In Amazon Virtual Private Cloud (VPC), a network ACL (NACL) is an optional extra layer of security for the VPC. It acts like a firewall that controls traffic entering and leaving one or more subnets. A common practice for defence in depth is to use NACLs in addition to security groups: the security group filters traffic at the instance level and is stateful, while the NACL filters traffic at the subnet level and is stateless, so it controls inbound and outbound traffic with separate, independent rule sets.
General characteristics of an NACL:
- An NACL can be associated with one or more subnets, but a single subnet is associated with exactly one NACL.
- It enforces security at the subnet level and is not intended for granular, per-instance control; it applies to every instance in the subnets it is associated with.
- NACL rules are numbered and are evaluated from the lowest rule number to the highest; the first rule that matches the traffic is applied, and traffic matching no rule is denied.
- An inbound rule consists of:
  - Rule number
  - Protocol (port / port range)
  - The source of the traffic (Classless Inter-Domain Routing (CIDR) block / prefix)
- An outbound rule consists of:
  - Rule number
  - Protocol (port / port range)
  - The destination of the traffic (CIDR block / prefix)
- A rule can have one of the following actions:
  - Allow – allows the matching traffic
  - Deny – denies the matching traffic
- NACLs are stateless: return traffic is not tracked or automatically permitted, so a connection allowed by an inbound rule also needs an outbound rule covering the reply (typically the client's ephemeral port range), and vice versa.
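The rule-evaluation order and the stateless behaviour described above, as an added example that is not part of the original page or of AWS itself: a small Python simulator of NACL semantics. The `Rule` class, `evaluate` and `https_session_allowed` functions, and all rule numbers, CIDR blocks and ports are constructed for illustration.

```python
"""Simulator of VPC NACL rule evaluation (added example, not AWS code).
Rules are tried from the lowest number upward; the first match decides
allow/deny; no match hits the implicit final '*' deny. Because NACLs are
stateless, the reply leg of a connection is checked against the other
direction's rules. All rule numbers, CIDRs and ports are constructed samples.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order, lowest first
    protocol: str    # 'tcp', 'udp', 'icmp' or 'all'
    port_from: int   # inclusive port range, ignored when protocol is 'all'
    port_to: int
    cidr: str        # source CIDR (inbound rule) or destination CIDR (outbound rule)
    action: str      # 'allow' or 'deny'


def evaluate(rules, protocol, port, address):
    """Return (action, rule_number) for one packet; rule_number None = implicit deny."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ('all', protocol):
            continue
        if rule.protocol != 'all' and not rule.port_from <= port <= rule.port_to:
            continue
        if addr not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number   # first match wins
    return 'deny', None


# Constructed sample NACL for a subnet hosting a web server.
INBOUND = [
    Rule(90, 'tcp', 22, 22, '10.99.0.0/16', 'deny'),       # block SSH from one internal range
    Rule(100, 'tcp', 443, 443, '0.0.0.0/0', 'allow'),      # HTTPS from anywhere
    Rule(200, 'tcp', 22, 22, '10.0.0.0/8', 'allow'),       # SSH from the rest of the corporate range
]
OUTBOUND = [
    Rule(100, 'tcp', 443, 443, '0.0.0.0/0', 'allow'),      # instances may call external HTTPS APIs
    # Missing: an allow for ephemeral ports 1024-65535, so replies to inbound HTTPS are dropped.
]
OUTBOUND_FIXED = OUTBOUND + [Rule(110, 'tcp', 1024, 65535, '0.0.0.0/0', 'allow')]


def https_session_allowed(client_ip, outbound=OUTBOUND):
    """Stateless check: the request (inbound, dst 443) and the reply (outbound,
    dst = client's ephemeral port) must each be allowed by its own rule set."""
    request = evaluate(INBOUND, 'tcp', 443, client_ip)
    reply = evaluate(outbound, 'tcp', 49152, client_ip)
    return request[0] == 'allow' and reply[0] == 'allow'
```

With `OUTBOUND` as written the HTTPS session fails even though the inbound rule allows it, which is the classic stateless-NACL mistake; `OUTBOUND_FIXED` shows the ephemeral-port rule that repairs it.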