Network Access Control List (Network ACL)
- It works at the subnet level.
- It is a function performed by the VPC's implied router to control and manage traffic.
- A network ACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.
- Your VPC automatically comes with a modifiable default network ACL. By default it allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- You can create a custom network ACL and associate it with a subnet.
- Each custom network ACL denies all inbound and outbound traffic by default until you add rules.
- Each subnet in your VPC must be associated with a network ACL. If you do not explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
- A network ACL is stateless: if traffic is allowed inbound, that does not mean the corresponding outbound (return) traffic is allowed automatically.
- You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time.
- When you associate a network ACL with a subnet, the previous association is removed.
- A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest-numbered rule, so the ACL is applied in sorted order. Example:
  - Rule 100: Permit 80
  - Rule 200: Permit 80
  - Rule 300: Deny ALL
- Rule numbers should be multiples of 100 so that a new rule can be inserted between existing ones later if required.
- You can have permit and deny rules in a network ACL.
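To make the evaluation order and the stateless behaviour concrete, here is an added Python model (not AWS code and not part of the original notes) that walks one packet through a rule list in ascending rule-number order, first match wins, with the implicit final deny. The rule numbers follow the example above; the client address 203.0.113.10 and the ephemeral port 49152 are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int            # evaluated from the lowest number upward
    action: str            # "allow" or "deny"
    protocol: str          # "tcp", "udp", "icmp" or "all"
    port_from: int = 0     # inclusive port range (ignored for "all")
    port_to: int = 65535
    cidr: str = "0.0.0.0/0"

def evaluate(rules, protocol, port, peer_ip):
    """Return (allowed, matched_rule_number) for one packet.

    First matching rule wins; if nothing matches, the implicit final "*"
    rule denies the packet. No connection state is consulted: a reply is
    judged on its own against the rules for its own direction.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not (rule.port_from <= port <= rule.port_to):
            continue
        if ip_address(peer_ip) not in ip_network(rule.cidr):
            continue
        return rule.action == "allow", rule.number
    return False, "*"

# Constructed inbound list: the three rules from the notes above.
INBOUND = [
    Rule(100, "allow", "tcp", 80, 80),
    Rule(200, "allow", "tcp", 80, 80),   # never reached, rule 100 already matches
    Rule(300, "deny", "all"),
]
# Two candidate outbound lists for the same subnet.
OUTBOUND_EMPTY = []                                   # custom ACL before any rules are added
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "allow", "tcp", 1024, 65535)]

def http_request_allowed(client_ip="203.0.113.10"):
    """Inbound TCP SYN to port 80 from the client (constructed address)."""
    return evaluate(INBOUND, "tcp", 80, client_ip)

def http_reply_allowed(outbound_rules, client_ip="203.0.113.10", client_port=49152):
    """The server's reply leaving the subnet toward the client's ephemeral port."""
    return evaluate(outbound_rules, "tcp", client_port, client_ip)

if __name__ == "__main__":
    print(http_request_allowed())                         # (True, 100)
    print(http_reply_allowed(OUTBOUND_EMPTY))             # (False, '*')
    print(http_reply_allowed(OUTBOUND_WITH_EPHEMERAL))    # (True, 100)
```

The second call shows why a custom ACL that only allows inbound port 80 still breaks HTTP: the reply is dropped by the implicit deny until an outbound rule for the ephemeral port range is added.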
Security Group vs Network ACL
| Security Group | Network ACL |
|---|---|
| Operates at the instance level, i.e. applies to the instance only | Operates at the subnet level |
| Supports allow rules only | Supports both allow and deny rules |
| Stateful: return traffic is automatically allowed | Stateless: return traffic must be explicitly allowed by rules |