• Articles
  • Tutorials
  • Interview Questions

Network ACLs (NACL) - Control Traffic to Subnets

Network ACLs (NACL) - Control Traffic to Subnets

Now that you know what NACL is, you might be curious about how it actually works and why it’s crucial in AWS architecture. Join us in this blog as we discuss deeper into NACL’s functions and discover its vital role in securing your AWS environment. 

Table of Contents

Unlock the power of AWS VPC with our step-by-step tutorial – Watch now!

Video Thumbnail

Understanding Network Access Control List (NACL) in AWS?

A Network Access Control List (NACL) acts like a virtual firewall for subnets, regulating both incoming and outgoing traffic within them. When you create a Virtual Private Cloud (VPC), it automatically associates a default NACL that permits all inbound and outbound traffic.

NACLs are a powerful tool that can be used to improve the security of your AWS VPC. However, it is important to note that NACLs are just one component of a comprehensive security strategy. To protect your AWS resources, you should also use other security features, such as security groups, IAM roles, and WAF rules.

Components of Network Access Control List (NACL)

Components of NACL

Now that we understand the basics, let’s explore the key components that make up Network Access Control Lists (NACLs) in AWS.

  1. Rule Number: Each rule is assigned a unique number, and they are evaluated in ascending order. Once a rule matches incoming or outgoing traffic, it is immediately applied, even if higher-numbered rules contradict it.
  2. Protocol: You have the flexibility to define any standard protocol, such as HTTP, HTTPS, ICMP, SSH, etc., when configuring rules for the ACL.
  3. Inbound Rules: Inbound rules determine the source of incoming traffic and the destination port it is allowed to reach.
  4. Outbound Rules: Outbound rules specify the destination for outgoing traffic and the destination port it can access.

Types of Network ACL

Types of Network ACL

With a clear understanding of NACL components, let’s now explore the various types of Network Access Control Lists (NACLs) available in AWS.

  • Default Network ACL
  • Custom Network ACL

EPGC in Cyber Security and Ethical Hacking

Default Network ACL

The default network ACL permits unrestricted traffic to enter or exit the associated subnet. Additionally, every network ACL includes a rule marked with an asterisk rule number, responsible for denying traffic that doesn’t match any numbered rules. This particular rule is immutable and cannot be altered or deleted.

Rule # Type Protocol Port Range Source Allow/Deny
200 HTTP Inbound TCP 80 10.0.0.0/24 Allow
201 HTTPS Inbound TCP 443 10.0.0.0/24 Allow
202 SSH Inbound TCP 22 192.168.1.0/24 Allow
203 RDP Inbound TCP 3389 192.168.1.0/24 Allow
* All Traffic ALL ALL 0.0.0.0/0 Deny

In this example, the above table is a default Network ACL table, which is associated with a subnet.

  • Rule 200 allows incoming HTTP traffic (port 80) from the source IP range 10.0.0.0/24.
  • Rule 201 allows incoming HTTPS traffic (port 443) from the same source IP range 10.0.0.0/24.
  • Rule 202 permits SSH traffic (port 22) from the source IP range 192.168.1.0/24.
  • Rule 203 allows RDP traffic (port 3389) from the same source IP range 192.168.1.0/24.
  • The wildcard rule (*) at the bottom denies all other incoming and outgoing traffic, providing a default security posture that allows only specific types of traffic from specified source IP ranges while denying all other traffic.

Custom Network ACL

A Custom Network ACL is a user-defined access control list that lets you customize your network security policies. It’s sometimes called a Security Group in certain cloud environments.

Rule # Type Protocol Port Range Source Allow/Deny
100 HTTP Inbound TCP 80 10.0.0.0/24 Allow
101 HTTPS Inbound TCP 443 10.0.0.0/24 Allow
102 SSH Inbound TCP 22 192.168.1.0/24 Allow
103 RDP Inbound TCP 3389 192.168.1.0/24 Allow
* All Traffic ALL ALL 0.0.0.0/0 Deny

In this example:

  • Rule 100 allows incoming HTTP traffic (port 80) from the source IP range 10.0.0.0/24.
  • Rule 101 permits incoming HTTPS traffic (port 443) from the same source IP range 10.0.0.0/24.
  • Rule 102 allows SSH traffic (port 22) from the source IP range 192.168.1.0/24.
  • Rule 103 permits RDP traffic (port 3389) from the same source IP range 192.168.1.0/24.
  • The wildcard rule (*) at the end serves as a catch-all, denying all incoming and outgoing traffic, providing a default security posture that allows only specific types of traffic from specified source IP ranges while blocking everything else. This custom Network ACL offers fine-grained control over traffic, allowing or denying access based on defined rules.

