped.

Can an AWS NACL be associated with multiple subnets?

Yes, one NACL can be associated with multiple subnets within a Virtual Private Cloud (VPC), giving a centralized and consistent way to apply the same network rules to several subnets. The reverse does not hold: each subnet is associated with only one NACL at a time.

Conclusion

This article covered the basics of AWS NACL: its features, components and types, how rule evaluation works, and how to create one. Finally, some frequently asked questions were discussed.


We hope you liked this article.

"Have fun coding!”
