Network Access Control Lists

  • A network access control list (ACL) is an optional security layer for your VPC.

  • It acts as a firewall that controls inbound and outbound traffic for one or more subnets.


⚙️ Key Features

  • Subnet-Level Control:

    • Unlike security groups (which apply to ENIs), network ACLs apply to subnets, affecting all traffic entering and leaving the subnet.

  • Stateless:

    • Each request and response is checked separately. If inbound traffic is allowed, the corresponding outbound (return) traffic must also be allowed explicitly, and vice versa.

  • Additional Layer of Security:

    • Often used in conjunction with security groups to provide a second layer of traffic filtering and improve network security.


🧠 Quick Summary

Feature               Description
Purpose               Provide an additional firewall at the subnet level
Applied To            Subnets, controlling traffic for all instances within
Stateful/Stateless    Stateless: inbound and outbound traffic must be managed separately
Default NACL
Custom NACL

  • An optional security layer in your VPC.

  • Acts as a stateless firewall for controlling inbound and outbound traffic at the subnet level.


🧱 How It Works

  • Applies to one or more subnets in a VPC.

  • Controls traffic entering and leaving subnets, based on defined rules.

  • Rules can allow or deny traffic based on:

    • Protocol

    • Port range

    • Source/Destination IP


🔁 Key Characteristics

  • Stateless: Return traffic must be explicitly allowed.

  • Rule order matters: Rules are evaluated in order, starting from the lowest number.

  • Can be used to complement security groups (which are stateful).
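The evaluation model described under "How It Works" and "Key Characteristics" (lowest rule number first, first match wins, implicit final deny, and stateless handling of the return path) as a small simulator. This is an added example, not code from the original page or from AWS; the rule set, IP addresses and helper names are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp", or "-1" for all protocols
    port_from: int   # inclusive port range; use 0-65535 for "all"
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound


def evaluate(rules, protocol, port, addr):
    """Return "allow"/"deny" from the lowest-numbered matching rule.
    No match falls through to the implicit '*' rule, which denies."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ip_address(addr) not in ip_network(r.cidr):
            continue
        return r.action
    return "deny"


def session_allowed(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check for a TCP client session: the request (inbound to the
    server port) AND the response (outbound to the client's ephemeral port)
    must each be allowed; the ACL keeps no connection state."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    response = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and response == "allow"


# Constructed NACL for a hypothetical public subnet (example values only).
INBOUND = [
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
    Rule(110, "deny", "tcp", 22, 22, "0.0.0.0/0"),
    # Shadowed: rule 110 matches first, so this allow is never reached.
    Rule(120, "allow", "tcp", 22, 22, "203.0.113.0/24"),
]
OUTBOUND = [
    # Ephemeral port range so responses to inbound connections can leave.
    Rule(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),
]
```

Removing the outbound ephemeral-port rule is the classic mistake: the request is admitted but every response is dropped by the implicit deny.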


🧠 Quick Summary

Feature               Description
Purpose               Firewall at the subnet level
Type                  Stateless (both inbound and outbound rules needed)
Rule Evaluation       Evaluated in number order (lowest first)
Use Case              Add an extra layer of security beyond security groups
Allow/Deny Traffic    Yes, both (unlike security groups, which only allow)
