NACL (Network Access Control List)
💡 Definition
A Network Access Control List (NACL) is an optional layer of security for your VPC that acts as a stateless firewall to control traffic in and out of one or more subnets.
🔑 Key Concepts
- Subnet Level: Controls traffic for a whole Subnet.
- Stateless: Requires explicit rules for both inbound and outbound traffic. If you allow inbound traffic on port 80, you must also explicitly allow outbound return traffic (e.g., ephemeral ports).
- Allow and Deny Rules: You can specify both allow and deny rules.
- Ordered Rules: Rules are processed in order, from lowest number to highest. The first rule that matches the traffic is applied.
- Default Deny: If no rules match, the default action is to deny traffic.
⚙️ How it Works
You associate a NACL with a Subnet. All instances within that subnet are then subject to the rules defined in the NACL.
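To make the ordered, first-match, default-deny behaviour concrete, here is a small rule evaluator written as an added example (it is not code from the page or from AWS). The rule set, the documentation-range IP addresses and the helper names are all constructed for illustration, and the model is deliberately simplified: it handles only TCP/UDP port matching plus an "all traffic" protocol, and it evaluates inbound and outbound rule lists independently, which is exactly what stateless means in practice.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union

@dataclass(frozen=True)
class NaclRule:
    number: int       # rule number; lower numbers are evaluated first
    protocol: str     # "tcp", "udp", or "all" (constructed stand-in for AWS's -1)
    port_from: int
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    action: str       # "allow" or "deny"

Verdict = Tuple[str, Union[int, str]]  # (action, rule number or "*" for the default)

def evaluate(rules: List[NaclRule], ip: str, protocol: str, port: int) -> Verdict:
    """Walk the rules in ascending number order and return the first match.
    If nothing matches, the implicit final '*' rule denies the packet."""
    addr = ip_address(ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all":
            if rule.protocol != protocol:
                continue
            if not (rule.port_from <= port <= rule.port_to):
                continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"

def http_session_allowed(inbound: List[NaclRule], outbound: List[NaclRule],
                         client_ip: str, client_port: int) -> bool:
    """A stateless ACL must allow BOTH halves of a web request explicitly:
    the client's packet to port 80 (inbound) and the server's reply back to
    the client's ephemeral port (outbound)."""
    request_ok = evaluate(inbound, client_ip, "tcp", 80)[0] == "allow"
    reply_ok = evaluate(outbound, client_ip, "tcp", client_port)[0] == "allow"
    return request_ok and reply_ok

# Constructed inbound rule set: a low-numbered deny for a blocklisted range
# sits in front of the broad allows, so it wins for that range only.
INBOUND = [
    NaclRule(90,  "tcp", 0, 65535, "198.51.100.0/24", "deny"),   # blocklisted range
    NaclRule(100, "tcp", 80, 80,   "0.0.0.0/0",       "allow"),  # HTTP from anywhere
    NaclRule(110, "tcp", 443, 443, "0.0.0.0/0",       "allow"),  # HTTPS from anywhere
]

# Constructed outbound rule set: return traffic to client ephemeral ports.
OUTBOUND = [
    NaclRule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

# Same rules, but the deny was numbered AFTER the allow: the blocklist is
# now dead, because rule 100 matches first and evaluation stops there.
MISORDERED_INBOUND = [
    NaclRule(100, "tcp", 80, 80,   "0.0.0.0/0",       "allow"),
    NaclRule(200, "tcp", 0, 65535, "198.51.100.0/24", "deny"),
]

if __name__ == "__main__":
    print(evaluate(INBOUND, "203.0.113.5", "tcp", 80))       # ('allow', 100)
    print(evaluate(INBOUND, "198.51.100.7", "tcp", 80))      # ('deny', 90)
    print(evaluate(INBOUND, "203.0.113.5", "tcp", 22))       # ('deny', '*')
    print(evaluate(MISORDERED_INBOUND, "198.51.100.7", "tcp", 80))  # ('allow', 100)
    print(http_session_allowed(INBOUND, OUTBOUND, "203.0.113.5", 50000))  # True
    print(http_session_allowed(INBOUND, [], "203.0.113.5", 50000))        # False
```

Two things worth checking against your own NACLs after reading this: a deny rule only protects you if its number is lower than every allow it is meant to override, and an inbound allow on port 80 does nothing useful unless an outbound rule covers the ephemeral port range the reply goes back to.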
🎯 Use Cases
- Blacklisting IPs: Explicitly deny traffic from specific malicious IP addresses.
- Layered Security: Provide an additional layer of defense in depth, complementing Security Groups.
- Controlling Traffic to/from Subnets: Defining broad traffic policies for entire segments of your VPC.
💰 Pricing Model
- Free: NACLs are a feature of AWS networking and incur no additional cost.
📝 Exam Tips (CLF-C02)
- NACLs are stateless.
- Operate at the subnet level.
- Can have ALLOW and DENY rules.
- Rules are processed in order (from lowest number).
- Compared to Security Groups (stateful, instance-level, allow only).
See Also:
- VPC
- Security Group
- Subnet