Get 100% Hike!

Master Most in Demand Skills Now!

Creating a Network ACL

  • Log in to the AWS Management Console.
  • Navigate to the VPC service located under Networking and Content Delivery.
Creating a Network ACL
  • Select “Your VPCs” on the left-hand side of the console. In previous discussions, we have established a custom VPC named “Intellipaat.”
Creating a Network ACL
  • On the left-hand side of the console, click on “Network ACLs.”
Creating a Network ACL
  • Choose “Create Network ACL.”
Creating a Network ACL
  • Provide the necessary information to create a Network ACL.
Creating a Network ACL

The screen below confirms the successful creation of the Network ACL.

Creating a Network ACL

EC Council Accredited Certified Ethical Hacking Certification

Network ACLs Vs. Security groups  – What is the Difference?

Network ACLs Vs. Security groups

To start, let’s learn what Security groups are in AWS before we discuss the differences between nacl and security group. Security groups are an important part of AWS network security, serving as virtual firewalls for your Amazon Elastic Compute Cloud (EC2) instances. Here are the following differences given below:

NACL (Network Access Control List) Security Group
It can use rules to say “yes” or “no,” and at the start, it says “no” to everything. You have to create a rule to decide whether to allow or deny something. It only allows rules that say “yes, you can come in,” and by default, it says “no” to everything. You can’t use it to say “no” when someone wants to make a connection.
It works in a way where what you do for incoming stuff doesn’t automatically apply to outgoing stuff. For example, if you decide to let things come in through port 80, you have to decide separately if things can go out through port 80. It’s like having a two-way conversation. When you make a rule for people coming in, it automatically applies the same rule to people going out. For example, if you want to let people in through port 80, you also need to set a rule to let them out through port 80.
It’s linked to a subnet. It’s linked to or connected to an EC2 instance.
Rules are looked at one by one, starting with the rule with the smallest number. All the rules are checked first to decide if traffic should be allowed.
NACL is automatically used for all the instances that are connected to a network. A Security group is used for an instance only when you say which group to use when you start the instance.
It’s like the second line of defense. It’s like the first wall of protection.

Conclusion

Network Access Control Lists (NACLs) are like invisible yet indispensable gatekeepers of your AWS cloud infrastructure. You can use these versatile components to control network traffic in your virtual networks carefully. This fine-grained security layer allows only authorized communication to flow in and out. AWS users can use default NACLs for basic protection and custom NACLs for more specific security policies. This gives them the ability to create strong defenses against potential threats.

NACLs are important for AWS network security. They work with security groups, which handle different security aspects. NACLs control traffic at the subnet level, using IP addresses and rules. Security groups manage access at the instance level, based on group memberships. These tools work together to defend against cyber threats. AWS users can feel confident navigating the cloud securely and protecting their assets.

Frequently Asked Questions (FAQs)

What is the difference between NACL and Security groups in AWS?

NACL is network-level security for subnets, while Security groups are instance-level firewalls. NACL operates at the subnet level, whereas Security groups work at the instance level.

What is the full form of NACL in networking?

NACL stands for in networking Network Access Control List in AWS.

What is AWS NACL level?

NACL operates at the subnet level within an Amazon Virtual Private Cloud (VPC).

Is NACL stateful or stateless?

NACL is stateless, meaning inbound and outbound rules are separate and do not automatically permit return traffic.

Course Schedule

Name Date Details
Cyber Security Course 14 Dec 2024(Sat-Sun) Weekend Batch View Details
21 Dec 2024(Sat-Sun) Weekend Batch
28 Dec 2024(Sat-Sun) Weekend Batch

About the Author

Lead Penetration Tester

Shivanshu is a distinguished cybersecurity expert and Penetration tester. He specialises in identifying vulnerabilities and securing critical systems against cyber threats. Shivanshu has a deep knowledge of tools like Metasploit, Burp Suite, and Wireshark.