Ref: https://learn.cantrill.io/courses/1820301/lectures/41301355
VPC NACL - Key Concepts
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0800-VIRTUAL_PRIVATE_CLOUD(VPC)/00_LEARNINGAIDS/NACL-1.png
- 🔧 Traditional (stateless) firewall at the subnet level
- Network Access Control List = Network ACL = NACL
- Function: filters traffic crossing the subnet boundary (inbound or outbound)
- ‼️ Traffic inside the subnet is NOT affected by the NACL!
- If a connection is made between two subnets → both subnets' NACLs need to allow that connection (otherwise the connection is blocked)
- Stateless nature
- Unaware whether traffic is a request or a response = request and response are seen as separate traffic
- Requires 2 rules per connection (one IN and one OUT)
- Subnet association: 1-to-many
- Every subnet has one associated NACL (default or custom)
- A single NACL can be associated with many subnets
- NACLs cannot be assigned to other (logical) AWS resources - only VPC subnets
- Common usage together with Security Groups (SGs)
- SGs allow traffic
- NACLs deny traffic (SGs can't explicitly deny traffic)
- 💡 NACLs are great for blocking specific IPs or IP ranges → great for blocking bad actors
VPC NACL Rules
Diagram: https://github.com/acantril/aws-sa-associate-saac03/blob/main/0800-VIRTUAL_PRIVATE_CLOUD(VPC)/00_LEARNINGAIDS/NACL-2.png
- Each NACL contains two sets of rules:
- Inbound: affect data entering the subnet
- Outbound: affect data leaving the subnet
- ❗ Inbound/outbound do not necessarily match request or response traffic! Think about directionality!
- Traffic matched according to:
- IPs/CIDR (inbound:SRC or outbound:DST)
- Port (inbound:SRC or outbound:DST)
- Protocol
- ‼️ Logical Resources (e.g. IGW, EC2 instances…) can NOT be referenced for matching!
- If traffic matches all 3 above → NACL allows or denies traffic based on that rule
- Rules are processed in order
- ❗ Lowest rule number goes first
- Once a match occurs, processing stops (so no further rules will apply!)
- Last rule (always present) → rule number * = implicit DENY → if no rules match, traffic is denied
- Rule numbers are unique on inbound and outbound sets
- both the inbound and outbound tables can have a rule number 110, for example, but the inbound set cannot have two rules numbered 110
- Connection rule-pairs (app port + ephemeral ports) are needed on each NACL for each type of communication that occurs:
- Within a VPC (between subnets)
- To a VPC
- From a VPC
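The stateless behaviour from the Key Concepts notes (request and response judged separately, so two rules per connection) and the ordered, first-match, implicit-deny processing from the Rules notes can be seen together in a small evaluator. The following is an added example written for these notes, not code from the course or from AWS: it models a NACL as two ordered rule lists, matches the CIDR against the source (inbound) or destination (outbound) address and the port range against each packet's destination port, and then checks a constructed HTTPS request from a client against the web subnet's NACL both with and without the outbound ephemeral-port rule. All addresses, rule numbers and the NACL names (WEB_NACL, HALF_NACL, MISORDERED_INBOUND) are constructed for the example.

```python
"""Stateless NACL rule evaluator (illustrative model, not AWS's implementation)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int        # lowest number is evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    cidr: str          # inbound rules match the source, outbound rules the destination
    port_from: int     # port range, matched against the packet's destination port
    port_to: int
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int

    def response(self) -> "Packet":
        """The reply to this packet: addresses and ports swapped."""
        return Packet(self.dst_ip, self.src_ip, self.protocol,
                      self.dst_port, self.src_port)


@dataclass
class Nacl:
    inbound: List[Rule]    # rules applied to traffic entering the subnet
    outbound: List[Rule]   # rules applied to traffic leaving the subnet


def _matches(rule: Rule, pkt: Packet, direction: str) -> bool:
    """True if protocol, address (by direction) and destination port all match."""
    if rule.protocol != "-1" and rule.protocol != pkt.protocol:
        return False
    addr = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    if ip_address(addr) not in ip_network(rule.cidr):
        return False
    return rule.port_from <= pkt.dst_port <= rule.port_to


def evaluate(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[str, Union[int, str]]:
    """First match in ascending rule-number order wins; '*' is the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt, direction):
            return rule.action, rule.number
    return "deny", "*"


def connection_allowed(nacl: Nacl, request: Packet) -> bool:
    """Stateless: the request (inbound) and its response (outbound) are judged separately."""
    req_action, _ = evaluate(nacl.inbound, request, "inbound")
    res_action, _ = evaluate(nacl.outbound, request.response(), "outbound")
    return req_action == "allow" and res_action == "allow"


# Constructed example: a public web subnet whose server is 10.0.1.10.
WEB_NACL = Nacl(
    inbound=[
        Rule(90, "tcp", "203.0.113.0/24", 443, 443, "deny"),   # block one source range first
        Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),      # HTTPS from anywhere
    ],
    outbound=[
        Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # responses to client ephemeral ports
    ],
)
# Same inbound rules, but the outbound ephemeral-port rule was forgotten.
HALF_NACL = Nacl(inbound=WEB_NACL.inbound, outbound=[])
# The deny is numbered above the allow, so the allow matches first and the deny is never reached.
MISORDERED_INBOUND = [
    Rule(110, "tcp", "203.0.113.0/24", 443, 443, "deny"),
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]

CLIENT_REQ = Packet("198.51.100.10", "10.0.1.10", "tcp", 50000, 443)   # constructed client
BAD_REQ = Packet("203.0.113.7", "10.0.1.10", "tcp", 50000, 443)        # from the blocked range

if __name__ == "__main__":
    print(evaluate(WEB_NACL.inbound, CLIENT_REQ, "inbound"))       # ('allow', 100)
    print(evaluate(WEB_NACL.inbound, BAD_REQ, "inbound"))          # ('deny', 90)
    print(connection_allowed(WEB_NACL, CLIENT_REQ))                # True
    print(connection_allowed(HALF_NACL, CLIENT_REQ))               # False: response hits implicit deny
    print(evaluate(MISORDERED_INBOUND, BAD_REQ, "inbound"))        # ('allow', 100)
```

The HALF_NACL case is the one that catches people: the inbound request is allowed, but because the NACL keeps no connection state the response leaving the subnet is a separate packet that falls through to the implicit deny. The MISORDERED_INBOUND case shows why a deny rule for a specific range must carry a lower number than the broad allow it is meant to override.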
VPC NACL Types