NACLs vs Security Groups Flashcards
How many NACLs can a subnet be associated with?
One
What’s the default NACL configuration for a VPC?
Your VPC automatically comes with a modifiable default network ACL.
By default, it ALLOWS ALL inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
What’s the default custom NACL configuration?
You can create a custom network ACL and associate it with a subnet.
By default, each custom network ACL DENIES ALL inbound and outbound traffic until you add rules.
What happens if you don’t explicitly associate a subnet with a NACL?
Each subnet in your VPC must be associated with a network ACL.
If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
Can you associate a NACL with multiple subnets?
Can you associate a subnet with multiple NACLs?
You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time.
When you associate a network ACL with a subnet, the previous association is removed.
How does AWS recommend you number your NACL rules?
A network ACL contains a numbered list of rules evaluated in order, starting with the lowest numbered rule, to determine whether traffic is allowed in or out of any subnet associated with the network ACL. The highest number that you can use for a rule is 32766.
We recommend that you start by creating rules with rule numbers that are multiples of 100, so that you can insert new rules where you need to later on.
Does a NACL have separate in and outbound rules?
Yes
A network ACL has separate inbound and outbound rules, and each rule can either allow or deny traffic.
Are NACLs stateless?
Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).
What do Security Groups act as a firewall for?
EC2 Instances (as long as an instance is associated with a SG)
They control in/out traffic at the instance level
What do Network Access Control Lists act as a firewall for?
Subnets (and therefore all instances in those subnets)
They control in/out traffic at the subnet level
What do flow logs do?
Where is their data published to?
They capture information about the IP traffic going in and out of the network interfaces in the VPC.
The data is published to CloudWatch Logs.
Can you secure VPC instances with only Security Groups, and add NACLs as a second layer of defense?
Yes
Do Security Groups support Allow Rules, Deny Rules or both?
Allow Rules only
Do NACLs support allow rules, deny rules, or both?
Both
Is return traffic automatically allowed for a Security Group?
Yes, because Security Groups are stateful.