πŸ˜Άβ€πŸŒ«οΈ
AWS Certified Solutions Architect - Professional
  • AWS Certified Solutions Architect - Professional
  • Accounts & Permissions
    • AWS Organizations
    • Service Control Policies
    • Security Token Service
    • Permissions Boundaries
    • Permissions Evaluation
    • AWS Resource Access Manager
    • Service Quotas
  • ADVANCED IDENTITIES & FEDERATION
    • SAML2.0 Identity Federation
    • IAM Identity Center
    • Amazon Cognito
    • Amazon Workspaces
    • Directory Service
    • AWS Control Tower
  • NETWORKING & HYBRID
    • Private and Public AWS Services
    • DHCP In a VPC
    • VPC Router
    • Stateful vs Stateless Firewalls
    • Network Access Control Lists
Powered by GitBook
On this page
  • Default NACL
  • Custom NACL
  1. NETWORKING & HYBRID

Network Access Control Lists

Last updated 10 hours ago

Default NACL

Custom NACL

  • An optional security layer in your VPC.

  • Acts as a stateless firewall for controlling inbound and outbound traffic at the subnet level.

🧱 How It Works

  • Applies to one or more subnets in a VPC.

  • Controls traffic entering and leaving subnets, based on defined rules.

  • Rules can allow or deny traffic based on:

    • Protocol

    • Port range

    • Source/Destination IP

πŸ” Key Characteristics

  • Stateless: Return traffic must be explicitly allowed.

  • Rule order matters: Rules are evaluated in order, starting from the lowest number.

  • Can be used to complement security groups (which are stateful).

🧠 Quick Summary

Feature
Description

Purpose

Firewall at the subnet level

Type

Stateless (both inbound & outbound rules needed)

Rule Evaluation

Evaluated in number order (lowest first)

Use Case

Add an extra layer of security beyond security groups

Allows/Deny Traffic

Yes, both (unlike security groups which only allow)