
AWS NACLs – Network Access Control Lists


The AWS Network Access Control List (NACL) is a security layer for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.


NACLs vs. Security Groups


NACLs and Security Groups (SGs) have similar purposes. Both filter traffic according to rules, to ensure that only authorized traffic is routed to its destination.




NACLs are used to control access to network resources. They reside on subnets and evaluate traffic against rules that you define, to determine whether or not traffic should be allowed to pass through the subnet.


NACLs are “STATELESS” which means they require you to create separate rules for BOTH INCOMING AND OUTGOING traffic. Just because a particular data stream is allowed into the subnet, this doesn’t mean it will automatically be allowed out.


NACL rules are processed in numerical, i.e. serial, order. And because NACLs are stateless, if you want traffic to be permitted both in and out of a subnet, you have to set network access rules for both directions.


NACLs are automatically applied to everything within that subnet, so there is no need to apply NACLs to individual resources as they are created. This means less network admin overhead for managers.



Security Groups


Security Groups apply to EC2 instances and operate like a host-based firewall. As with NACLs, they apply rules that determine whether traffic to or from a given EC2 instance should be allowed.


This provides for more finely tuned traffic control for resources that have specific network traffic requirements.


Security Groups, unlike NACLs, are stateful; this means that any traffic that is allowed into your EC2 instance will automatically be allowed out again, and vice versa.


All security group rules are evaluated according to a default “deny everything unless allowed” policy. This means that if no ALLOW rule exists, the traffic will be blocked.


Security Groups must be applied at the time of resource creation and have to be explicitly configured.



Similarities and Differences Between NACLs and Security Groups


Both NACLs and Security Groups utilize rules that prevent unwanted traffic from accessing your network. The rules themselves also look similar. But a notable difference between them is that NACLs allow for DENY rules to be explicitly created.


It is important to ensure that your security group rules and your NACLs are not working against one another, so you need to understand when it is best to use NACLs and when it is best to use SGs.


The major difference between them is in where they are applied. NACLs are applied at the SUBNET level, while Security Groups are applied at the EC2 instance level.


NACLs protect the network while Security Groups protect the resource.


As NACLs are higher up in the architecture, they apply to a much wider set of resources. Any NACL rule you create will therefore impact the operation of every resource located within the subnet.


Security Groups on the other hand only affect the EC2 instances to which they are attached.



When to Use NACLs


NACLs are best used sparingly. Because NACLs apply to the full set of resources in a subnet, their impact is wide and substantial.


NACLs are most effective for filtering external traffic to internal subnets. They can also be useful for applying traffic controls between the subnets themselves.




Best Practices for Using NACLs


Use NACLs sparingly and deploy them based on the function of the subnet they are attached to


Keep NACLs simple and only use them to deny traffic if possible


Restrict who can create or modify NACLs through IAM rules


Build your Security Group rules into your NACLs


Ensure that your inbound and outbound rules make sense, i.e. that they match


When numbering your NACLs, be sure to leave room for future rules


Audit your rules frequently and delete any rules that are unused or redundant


Deploy NACLs to also control your subnet-to-subnet traffic and ensure logical separation between them



NACLs – Essential Points To Remember For Exam


One NACL per subnet


New subnets always get assigned to a default NACL – this ALLOWS all traffic in and out by default!


BUT – newly created NACLs DENY by default! – if the last rule is an * (asterisk)


Rules are numbered from 1 to 32766 – and the LOWEST numbers have the HIGHEST priority!


Number your rules in steps of 100 for ease of admin.


So if a rule numbered 100 allows and another rule numbered 200 denies the same traffic, then rule number 100 will win – i.e. the traffic will be allowed.


Remember the basic essential differences between NACLs and SGs





Security Groups

operate at EC2 instance level

support allow rules only

are STATEFUL – which means return traffic is ALWAYS automatically allowed, regardless of rules

apply to an EC2 instance when specified


NACLs

operate at SUBNET level

support both ALLOW AND DENY rules

are STATELESS – which means return traffic has to be explicitly allowed by setting appropriate NACL rules – using ephemeral ports

rules are evaluated in order from LOWEST to HIGHEST, lowest first match wins

automatically apply to all EC2s in the respective subnet.
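
The rule-ordering and statelessness points above can be checked with a small offline model. This is an added example, not AWS code or part of the original article: the `Rule` class, the `evaluate` and `round_trip` helpers, the sample rule sets and the 1024-65535 ephemeral range are all assumptions made for illustration, and protocol matching is left out to keep it to one case (TCP).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # 1..32766; lowest number is evaluated first
    action: str      # "allow" or "deny"
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int
    port_to: int

def evaluate(rules, remote_ip, port):
    """Return (action, rule number) of the first matching rule, lowest number first."""
    for r in sorted(rules, key=lambda r: r.number):
        if ip_address(remote_ip) in ip_network(r.cidr) and r.port_from <= port <= r.port_to:
            return r.action, r.number
    return "deny", "*"   # final * rule: anything no numbered rule matched is denied

def round_trip(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check: the request must pass inbound AND the reply must pass outbound."""
    req = evaluate(inbound, client_ip, server_port)
    # The reply leaves the subnet addressed to the client's ephemeral source port.
    rep = evaluate(outbound, client_ip, client_port)
    return req[0] == "allow" and rep[0] == "allow", req, rep

# Constructed sample rule sets (documentation-range IP addresses)
INBOUND = [
    Rule(90, "deny", "198.51.100.0/24", 443, 443),   # explicit DENY placed ahead of the allow
    Rule(100, "allow", "0.0.0.0/0", 443, 443),
    Rule(200, "deny", "0.0.0.0/0", 443, 443),        # never reached: rule 100 matches first
]
OUTBOUND_MISSING = []                                 # no outbound rules, only the * deny
OUTBOUND_FIXED = [Rule(100, "allow", "0.0.0.0/0", 1024, 65535)]  # assumed ephemeral range

if __name__ == "__main__":
    print(evaluate(INBOUND, "203.0.113.10", 443))     # rule 100 beats rule 200
    print(evaluate(INBOUND, "198.51.100.7", 443))     # rule 90 beats rule 100
    print(round_trip(INBOUND, OUTBOUND_MISSING, "203.0.113.10", 50000, 443))
    print(round_trip(INBOUND, OUTBOUND_FIXED, "203.0.113.10", 50000, 443))
```

With a Security Group the third case would succeed, because the reply is tracked as part of the allowed connection; with a NACL it fails until the outbound ephemeral-port rule is added.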



Reachability Analyzer


The Reachability Analyzer is an AWS web-dashboard tool you can use to check network reachability from a source to a destination on a specifically named port. Each check currently incurs a cost of 10c.


This is very useful in debugging any SG or NACL traffic problems.




