ACLs – Configuring Infrastructure Security – SCS-C02 Study Guide

NACLs

NACLs (network access control lists) are a type of security control used in VPC environments that act as a firewall for inbound and outbound traffic at the subnet level. They are stateless: each packet is evaluated on its own, with no memory of the connection it belongs to, so the return traffic of a permitted connection must itself be allowed by a rule in the opposite direction.

The primary role of NACLs in VPC security is to provide an additional layer of defense for the VPC by filtering traffic at the subnet level. This can help prevent unauthorized access to resources within the VPC and limit the impact of potential security breaches. NACLs can also be used to implement controls that are not possible with security groups (the other type of traffic filter used in VPCs), such as explicitly denying traffic from a specific CIDR range, because security group rules can only allow traffic.

NACLs are associated with subnets, and the rules within each NACL are evaluated in ascending order of their rule number, with the first matching rule deciding the outcome. Each NACL contains a set of rules that specifies the allowed or denied traffic based on criteria such as source IP address (for inbound rules), destination IP address (for outbound rules), port number, and protocol. NACL rules can be configured to allow or deny inbound and outbound traffic and can be modified as needed to reflect changes in the VPC environment.

Overall, NACLs are an essential component of VPC security and help provide defense in depth by complementing other security controls such as security groups and route tables.

For each NACL, there are two fundamental components: inbound rules and outbound rules. These rules control what traffic flows in and out of your subnet at a network level. NACLs are stateless, meaning that they do not keep the state of network connections as security groups do. Instead, NACLs evaluate each packet independently based on the rules you have defined (either inbound or outbound) and make a decision to allow or deny the traffic accordingly. In practice, this means that a web server's response to a client (sent to the client's ephemeral port) is not automatically permitted just because the client's request was; an outbound rule covering the ephemeral port range must allow it.

The following subsections discuss the configuration of NACLs and will help you grasp how they work.

The Details Box

This provides an overview of the NACL itself, showing the VPC association and the number of subnets that the NACL is associated with. It also details the NACL ID, as shown in the following screenshot:

Figure 10.18: The NACL Details screen

To understand the configuration of the NACL itself, you need to look at the inbound and outbound rules.

The Inbound and Outbound Rules Tabs

These sets of rules are used to control what traffic flows into and out of your subnet. The Inbound rules and Outbound rules tabs are made up of six fields (the only difference between the two tabs is that inbound rules match on a Source and outbound rules on a Destination):

Figure 10.19: The NACL Inbound rules tab

  • Rule number: The rule numbers determine the order in which the rules are evaluated. When your NACL processes a packet, the rules are read in ascending order until a rule matches, and that rule's action is applied; later rules are never consulted. Considering this, it’s best practice to leave gaps between rule numbers (for example, increments of 10 or 100) so you can insert new rules later without renumbering everything, and to remember that a deny rule placed after a broader allow rule will never take effect.
  • Type: Here, you can select several common protocol types, such as LDAP, HTTP, and DNS. You can alternatively specify custom TCP, UDP, or ICMP rules as well.
  • Protocol: This is filled in automatically for the common types. For custom entries, it identifies the IP protocol the rule applies to (TCP is protocol 6, UDP is 17, ICMP is 1, and -1 means all protocols).
  • Port range: Here, you can enter the port range for any custom TCP or UDP entries you selected. A rule allowing return traffic typically covers the ephemeral port range (for example, 1024-65535).
  • Source: Much like the Destination entry in your route tables, this is a CIDR range: a subnet, a single IP address using a /32 mask, or all IPv4 addresses using the 0.0.0.0/0 CIDR range. In the Outbound rules tab, this field is Destination instead.
  • Allow/Deny: With every NACL rule, you must specify whether traffic that matches the rule should be allowed or denied.

Every NACL ends with a catch-all rule, numbered *, that denies all traffic not matched by any numbered rule. This rule cannot be modified or removed, and it ensures that traffic you have not explicitly allowed does not reach your subnet (or leave it).
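To make the evaluation order, the stateless behaviour described earlier, and the catch-all deny concrete, the following is a small simulator of NACL rule evaluation. It is an added example written for this guide, not AWS code or an AWS API, and it assumes a simplified model: a rule is a protocol, a CIDR, a port range and an action, the evaluator walks the rules in ascending rule number and stops at the first match, and anything unmatched falls through to the * deny. It ignores ICMP type and code and IPv6, and the rule sets and client addresses below are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALL = "-1"  # AWS protocol number meaning "all protocols"


@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; lower numbers win
    protocol: str    # "tcp", "udp", "icmp" or ALL
    cidr: str        # Source (inbound) or Destination (outbound) CIDR
    port_from: int   # port range; ignored for icmp and ALL
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, proto: str, ip: str, port: int) -> bool:
        if self.protocol != ALL and self.protocol != proto:
            return False
        if ip_address(ip) not in ip_network(self.cidr):
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return True


def evaluate(rules, proto: str, ip: str, port: int):
    """Return (action, rule number) for one packet.

    First match in ascending rule-number order decides; if nothing matches,
    the non-removable '*' rule denies the packet.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, ip, port):
            return rule.action, rule.number
    return "deny", "*"


def https_session_allowed(inbound, outbound, client_ip: str, client_port: int) -> bool:
    """Stateless check of a client -> server HTTPS exchange.

    The request (to port 443) is judged by the inbound rules and the reply
    (to the client's ephemeral port) by the outbound rules, independently.
    """
    request, _ = evaluate(inbound, "tcp", client_ip, 443)
    reply, _ = evaluate(outbound, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"


# Constructed rule sets (hypothetical, for illustration only).
INBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "203.0.113.0/24", 443, 443, "deny"),  # shadowed by rule 100
    Rule(120, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # replies to outbound connections
]
# Same intent, but the deny is numbered below the broad allow so it is reached.
INBOUND_FIXED = [Rule(90, "tcp", "203.0.113.0/24", 443, 443, "deny")] + [INBOUND[0], INBOUND[2]]

OUTBOUND = [
    Rule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    Rule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),   # replies to inbound clients
]
OUTBOUND_NO_EPHEMERAL = [OUTBOUND[0]]  # forgot the ephemeral-port rule


if __name__ == "__main__":
    print("blocked client, bad order :", evaluate(INBOUND, "tcp", "203.0.113.7", 443))
    print("blocked client, fixed order:", evaluate(INBOUND_FIXED, "tcp", "203.0.113.7", 443))
    print("SSH from anywhere          :", evaluate(INBOUND, "tcp", "198.51.100.5", 22))
    print("HTTPS session, both ways   :", https_session_allowed(INBOUND, OUTBOUND, "198.51.100.5", 50123))
    print("HTTPS session, no ephemeral:", https_session_allowed(INBOUND, OUTBOUND_NO_EPHEMERAL, "198.51.100.5", 50123))
```

Run as a script, it shows the two mistakes the rule list above warns about: the deny at 110 never fires because the allow at 100 already matched (moving it to 90 fixes that), and an HTTPS session fails when the outbound NACL has no rule for the ephemeral port range, even though the inbound request itself was allowed.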