...

Understand and Configure NACLs

Learn about Network Access Control Lists (NACLs) in this lesson.

A network access control list (NACL) is a stateless firewall that controls which network traffic is allowed or denied to enter and leave a subnet. NACLs operate at the subnet level and can only be associated with subnets in a VPC. An NACL does not filter communication between resources within the same subnet; it sits at the subnet boundary and allows or denies the traffic crossing it according to the rules configured. We can add explicit allow or deny rules to an NACL to permit or block a particular range of addresses from communicating with the subnet. Because the NACL is stateless, it keeps no record of connections: the response to an allowed request is evaluated on its own against the rules for the opposite direction, so return traffic (typically arriving on or leaving for ephemeral ports) must be allowed explicitly.

It is important to note that a subnet can only have one NACL associated with it. However, an NACL can be associated with many subnets.

Default NACL

When we create an Amazon VPC, it comes with a default NACL that allows all IPv4 traffic from anywhere in both its inbound and outbound rules. Inbound means traffic entering the subnet; outbound means traffic leaving it. Any subnet that is not explicitly associated with a custom NACL is automatically associated with the default NACL.

Default NACL Inbound Rules

| Rule number | Type        | Protocol | Port range | Source    | Allow/Deny |
|-------------|-------------|----------|------------|-----------|------------|
| 100         | All traffic | All      | All        | 0.0.0.0/0 | Allow      |
| *           | All traffic | All      | All        | 0.0.0.0/0 | Deny       |

The table above shows the inbound rules of a default NACL.
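To make the evaluation semantics concrete, here is a small simulator, added to this lesson as an example and not code from AWS or the original page. It models a NACL as a numbered rule list evaluated in ascending order with first match wins, represents the catch-all `*` rule as a number that sorts after every real rule, and then walks one TCP exchange through a subnet NACL in both directions. The addresses, rule sets and the `Rule`/`Packet`/`evaluate` names are all constructed for the illustration; the default NACL rules match the table above.

```python
"""NACL evaluation simulator (added example; not AWS code).

Semantics modelled:
  * rules are evaluated in ascending rule-number order, first match wins;
  * the '*' rule (modelled as CATCH_ALL) denies anything no numbered rule matched;
  * the NACL is stateless: each direction is evaluated independently, so a
    reply is only delivered if the outbound rules allow it on their own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ALL = "all"            # stands for the 'All' entries in the Protocol / Port range columns
CATCH_ALL = 32767      # '*' rule; AWS numbered rules go up to 32766, so this sorts last


@dataclass(frozen=True)
class Rule:
    number: int                        # priority: lower numbers are evaluated first
    protocol: str                      # "tcp", "udp", "icmp" or ALL
    ports: Optional[Tuple[int, int]]   # inclusive destination port range, None = all ports
    cidr: str                          # source (inbound) or destination (outbound) CIDR
    action: str                        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[str, str]:
    """Return (action, rule_label) for one packet in one direction.

    inbound : the rule CIDR is matched against the packet's source address
    outbound: the rule CIDR is matched against the packet's destination address
    """
    peer = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != ALL and rule.protocol != pkt.protocol:
            continue
        if rule.ports is not None and not (rule.ports[0] <= pkt.dst_port <= rule.ports[1]):
            continue
        if ip_address(peer) not in ip_network(rule.cidr, strict=False):
            continue
        label = "*" if rule.number == CATCH_ALL else str(rule.number)
        return rule.action, label          # first match decides; later rules are never consulted
    return "deny", "*"                      # every real NACL ends in '*' deny; defensive default


def connection_allowed(inbound: List[Rule], outbound: List[Rule],
                       request: Packet, response: Packet) -> bool:
    """Stateless check: the request AND its reply must each pass their own direction."""
    return (evaluate(inbound, request, "inbound")[0] == "allow"
            and evaluate(outbound, response, "outbound")[0] == "allow")


# --- constructed sample data -------------------------------------------------
CLIENT, SERVER = "203.0.113.10", "10.0.1.25"             # RFC 5737 test range / private subnet host
HTTPS_REQUEST = Packet(CLIENT, SERVER, "tcp", 443)
HTTPS_RESPONSE = Packet(SERVER, CLIENT, "tcp", 50123)    # reply goes to the client's ephemeral port

# The default NACL from the table: rule 100 allow everything, '*' deny the rest.
DEFAULT_NACL_RULES = [
    Rule(100, ALL, None, "0.0.0.0/0", "allow"),
    Rule(CATCH_ALL, ALL, None, "0.0.0.0/0", "deny"),
]

# A custom "web subnet" NACL. Inbound is fine; the first outbound set just mirrors
# the inbound rule (a common mistake), the second allows the ephemeral return range.
WEB_INBOUND = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
               Rule(CATCH_ALL, ALL, None, "0.0.0.0/0", "deny")]
WEB_OUTBOUND_BROKEN = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
                       Rule(CATCH_ALL, ALL, None, "0.0.0.0/0", "deny")]
WEB_OUTBOUND_FIXED = [Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
                      Rule(CATCH_ALL, ALL, None, "0.0.0.0/0", "deny")]

# Rule ordering: a deny numbered below the allow takes effect; one numbered above is shadowed.
BLOCKED_NET = "203.0.113.0/24"
DENY_FIRST = [Rule(90, ALL, None, BLOCKED_NET, "deny")] + DEFAULT_NACL_RULES
DENY_LAST = DEFAULT_NACL_RULES + [Rule(110, ALL, None, BLOCKED_NET, "deny")]

if __name__ == "__main__":
    print("default NACL, request :", evaluate(DEFAULT_NACL_RULES, HTTPS_REQUEST, "inbound"))
    print("web NACL, request     :", evaluate(WEB_INBOUND, HTTPS_REQUEST, "inbound"))
    print("broken outbound, reply:", evaluate(WEB_OUTBOUND_BROKEN, HTTPS_RESPONSE, "outbound"))
    print("fixed outbound, reply :", evaluate(WEB_OUTBOUND_FIXED, HTTPS_RESPONSE, "outbound"))
    print("exchange works (broken/fixed):",
          connection_allowed(WEB_INBOUND, WEB_OUTBOUND_BROKEN, HTTPS_REQUEST, HTTPS_RESPONSE),
          connection_allowed(WEB_INBOUND, WEB_OUTBOUND_FIXED, HTTPS_REQUEST, HTTPS_RESPONSE))
    print("deny before allow:", evaluate(DENY_FIRST, HTTPS_REQUEST, "inbound"))
    print("deny after allow :", evaluate(DENY_LAST, HTTPS_REQUEST, "inbound"))
```

Two things the run shows that the table alone does not. First, the mirrored outbound rule lets the request in but drops the reply at `*`, because the NACL has no connection table to recognise the response; the fixed set allows the ephemeral range instead. Second, the deny rule numbered 110 never fires against the blocked network, since rule 100 already matched; to block a range on an otherwise permissive NACL, the deny must carry a lower number than the allow.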

  • Rule number: Each rule in an NACL has a number that determines its priority. The lower the rule number, the higher its priority, and rules are evaluated in ascending order. If traffic matches the rule, that rule is applied and ...