VPC NACLs Flashcards

1
Q

What is a Network Access Control List (NACL)?

A

A NACL is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.

2
Q

How do NACLs operate in AWS?

A

NACLs operate at the subnet level and provide a rule-based tool for controlling network traffic. They support both allow and deny rules and are stateless, meaning responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa).

3
Q

What distinguishes a NACL from a Security Group?

A

NACLs are stateless, apply to an entire subnet, and can evaluate a set of rules to deny or allow traffic. In contrast, Security Groups are stateful, apply to individual instances, and by default, deny all inbound traffic while allowing all outbound.

4
Q

How are rules evaluated in a NACL?

A

Rules in a NACL are evaluated in order starting from the lowest numbered rule to the highest. This allows you to finely tune traffic rules by placing more specific rules at lower numbers.

5
Q

What types of rules can you set in a NACL?

A

You can set both inbound and outbound traffic rules in a NACL, specifying whether to allow or deny traffic based on protocols, source IP addresses, destination IP addresses, and ports.

6
Q

Can a VPC have multiple NACLs?

A

Yes, a VPC can have multiple NACLs. Each subnet in a VPC must be associated with a NACL, but you can create custom NACLs and associate them with specific subnets as needed.

7
Q

What happens to traffic that does not match any NACL rule?

A

Traffic that does not match any rule in a NACL is automatically denied, as NACLs apply a default "deny all" rule if no match is found within the numbered rules.

8
Q

Is it possible to associate a subnet with more than one NACL?

A

No, a subnet can be associated with only one NACL at a time. However, you can change which NACL a subnet is associated with at any time.

9
Q

What is the purpose of using NACLs in a VPC?

A

The purpose of using NACLs in a VPC is to add an additional layer of security that helps to control traffic entering and leaving subnets within a VPC, enhancing the network’s security posture against unauthorized access or attacks.

10
Q

How does one configure NACLs for a new subnet in AWS?

A

When a new subnet is created in AWS, it is automatically associated with the VPC’s default NACL, which allows all inbound and outbound traffic. You can modify this by either editing the default NACL’s rules or creating a new NACL and associating it with the subnet.
