DEV Community

Sunbeom Kweon (Ben)
Sunbeom Kweon (Ben)

Posted on • Edited on

[AWS Quick Post] 1 - NACL

This AWS Quick Post series deals with simple but useful topics about AWS services. The series contains three parts:

  1. What is ... => Talk about the definitions
  2. Did you know ... => Talk about interesting features, properties, etc.
  3. Conclusion => Conclude the post

1. What is ...

NACL?

"A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets." (Amazon Web Services)

So, it is optional. If you don't feel like it, don't need to set it up.

Also, NACL is stateless, which makes it very different from Security Group.

Stateful? Stateless?

But what does it mean by being stateful or stateless? By AWS official documentation,

"These(NACLs) are stateless, meaning any change applied to an incoming rule isn’t automatically applied to an outgoing rule."(Amazon Web Services)

To simplify it, Security Group and NACL both have inbound rule and outbound rule. But the difference is that Security Group's inbound rules must be same as its outbound rules (and actually impossible to set those up differently). On the other hand, NACL's inbound rules and outbound rules are separate, they can be the same, they can be different.

The traffic flows as:

NACL Inbound rules => Security Group rules => NACL Outbound rules.

NACL Number Rule?

Each inbound/outbound rules has a number (1 - 32766). The the lower number will get the higher precedence.

2. Did you know ...

Asterisk Number Rule?

Image description

According to the official doc,

"Each network ACL also includes a rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied. You can't modify or remove this rule." (Amazon Web Services)

Default NACL?

Default NACL is attached with the default VPC. It accepts everything inbound/outbound with the subnets it’s associated with.

On the other hand, newly created NACLs will deny everything by default.

One NACL per subnet, new subnets are assigned the Default NACL

3. Conclusion

  • There is always an default NACL attached to the default subnet.
  • NACLs can be useful when you want to set up inbound rules and outbound rules differently.
  • One NACL per subnet.

Top comments (0)