Post

AWS - VPC Security - NACL Network Access control list

Posted
By Grace L
2 min read

AWS - NACL Network Access control list

pic

pic

pic

The VPC router hosts the network ACL function.

  • controlling traffic in and out of one or more subnets.

  • might set up NACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

  • Stateless
    • “Stateless rules” inspect all inbound and outbound traffic,
    • no information about a request is maintained after a request is processed.
    • don’t keep track of connections, sessions,
    • allow traffic based on an incoming rule
      • responses are subject to the rules for the direction of traffic.

    • don’t automatically allow the corresponding outgoing traffic.

    • NACLs only apply to traffic ingress or egress to the subnet
      • not traffic within the subnet.
      • do not filter traffic between instances in the same subnet.
  • provide a firewall/security/optional layer of security for VPC at the subnet level
    • acts as a firewall for controlling traffic in / out of one or more subnets.
    • set up network ACLs with rules that are similar to your security groups.
  • All subnets must be associated with a network ACL.
    • no create NACL for a subnet, a “default NACL” will be assigned.
      • the subnet is automatically associated with the default NACL.
      • recommended evaluate security requirements and define each network ACL accordingly.
    • can associate a network ACL with multiple subnets;
    • but a subnet can be associated with only one network ACL at a time.
      • When you associate a network ACL with a subnet, the previous association is removed.

rule

  • default network ACL: (All allow)
    • allows all inbound and outbound IPv4/IPv6 traffic
      • default all inbound and outbound traffic is automatically blocked.
      • but default NACL have an allow rule must be explicitly created.
      • (pre-created by default VPC) ALLOW ALL inbound/outbound traffic
  • custom NACL: (all deny)
    • denies all traffic both inbound and outbound by default.
    • denies all until you add rules.
  • A network ACL has separate inbound and outbound rules, can either allow or deny traffic.
    • NACLs preferred blocking specific IPs or ranges.
      • Security groups cannot be used to block specific ranges of IPs.
      • NACL is the first line of defence,
      • the security group is the second line.
    • rules defined by source, destination, port, and protocol.
  • A network ACL contains a numbered list of rules in order,
    • starting with the lowest numbered rule.
    • from the lowest number until the explicit deny.
    • The highest number that you can use for a rule is 32,766.
    • Rules are evaluated in numerical order.
      • Recommended to leave spacing between network ACL numbers.
    • associate up to 200 network ACLs in each VPC.

  • Changes to NACLs take effect immediately.

  • Also recommended to have software firewalls installed on your instances.
01AWS, Network
AWS Network NACLs
This post is licensed under CC BY 4.0 by the author.

Comments powered by Disqus.