Intro:
Here’s twtech
Overview of the Default Network ACL (NACL) in AWS
Focus:
- How the Default Network ACL (NACL) works,
- Default Network ACL (NACL) characteristics,
- Default Network ACL (NACL) behavior,
- Default Network ACL (NACL) best practices.
Breakdown:
- The Concept: Network ACL (NACL),
- Default NACL Characteristics,
- Default NACL Rule Behavior,
- Default NACL in Action,
- NACL vs Security Group Recap,
- Visual: Default NACL in a VPC.
The Concept: Network ACL (NACL)
- A Network Access Control List (NACL) is an optional stateless firewall that controls inbound and outbound traffic at the subnet level in a VPC.
- Every VPC automatically comes with a default NACL, which twtech can modify but not delete.
Default NACL Characteristics

| Attribute | Description |
|---|---|
| Automatic Creation | Every VPC is created with one default NACL. |
| Association | Automatically associated with every subnet that has not been explicitly associated with a custom NACL. |
| Rules | By default, allows all inbound and all outbound IPv4 traffic; once the VPC has an IPv6 CIDR block, AWS adds a matching allow-all rule (rule 101) for IPv6. |
| Stateless | Return traffic must be explicitly allowed by separate rules in the opposite direction. In a restrictive NACL that means allowing the ephemeral port range (for example 1024-65535) for replies. The default rules already allow everything, so this only bites once twtech starts restricting. |
| Editable | twtech can add, modify, or delete rules, including the default rule 100 "allow all" entries. Only the final "*" deny rule cannot be changed or removed. |
| Replaceable | twtech can associate subnets with a custom NACL instead, but the default NACL itself cannot be deleted and remains in the VPC. |
| Rule Evaluation | Rules are evaluated in ascending order by rule number (starting from the lowest). The first matching rule wins; a later rule never overrides an earlier match. |
Default NACL Rule Behavior

| Rule Type | Rule # | Protocol | Port Range | Source/Destination | Action |
|---|---|---|---|---|---|
| Inbound | 100 | All | All | 0.0.0.0/0 | ALLOW |
| Inbound | 101 | All | All | ::/0 | ALLOW (only present once the VPC has an IPv6 CIDR block) |
| Outbound | 100 | All | All | 0.0.0.0/0 | ALLOW |
| Outbound | 101 | All | All | ::/0 | ALLOW (only present once the VPC has an IPv6 CIDR block) |
| Inbound and Outbound (implicit) | * | All | All | All | DENY |

NB:
If twtech doesn't add any other rules, the default NACL is wide open: all traffic is allowed both ways, and the implicit "*" deny at the end is never reached.
Default NACL in Action
When twtech launches a VPC and creates subnets, those subnets are associated with the default NACL unless twtech explicitly associates a custom one.
Example:
- VPC: 10.0.0.0/16
- Subnets:
  - Public Subnet (10.0.1.0/24)
  - Private Subnet (10.0.2.0/24)
- Default NACL: Allows all inbound/outbound traffic for both.
This means, at the NACL layer:
- Internet → EC2 in public subnet → Allowed
- EC2 in private subnet → RDS in private subnet → Allowed
- No traffic is blocked by the NACL layer; whether it is blocked at all then depends on the Security Groups (and, for the internet path, on the route table).
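To make the rule-behavior table and the example above concrete, here is an offline model of how a NACL judges a packet: rules tried in ascending rule-number order, first match wins, unmatched packets hit the implicit "*" deny, and, because the NACL is stateless, the reply to an allowed request is judged as its own packet in the other direction. This is an added example, not code from the original post and not an AWS API. The hardened rule set, the admin range 203.0.113.0/24 and the client address 198.51.100.7 are constructed for illustration; the default rule set is the one from the table (IPv4 rule 100 only, since the example VPC has no IPv6 CIDR block).

```python
"""Offline model of AWS network ACL (NACL) evaluation (added example, not AWS code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int                 # AWS accepts 1..32766; the '*' deny is implicit, not a Rule
    protocol: str               # 'all', 'tcp', 'udp' or 'icmp'
    port_from: Optional[int]    # None means every port (used when protocol is 'all')
    port_to: Optional[int]
    cidr: str                   # IPv4 or IPv6 CIDR; a v4 address never matches a v6 CIDR
    action: str                 # 'allow' or 'deny'


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int                   # destination port of this packet
    peer: str                   # remote address: source for inbound, destination for outbound


def _matches(rule: Rule, pkt: Packet) -> bool:
    if rule.protocol != "all" and rule.protocol != pkt.protocol:
        return False
    if rule.port_from is not None and not (rule.port_from <= pkt.port <= rule.port_to):
        return False
    # ip_network.__contains__ is False across IP versions, so ::/0 never matches 10.0.0.1
    return ip_address(pkt.peer) in ip_network(rule.cidr)


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """Return (action, rule number) of the first matching rule, else ('deny', '*')."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, pkt):
            return rule.action, str(rule.number)
    return "deny", "*"           # the implicit final rule that cannot be edited or removed


def tcp_flow_allowed(inbound: List[Rule], outbound: List[Rule],
                     client: str, client_port: int, server_port: int) -> bool:
    """Stateless check of one inbound TCP connection: request judged inbound, reply judged outbound."""
    request = Packet("tcp", server_port, client)   # client -> server
    reply = Packet("tcp", client_port, client)     # server -> client, on the client's ephemeral port
    return (evaluate(inbound, request)[0] == "allow"
            and evaluate(outbound, reply)[0] == "allow")


# The default NACL from the table: one allow-all IPv4 rule each way (rule 101 for ::/0 is
# only added by AWS once the VPC has an IPv6 CIDR block, which the example VPC does not).
DEFAULT_INBOUND = [Rule(100, "all", None, None, "0.0.0.0/0", "allow")]
DEFAULT_OUTBOUND = [Rule(100, "all", None, None, "0.0.0.0/0", "allow")]

# Hypothetical hardened NACL for the public subnet 10.0.1.0/24: HTTPS in from anywhere,
# SSH only from a constructed admin range, and replies out on ephemeral ports.
HARDENED_INBOUND = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    Rule(120, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to outbound connections
]
HARDENED_OUTBOUND = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),   # replies to inbound connections
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # outbound HTTPS, e.g. package updates
]
# Same inbound rules, but the operator forgot the ephemeral-port outbound rule.
BROKEN_OUTBOUND = [Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    client = "198.51.100.7"                      # constructed internet client address
    print("default, HTTPS :", tcp_flow_allowed(DEFAULT_INBOUND, DEFAULT_OUTBOUND, client, 51515, 443))
    print("default, SSH   :", tcp_flow_allowed(DEFAULT_INBOUND, DEFAULT_OUTBOUND, client, 51515, 22))
    print("hardened, HTTPS:", tcp_flow_allowed(HARDENED_INBOUND, HARDENED_OUTBOUND, client, 51515, 443))
    print("hardened, SSH  :", tcp_flow_allowed(HARDENED_INBOUND, HARDENED_OUTBOUND, client, 51515, 22))
    print("broken, HTTPS  :", tcp_flow_allowed(HARDENED_INBOUND, BROKEN_OUTBOUND, client, 51515, 443))
    # First match wins: a deny numbered below the allow takes effect; one numbered above is shadowed.
    shadowed = HARDENED_INBOUND + [Rule(200, "tcp", 443, 443, "0.0.0.0/0", "deny")]
    blocking = HARDENED_INBOUND + [Rule(90, "tcp", 443, 443, "198.51.100.0/24", "deny")]
    print("deny at 200    :", evaluate(shadowed, Packet("tcp", 443, client)))
    print("deny at 90     :", evaluate(blocking, Packet("tcp", 443, client)))
```

The "broken" case is the one to remember: the inbound rules look right, the request is admitted, and the connection still fails because the reply on the client's ephemeral port hits the outbound "*" deny. The shadowed deny at 200 shows why rule numbering, not rule count, decides what a NACL does.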
NACL vs Security Group Recap

| Feature | Security Group | NACL |
|---|---|---|
| Applies To | ENI (instance level) | Subnet level |
| Statefulness | Stateful | Stateless |
| Default Behavior | A new custom group denies all inbound and allows all outbound | Allow all (default NACL) |
| Evaluation | All rules are evaluated; any matching allow rule permits the traffic (there are no deny rules) | In order (lowest number first); first match wins |
| Use Case | Instance-specific protection | Subnet-level layer of defense |
Visual: Default NACL in a VPC
Below is a conceptual diagram showing how the default NACL applies to subnets and how traffic flows through the VPC.