AWS Certified Solutions Architect - Professional
  • AWS Certified Solutions Architect - Professional
  • Analytics
    • Amazon Athena
    • AWS Data Exchange
    • Amazon Data Firehose
    • Amazon EMR
    • AWS Glue
    • Amazon Kinesis Data Streams
    • AWS Lake Formation
    • Amazon Managed Service for Apache Flink
    • Amazon Managed Streaming for Apache Kafka (Amazon MSK)
    • Amazon OpenSearch Service
    • Amazon QuickSight
  • Application Integration
    • Amazon AppFlow
  • AWS AppSync
  • Amazon EventBridge
  • Amazon MQ
  • Amazon Simple Notification Service
  • Amazon Simple Queue Service
  • AWS Step Functions
  • Blockchain
    • Amazon Managed Blockchain
  • Business Applications
    • Amazon Simple Email Service
  • Cloud Financial Management
    • AWS Budgets
    • AWS Cost and Usage Report
  • AWS Cost Explorer
  • Savings Plans
  • COMPUTE
    • AWS App Runner
  • AWS Auto Scaling
  • AWS Batch
  • AWS Elastic Beanstalk
  • Amazon Elastic Compute Cloud
  • Amazon EC2 Auto Scaling
  • AWS Fargate
  • AWS Lambda
  • Amazon Lightsail
  • AWS Outposts
  • AWS Wavelength
  • CONTAINERS
    • Amazon Elastic Container Registry
    • Amazon Elastic Container Service
    • Amazon ECS Anywhere
    • Amazon Elastic Kubernetes Service
    • Amazon EKS Anywhere
    • Amazon EKS Distro
  • DATABASES
    • Amazon Aurora
  • Amazon Aurora Serverless
  • Amazon DocumentDB
  • Amazon DynamoDB
  • Amazon ElastiCache
  • Amazon Keyspaces
  • Amazon Neptune
  • Amazon Relational Database Service
  • Amazon Redshift
  • Amazon Timestream
  • Developer Tools
    • AWS CodeArtifact
    • AWS CodeBuild
    • AWS CodeDeploy
    • Amazon CodeGuru
    • AWS CodePipeline
    • AWS X-Ray
  • End User Computing
    • Amazon AppStream 2.0
  • Amazon Workspaces
  • Frontend Web and Mobile
    • AWS Amplify
    • Amazon API Gateway
    • AWS Device Farm
    • Amazon Pinpoint
  • Internet of Things
    • AWS IoT Core
    • AWS IoT Device Defender
    • AWS IoT Device Management
    • AWS IoT Events
    • AWS IoT Greengrass
    • AWS IoT SiteWise
    • AWS IoT Things Graph
  • AWS IoT 1-Click
  • Machine Learning
    • Amazon Comprehend
    • Amazon Fraud Detector
    • Amazon Kendra
    • Amazon Lex
    • Amazon Personalize
    • Amazon Polly
    • Amazon Rekognition
  • Amazon SageMaker AI
  • Amazon Textract
  • Amazon Transcribe
  • Amazon Translate
  • Management and Governance
    • AWS CloudFormation
    • AWS CloudTrail
    • Amazon CloudWatch
    • Amazon CloudWatch Logs
    • AWS Command Line Interface
    • AWS Compute Optimizer
    • AWS Config
    • AWS Control Tower
    • AWS Health Dashboard
    • AWS License Manager
    • Amazon Managed Grafana
    • Amazon Managed Service for Prometheus
    • AWS Management Console
    • AWS Organizations
    • AWS Proton
    • AWS Service Catalog
    • Service Quotas
    • AWS Systems Manager
    • AWS Trusted Advisor
    • AWS Well-Architected Tool
    • SAML2.0 Identity Federation
    • IAM Identity Center
    • Directory Service
  • Service Control Policies
  • Permissions Boundaries
  • Permissions Evaluation
  • Media Services
    • Amazon Elastic Transcoder
    • Amazon Kinesis Video Streams
  • Migration and Transfer
    • AWS Application Discovery Service
    • AWS Application Migration Service
    • AWS Database Migration Service
    • AWS DataSync
    • AWS Migration Hub
    • AWS Schema Conversion Tool
    • AWS Snow Family
    • AWS Transfer Family
  • Networking and Content Delivery
    • Private and Public AWS Services
    • DHCP In a VPC
    • VPC Router
    • Stateful vs Stateless Firewalls
    • Network Access Control Lists
    • Security Groups
    • AWS Local Zones
    • Border Gateway Protocol
    • AWS Global Accelerator
    • IPSec VPN
    • Site2Site VPN
    • Transit Gateway
    • VPC Routing
    • Accelerated Site-to-Site VPN
    • AWS Client VPN
    • AWS Direct Connect (DX)
    • Route53
    • AWS Private Link
    • VPC
    • Amazon CloudFront
    • Elastic Load Balancing
    • AWS PrivateLink
  • Security, Identity, and Compliance
    • AWS Artifact
    • AWS Audit Manager
    • AWS Certificate Manager
    • AWS CloudHSM
    • Amazon Cognito
    • Amazon Detective
    • AWS Directory Service
    • AWS Firewall Manager
    • Amazon GuardDuty
    • AWS IAM Identity Center
    • AWS Identity and Access Management
    • Amazon Inspector
    • AWS Key Management Service
    • Amazon Macie
    • AWS Network Firewall
    • AWS Resource Access Manager
    • AWS Secrets Manager
    • AWS Security Hub
    • Security Token Service
    • AWS Shield
    • AWS WAF
  • Storage
    • AWS Backup
    • Amazon Elastic Block Store
    • AWS Elastic Disaster Recovery
    • Amazon Elastic File System
    • Amazon FSx
    • Amazon Simple Storage Service
    • Amazon S3 Glacier
    • AWS Storage Gateway
Powered by GitBook
On this page
  • Default NACL
  • Custom NACL
  1. Networking and Content Delivery

