Network Access Control Lists
Last updated
A network access control list (ACL) is an optional security layer for your VPC.
It acts as a firewall that controls inbound and outbound traffic for one or more subnets.
Subnet-Level Control: Unlike security groups (which apply to ENIs), network ACLs apply to subnets, affecting all traffic entering and leaving the subnet.
Stateless: Each request and response is checked separately. If inbound traffic is allowed, the outbound (return) traffic must also be allowed explicitly, and vice versa.
Additional Layer of Security: Often used together with security groups to provide a second layer of traffic filtering and improve network security.
Purpose: Provide an additional firewall at the subnet level
Applied To: Subnets, controlling traffic for all instances within them
Stateful/Stateless: Stateless; inbound and outbound traffic must be managed separately
An optional security layer in your VPC.
Acts as a stateless firewall for controlling inbound and outbound traffic at the subnet level.
Applies to one or more subnets in a VPC.
Controls traffic entering and leaving subnets, based on defined rules.
Rules can allow or deny traffic based on:
Protocol
Port range
Source/Destination IP
Stateless: Return traffic must be explicitly allowed.
Rule order matters: Rules are evaluated in number order starting from the lowest, and the first rule that matches the traffic is applied.
Can be used to complement security groups (which are stateful).
Purpose: Firewall at the subnet level
Type: Stateless (both inbound and outbound rules needed)
Rule Evaluation: Evaluated in number order (lowest first)
Use Case: Add an extra layer of security beyond security groups
Allow/Deny Traffic: Yes, both allow and deny rules (security groups have allow rules only)