AWS Networking: Network Access Control Lists (NACLs)

In the AWS ecosystem, security is applied in layers. While Security Groups act as a firewall for your instances, Network ACLs (NACLs) act as a firewall for your entire subnet. Understanding the nuances of NACLs is critical for passing the SAA-C03 exam, particularly regarding their stateless nature and rule evaluation.

The “Airport Security” Analogy

Imagine a private airport (Your VPC).

  • The NACL is the security checkpoint at the terminal entrance. They check everyone coming in and out against a list. If you aren’t on the list to enter, you’re blocked. If you’re leaving, they check the list again. They don’t remember you from 5 minutes ago (Stateless).
  • The Security Group is the bodyguard standing right next to the VIP (EC2 Instance). Once the bodyguard lets you in, they know you’re supposed to be there and will let you leave without checking the list again (Stateful).

Core Concepts & Configuration

A Network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

  • Subnet Association: Each subnet in your VPC must be associated with a NACL. If you don’t explicitly associate a subnet with a custom NACL, it is automatically associated with the Default NACL.
  • Rule Evaluation: Rules are processed in order, starting with the lowest numbered rule. As soon as a rule matches the traffic, it is applied, and no further rules are checked.
  • Statelessness: This is the most important concept. NACLs do not track the state of a connection; each packet is evaluated on its own against the rule set for its direction. If you allow inbound traffic on port 80, you must also explicitly create an outbound rule that allows the response packets back to the client’s ephemeral port range, otherwise the request arrives but the reply is silently dropped.

NACL vs. Security Groups

Feature       Security Group                         Network ACL
-----------   ------------------------------------   --------------------------------------------
Level         Instance / ENI level                   Subnet level
State         Stateful (return traffic allowed)      Stateless (return traffic must be allowed)
Rules         Allow rules only                       Allow and Deny rules
Evaluation    All rules evaluated before decision    Processed in number order (lowest first)
Association   Applied to instances (via ENIs)        Applied to subnets

Decision Matrix: If–Then Guide

  • If you need to block a specific malicious IP address… Then use a Network ACL (Security Groups cannot DENY).
  • If you want traffic to be automatically allowed back out… Then rely on Security Groups (Stateful).
  • If you have reached the limit of rules per Security Group… Then consider offloading broad subnet-level blocks to a NACL.
  • If you are troubleshooting “Connection Timeout” but SG is correct… Then check if the NACL is blocking ephemeral ports.

Exam Tips and Gotchas

  • Rule #* (Asterisk): Every NACL contains a final rule with an asterisk. This is a “Catch-all Deny.” You cannot modify or delete this rule.
  • Ephemeral Ports: For a web server (Port 80) to work with a NACL, you must allow Inbound 80 AND Outbound to ports 1024-65535.
  • Default NACL: The default NACL allows ALL inbound and ALL outbound traffic by default.
  • Custom NACL: A newly created custom NACL DENIES all inbound and outbound traffic until you add rules.
  • One-to-Many: A subnet can only be associated with ONE NACL at a time, but a single NACL can be associated with multiple subnets.
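The evaluation rules above (lowest number first, first match wins, implicit catch-all deny, no connection state) are easy to state and easy to get wrong in practice. The following Python model is an added example, not AWS code and not a verified copy of the NACL engine; it reproduces the documented behaviour on constructed rule sets and packets so you can see the “Connection Timeout” from the decision matrix (inbound 80 allowed, no outbound ephemeral rule), the fix, and why a deny rule only works when its number is lower than the allow it must beat. All addresses, rule numbers and port ranges are assumptions chosen for illustration.

```python
"""Model of how a Network ACL evaluates a packet (added example, not AWS code).

Assumptions (labelled): rules carry the same fields as console entries
(number, protocol, CIDR, port range, action); the final "*" catch-all
DENY is implicit, as on AWS. Every packet and rule set below is constructed
for illustration; nothing here talks to an AWS account.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # 1-32766; lowest number is evaluated first
    protocol: str     # "tcp", "udp", "icmp", or "-1" for all protocols
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    from_port: int
    to_port: int
    action: str       # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    src_port: int
    dst_port: int


ALL_PORTS = (0, 65535)


def evaluate(rules, packet, direction):
    """Return (action, matched rule number) for one packet in one direction.

    First match wins, in ascending rule number; no match falls through to
    the catch-all ("deny", "*"). The remote address is the source for
    inbound and the destination for outbound; the port checked is always
    the packet's destination port.
    """
    remote = packet.src_ip if direction == "in" else packet.dst_ip
    addr = ipaddress.ip_address(remote)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", packet.protocol):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if not rule.from_port <= packet.dst_port <= rule.to_port:
            continue
        return rule.action, rule.number
    return "deny", "*"


def http_exchange(inbound, outbound, client_ip, server_ip, client_port=45678):
    """Check both halves of a stateless TCP exchange with a web server.

    The request hits the inbound rule set; the reply (server port 80 back
    to the client's ephemeral port) hits the outbound rule set separately,
    because a NACL remembers nothing about the request.
    """
    request = Packet(client_ip, server_ip, "tcp", client_port, 80)
    reply = Packet(server_ip, client_ip, "tcp", 80, client_port)
    req = evaluate(inbound, request, "in")
    rep = evaluate(outbound, reply, "out")
    return {"request": req, "reply": rep, "ok": req[0] == rep[0] == "allow"}


# Default NACL: rule 100 allows everything in both directions.
DEFAULT_IN = [Rule(100, "-1", "0.0.0.0/0", *ALL_PORTS, "allow")]
DEFAULT_OUT = [Rule(100, "-1", "0.0.0.0/0", *ALL_PORTS, "allow")]

# Custom NACL where only inbound 80 was added: the classic "Connection Timeout".
WEB_IN = [Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow")]
EMPTY_OUT = []                                   # only the catch-all deny

# Fix: let replies out to the client's ephemeral port range.
EPHEMERAL_OUT = [Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow")]

# Blackhole an attacker (documentation address, constructed): the deny must
# carry a LOWER number than the allow it is meant to beat.
ATTACKER = "203.0.113.7"
BLACKHOLE_IN = [Rule(1, "-1", f"{ATTACKER}/32", *ALL_PORTS, "deny")] + WEB_IN
LATE_DENY_IN = WEB_IN + [Rule(200, "-1", f"{ATTACKER}/32", *ALL_PORTS, "deny")]


if __name__ == "__main__":
    client, server = "198.51.100.10", "10.0.1.25"
    print("default NACL    :", http_exchange(DEFAULT_IN, DEFAULT_OUT, client, server))
    print("inbound 80 only :", http_exchange(WEB_IN, EMPTY_OUT, client, server))
    print("with ephemeral  :", http_exchange(WEB_IN, EPHEMERAL_OUT, client, server))
    probe = Packet(ATTACKER, server, "tcp", 51000, 80)
    print("deny as rule 1  :", evaluate(BLACKHOLE_IN, probe, "in"))
    print("deny as rule 200:", evaluate(LATE_DENY_IN, probe, "in"))
```

Run it and compare the second and third lines: the request is allowed by rule 100 in both cases, but with no outbound rule the reply matches nothing and lands on the catch-all deny, which is exactly what the client experiences as a timeout rather than a refused connection. The last two lines show the same deny rule working as rule 1 and never firing as rule 200.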

Topics covered:

Summary of key subtopics covered in this guide:

  • Stateless vs. Stateful architecture
  • Rule numbering and evaluation order
  • Ephemeral port requirements
  • Default vs. Custom NACL behaviors
  • Subnet-level security enforcement
  • Deny-list implementation

NACL Architecture Visualized

[Diagram: public traffic enters the VPC -> Network ACL (subnet firewall) -> Security Group -> EC2 instance]

Service Ecosystem

VPC Flow Logs

Use VPC Flow Logs to monitor NACL rejects. If a packet is rejected by a NACL, it never reaches the Security Group, so it shows up in the flow log as a REJECT record on the target ENI. Note that a flow log record does not say which layer rejected the packet; when a REJECT appears, check both the subnet’s NACL and the instance’s Security Group.

AWS WAF

Combine NACLs (Layer 3/4: addresses, protocols and ports) with AWS WAF (Layer 7: HTTP requests) for a robust defense-in-depth strategy. A NACL cannot see URLs, headers or request bodies, and WAF cannot stop a packet before it reaches the subnet, so each covers what the other cannot.

Performance & Scaling

At the default size, NACLs add no meaningful latency. The default quota is 20 rules per direction per NACL (20 inbound and 20 outbound), which can be raised to 40; AWS notes that processing the larger rule set may affect network performance. Large numbers of rules also become complex to manage.

Pro-Tip: Use increments of 10 for rule numbers (100, 110, 120) to leave room for future rules.

Cost Optimization

Network ACLs are a free feature of Amazon VPC. There are no additional charges for creating NACLs or processing rules, making them a cost-effective way to implement broad security boundaries.

Production Use Case

The “Blackhole” Strategy: When a specific IP is launching a brute-force attack, add an Inbound Rule #1 “DENY” for that IP (as a /32, all protocols and ports). Because rules are evaluated lowest number first, the deny must carry a lower number than any allow rule that would otherwise match; a deny numbered after your 100-series allows never fires. This stops the traffic at the subnet boundary before it hits your instances, and since the NACL is stateless it also works for traffic the attacker sends to any port in the subnet, not just the one under attack.
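The detection half of that use case is finding the attacking address in VPC Flow Logs, as the Service Ecosystem section suggests. The script below is an added example, not AWS code: it parses constructed lines in the default version-2 flow-log format, counts REJECT records per source address (optionally for one destination port), picks sources over a threshold, and emits the `aws ec2 create-network-acl-entry` call that installs a low-numbered inbound deny for each. The account id, ENI id, NACL id and all addresses are placeholders; the threshold is an assumption you would tune to your own traffic. Remember that a REJECT in the flow log does not say whether a NACL or a Security Group dropped the packet, so these counts tell you who to block, not which layer blocked them.

```python
"""Mine VPC Flow Logs for REJECTed sources worth a NACL deny rule.

Added example, not AWS code. The log lines below are constructed to match
the default flow-log format (version 2, space separated); the account id,
ENI id and addresses are placeholders from documentation ranges.
"""
from collections import Counter

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample: five rejected SSH probes from one source, one stray
# reject from another, and a normal accepted HTTP exchange.
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 51201 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 51202 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 51203 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 51204 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 203.0.113.7 10.0.1.25 51205 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 192.0.2.44 10.0.1.25 40001 22 6 1 44 1700000000 1700000059 REJECT OK
2 123456789012 eni-0123456789abcdef0 198.51.100.10 10.0.1.25 45678 80 6 12 1500 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0123456789abcdef0 10.0.1.25 198.51.100.10 80 45678 6 10 9000 1700000000 1700000059 ACCEPT OK
"""


def parse_flow_log(text):
    """Parse default-format (version 2) flow-log lines into dicts.

    Lines that are not 14-field version-2 records with log-status OK are
    skipped, so NODATA/SKIPDATA records (dash-filled fields) never reach int().
    """
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2" or parts[-1] != "OK":
            continue
        rec = dict(zip(FIELDS, parts))
        for key in ("srcport", "dstport", "protocol", "packets", "bytes"):
            rec[key] = int(rec[key])
        records.append(rec)
    return records


def reject_counts(records, dst_port=None):
    """Count REJECT records per source address, optionally for one dst port."""
    counts = Counter()
    for rec in records:
        if rec["action"] != "REJECT":
            continue
        if dst_port is not None and rec["dstport"] != dst_port:
            continue
        counts[rec["srcaddr"]] += 1
    return counts


def candidate_blackholes(records, threshold, dst_port=None):
    """Sources with at least `threshold` rejects, busiest first."""
    counts = reject_counts(records, dst_port)
    return sorted(((ip, n) for ip, n in counts.items() if n >= threshold),
                  key=lambda item: (-item[1], item[0]))


def deny_rule_commands(acl_id, candidates, first_rule_number=1):
    """One AWS CLI call per candidate. Deny rules get the lowest numbers so
    they are evaluated before any allow rule (typically the 100-series)."""
    commands = []
    for offset, (ip, _) in enumerate(candidates):
        commands.append(
            f"aws ec2 create-network-acl-entry --network-acl-id {acl_id} "
            f"--ingress --rule-number {first_rule_number + offset} "
            f"--protocol -1 --cidr-block {ip}/32 --rule-action deny")
    return commands


if __name__ == "__main__":
    records = parse_flow_log(SAMPLE_FLOW_LOG)
    print("rejects per source:", dict(reject_counts(records)))
    hits = candidate_blackholes(records, threshold=3, dst_port=22)
    print("candidates       :", hits)
    # acl-... is a placeholder id; substitute the subnet's real NACL.
    for cmd in deny_rule_commands("acl-0123456789abcdef0", hits):
        print(cmd)
```

The threshold of three rejects within the window is deliberately low for the sample; in production you would aggregate over a longer period and keep an allow list of your own scanners. Each additional candidate gets the next rule number (1, 2, 3 ...), which keeps every deny ahead of the allow rules without touching the increments-of-10 layout used for the rest of the NACL.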