Network Access Control Lists

Last updated 7 days ago

  • A network access control list (ACL) is an optional security layer for your VPC.

  • It acts as a firewall that controls inbound and outbound traffic for one or more subnets.

⚙️ Key Features

  • Subnet-Level Control:

    • Unlike security groups (which apply to ENIs), network ACLs apply to subnets, affecting all traffic entering and leaving the subnet.

  • Stateless:

    • Each request and response are checked separately. If inbound traffic is allowed, the outbound traffic must also be allowed explicitly (and vice versa).

  • Additional Layer of Security:

    • Often used in conjunction with security groups to provide a second layer of traffic filtering and improve network security.

🧠 Quick Summary

Feature
Description

Purpose

Provide an additional firewall at the subnet level

Applied To

Subnets, controlling traffic for all instances within

Stateful/Stateless

Stateless: Inbound and outbound traffic must be managed separately

Default NACL

Custom NACL

  • An optional security layer in your VPC.

  • Acts as a stateless firewall for controlling inbound and outbound traffic at the subnet level.

🧱 How It Works

  • Applies to one or more subnets in a VPC.

  • Controls traffic entering and leaving subnets, based on defined rules.

  • Rules can allow or deny traffic based on:

    • Protocol

    • Port range

    • Source/Destination IP

🔁 Key Characteristics

  • Stateless: Return traffic must be explicitly allowed.

  • Rule order matters: Rules are evaluated in order, starting from the lowest number.

  • Can be used to complement security groups (which are stateful).

🧠 Quick Summary

Feature
Description

Purpose

Firewall at the subnet level

Type

Stateless (both inbound & outbound rules needed)

Rule Evaluation

Evaluated in number order (lowest first)

Use Case

Add an extra layer of security beyond security groups

Allows/Deny Traffic

Yes, both (unlike security groups which only allow)