Network ACLs
Network Access Control Lists (ACLs) are ordered sets of allow and deny rules in AWS that control inbound and outbound traffic at the boundary of a VPC subnet.
Description
In the context of AWS, Network ACLs (NACLs) are a security feature of Virtual Private Clouds (VPCs). They act as a virtual firewall for controlling traffic at the subnet level. Each subnet in a VPC is associated with exactly one NACL (a single NACL can serve many subnets, and a subnet with no explicit association uses the VPC's default NACL). A NACL contains numbered rules that allow or deny traffic based on source or destination CIDR, protocol, and port range. The default NACL that comes with every VPC allows all inbound and outbound traffic; a newly created custom NACL contains no rules and therefore denies all traffic until rules are added. Unlike security groups, which are stateful and automatically permit the return half of an allowed connection, NACLs are stateless: each packet is checked against the rules for its direction only, so both inbound and outbound rules must be written, and a rule permitting a request must be paired with a rule permitting the response (for connections initiated from outside, an outbound rule covering the client's ephemeral port range). NACLs also support explicit deny rules, which security groups do not, so they are the natural place to block traffic from specific IP ranges, whereas security groups remain the primary control for what an instance may accept. Rules are evaluated in ascending rule-number order and the first match decides the packet's fate; a packet that matches no rule is dropped by the implicit final deny rule.
Examples
- A NACL for a public web subnet allows inbound TCP port 80 from 0.0.0.0/0 and denies all other inbound traffic. Because NACLs are stateless, it also needs an outbound rule allowing TCP ports 1024-65535 to 0.0.0.0/0 so that HTTP responses can leave the subnet; without it the requests are accepted but the replies are dropped.
- An organization adds an inbound deny rule for a known malicious IP address, numbered lower than any allow rule that would otherwise match that source, so that the deny is reached first. A deny rule numbered above a matching allow rule never takes effect.
Additional Information
- NACL rules are evaluated in order, starting with the lowest numbered rule, until a match is found; the matching rule's action is applied and later rules are ignored. If no rule matches, the implicit final deny rule (shown as * in the console) drops the packet. Leaving gaps between rule numbers (100, 200, ...) makes it easy to insert a deny ahead of an existing allow later.
- By default a NACL can hold 20 inbound and 20 outbound rules. The quota can be raised through Service Quotas to a maximum of 40 rules per direction, and AWS warns that larger rule sets can reduce network performance.
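The evaluation behaviour described in the Description, Examples and Additional Information sections above, as an added example that is not part of the original page and not AWS code: a small Python simulator of NACL rule evaluation. It models ascending rule-number evaluation with first-match-wins and the implicit final deny, and it checks a connection statelessly (request against the inbound rules, response against the outbound rules). The four NACLs it builds are constructed for illustration: the web NACL with and without the outbound ephemeral-port rule, and a host-block deny rule numbered both below and above the matching allow. Simplifications that are assumptions of this example rather than AWS semantics: protocols are named "tcp", "udp" or "all" instead of IANA numbers, ICMP type/code matching is not modelled, and the client IPs come from the RFC 5737 documentation ranges.

```python
"""Simulator of AWS Network ACL rule evaluation (added illustration, not AWS code).

Simplifications (assumptions of this example): protocols are named "tcp", "udp"
or "all" rather than IANA numbers, ICMP type/code matching is not modelled, and
the ephemeral port range is the broad 1024-65535 used when the client OS is unknown.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # rule number; lower numbers are evaluated first
    protocol: str      # "tcp", "udp" or "all"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int     # inclusive destination-port range
    port_to: int
    action: str        # "allow" or "deny"

    def matches(self, proto: str, ip: str, port: int) -> bool:
        if self.protocol not in ("all", proto):
            return False
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules, proto: str, ip: str, port: int) -> str:
    """One direction of a NACL: ascending rule number, first match wins, and the
    implicit final '*' rule denies anything that no explicit rule matched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, ip, port):
            return rule.action
    return "deny"


@dataclass(frozen=True)
class Nacl:
    inbound: tuple
    outbound: tuple


def client_request_allowed(nacl: Nacl, client_ip: str, client_port: int,
                           service_port: int, proto: str = "tcp") -> bool:
    """Stateless check for a connection initiated from outside the subnet.

    The request is judged by the inbound rules (source = client, dst port = service
    port); the response is judged separately by the outbound rules (destination =
    client, dst port = the client's ephemeral port). Both must allow, because a
    NACL keeps no connection state."""
    request = evaluate(nacl.inbound, proto, client_ip, service_port)
    response = evaluate(nacl.outbound, proto, client_ip, client_port)
    return request == "allow" and response == "allow"


# Constructed NACLs; 198.51.100.0/24 and 203.0.113.0/24 are RFC 5737 documentation ranges.
# 1. Inbound HTTP allowed but no outbound rule: responses hit the implicit deny.
WEB_NO_EGRESS = Nacl(
    inbound=(Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),),
    outbound=(),
)
# 2. Corrected: an outbound rule covers the client's ephemeral port range.
WEB = Nacl(
    inbound=(Rule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),),
    outbound=(Rule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),),
)
# 3. Explicit deny for one host, numbered below the allow so it is evaluated first.
WEB_BLOCK_HOST = Nacl(
    inbound=(Rule(10, "all", "203.0.113.7/32", 0, 65535, "deny"),) + WEB.inbound,
    outbound=WEB.outbound,
)
# 4. Same deny numbered above the allow: rule 100 matches first, so the block never fires.
WEB_BLOCK_TOO_LATE = Nacl(
    inbound=WEB.inbound + (Rule(200, "all", "203.0.113.7/32", 0, 65535, "deny"),),
    outbound=WEB.outbound,
)


if __name__ == "__main__":
    cases = [("no egress", WEB_NO_EGRESS), ("web", WEB),
             ("block host", WEB_BLOCK_HOST), ("block too late", WEB_BLOCK_TOO_LATE)]
    for name, nacl in cases:
        print(f"{name:15} ordinary client: {client_request_allowed(nacl, '198.51.100.5', 51000, 80)!s:5} "
              f"blocked host: {client_request_allowed(nacl, '203.0.113.7', 51000, 80)}")
```

Running the block shows the two failure modes the text warns about: the NACL with no outbound rule accepts every request but lets no response out, and the deny rule numbered 200 is dead because the allow at 100 already matched. The same evaluate() function can be pointed at rules exported with `aws ec2 describe-network-acls` once they are translated into Rule objects.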