Wednesday, December 25, 2024

AWS NACL

What is AWS NACL (Network Access Control List)?

A Network Access Control List (NACL) is a security feature in Amazon Web Services (AWS) that controls inbound and outbound traffic at the subnet level in a Virtual Private Cloud (VPC). NACLs add a layer of security for your VPC resources by filtering the traffic that flows in and out of subnets. A NACL is a stateless firewall: it can be associated with one or more subnets and enforces security rules for every resource in those subnets. NACLs are typically used for additional network segmentation and for controlling traffic between subnets within a VPC.

Key Features of AWS NACL:

  • Stateless: NACLs are stateless, meaning each inbound and outbound packet must be explicitly allowed or denied by a rule. Unlike security groups, a NACL keeps no record of a connection's state, so return traffic is not allowed automatically.
  • Subnet-Level Control: NACLs operate at the subnet level and affect all the instances within the associated subnet.
  • Allow and Deny Rules: NACLs can allow or deny both inbound and outbound traffic. You can define custom rules based on IP address, protocol, and port.
  • Ordered Rule Evaluation: NACLs evaluate rules in a specific order, from lowest to highest rule number. The first rule that matches is applied.

How AWS NACL Works:

Each NACL consists of a set of rules that control the flow of traffic to and from a subnet. Rules in a NACL are evaluated in order, starting with the lowest-numbered rule. If a request matches a rule, the action (allow or deny) is taken, and no further rules are evaluated.

By default, AWS creates a default NACL for every VPC, which allows all inbound and outbound traffic. Custom NACLs, however, begin with no rules, so they deny all traffic until you define the rules needed to allow it.
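The ordered, first-match, stateless evaluation described above is easy to misjudge in the head, so here is a small simulator of it. This is an added example written for this page, not AWS code and not a boto3 API; the rule fields mirror what a NACL entry holds (rule number, protocol, allow/deny, CIDR, port range), the implicit "*" rule at the end of every NACL is modelled as a final deny, and the 1024-65535 ephemeral port range is an assumption about the client (Linux and most load balancers use that range; Windows clients use a narrower one).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # evaluation order: lowest number is checked first
    protocol: str      # "tcp", "udp", "icmp" or "-1" for all protocols
    action: str        # "allow" or "deny"
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound
    port_from: int = 0
    port_to: int = 65535


# Assumed client ephemeral range (constructed for the example; varies by OS).
EPHEMERAL = (1024, 65535)


def evaluate(rules, protocol, addr, port):
    """Evaluate one direction of a NACL the way AWS does: rules in ascending
    number order, the first match decides, and the implicit '*' rule denies
    anything that no rule matched.  Returns (action, rule_number)."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):   # ICMP type/code not modelled
            continue
        return r.action, r.number
    return "deny", "*"


def tcp_connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """A stateless NACL must pass BOTH halves of a TCP flow into the subnet:
    the client's SYN is checked against the inbound rules on server_port, and
    the server's SYN-ACK is checked against the outbound rules on the client's
    ephemeral port.  Returns (allowed, inbound_verdict, outbound_verdict)."""
    request = evaluate(inbound, "tcp", client_ip, server_port)
    response = evaluate(outbound, "tcp", client_ip, client_port)
    return request[0] == "allow" and response[0] == "allow", request, response


# Constructed rule sets for a subnet that should serve HTTPS to the internet.
INBOUND_HTTPS = [Rule(100, "tcp", "allow", "0.0.0.0/0", 443, 443)]
OUTBOUND_RETURN = [Rule(100, "tcp", "allow", "0.0.0.0/0", *EPHEMERAL)]
OUTBOUND_FORGOTTEN = []                       # no return-traffic rule at all
INBOUND_MISORDERED = [Rule(90, "tcp", "deny", "0.0.0.0/0")] + INBOUND_HTTPS
INBOUND_REORDERED = [Rule(110, "tcp", "deny", "0.0.0.0/0")] + INBOUND_HTTPS


if __name__ == "__main__":
    client = ("203.0.113.7", 51515)           # constructed test client
    print("correct rules     :", tcp_connection_allowed(INBOUND_HTTPS, OUTBOUND_RETURN, *client, 443))
    print("no return rule    :", tcp_connection_allowed(INBOUND_HTTPS, OUTBOUND_FORGOTTEN, *client, 443))
    print("deny above allow  :", evaluate(INBOUND_MISORDERED, "tcp", client[0], 443))
    print("deny below allow  :", evaluate(INBOUND_REORDERED, "tcp", client[0], 443))
    print("unmatched traffic :", evaluate(INBOUND_HTTPS, "tcp", client[0], 80))
```

The second case is the classic stateless failure: the SYN is allowed in on 443, but the SYN-ACK is dropped by the implicit deny on the way out, so the handshake never completes. The third and fourth cases differ only in whether the broad deny is numbered 90 or 110, which is all it takes to flip the verdict.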

Use Cases for AWS NACL:

  • Subnet Isolation: Use NACLs to enforce traffic control between public and private subnets.
  • Security Layering: Apply additional security by using NACLs alongside Security Groups for more granular control.
  • Monitoring and Auditing: Use NACLs to create network-level controls and audit traffic flows within your VPC.

Advantages of AWS NACL:

  • Global Impact: A single NACL can be applied to multiple subnets, allowing for consistent traffic control.
  • Fine-grained Traffic Control: NACLs provide the ability to control both inbound and outbound traffic on a subnet level, ensuring better security.
  • Stateless Nature: The stateless design of NACLs provides simplicity and better visibility into network traffic at the subnet level.

Limitations:

  • Statelessness: Because NACLs are stateless, return traffic must be explicitly allowed by a rule, unlike Security Groups, which are stateful.
  • Limited Scope: NACLs work only at the subnet level and do not provide instance-specific security like Security Groups.

AWS NACL vs Security Group

How AWS NACL Differs from Security Group

While both NACLs and security groups serve as firewalls in AWS, they differ in several key aspects:

Feature            | Network Access Control List (NACL)                          | Security Group
-------------------|-------------------------------------------------------------|-------------------------------------------------------------------
Scope              | Subnet-level firewall                                       | Instance-level firewall
Statefulness       | Stateless (both inbound and outbound rules must be defined) | Stateful (return traffic is automatically allowed)
Rule evaluation    | Rules are evaluated in order; the first match applies       | Rules are evaluated based on the connection; multiple rules can apply
Default behavior   | Default NACL allows all inbound and outbound traffic        | Default security group denies all inbound traffic, allows all outbound
Applied to         | Subnets                                                     | EC2 instances
Direction of rules | Separate inbound and outbound rules                         | Only inbound rules (outbound is allowed by default)

Where to Use NACL

AWS NACLs should be used in the following scenarios:

  • Network Segmentation: To implement fine-grained security rules between different subnets within a VPC.
  • Shared VPC: To isolate traffic between subnets in a shared VPC environment.
  • Public/Private Subnet Configuration: To restrict traffic between public and private subnets.
  • Layered Security: Use NACLs in combination with security groups for an additional layer of protection.

Precautions to Take While Using NACL

When using AWS NACLs, ensure the following:

  • Explicit Deny: Always include explicit deny rules to avoid unintentional access. Since NACLs are stateless, return traffic must also be explicitly allowed.
  • Order of Rules: Be cautious of the rule evaluation order. The first matching rule applies, so make sure more specific rules are placed above more general ones.
  • Limit Overlapping Rules: Avoid creating conflicting rules that could inadvertently allow or block traffic.
  • Check Default NACL: Default NACLs allow all inbound and outbound traffic. If using a custom NACL, ensure that necessary rules are defined.
  • Monitor Traffic: Regularly review and monitor traffic and logs to ensure NACL rules are functioning as expected.

Edge Cases When NACL May Fail

AWS NACLs may fail in the following edge cases:

  • Missing Return Traffic Rules: Since NACLs are stateless, not adding rules to allow return traffic can result in failed connections. For example, if you allow inbound traffic but do not allow the corresponding outbound response, the connection will fail.
  • Improper Rule Order: The first rule that matches the traffic is applied. If the rules are not ordered properly, traffic may be blocked unexpectedly (for example, a general deny rule is placed above a more specific allow rule).
  • Conflicting Rules: Having conflicting allow/deny rules for the same traffic could create unintended access or block access altogether.
  • Unintended Blocking of Traffic: Incorrectly applying NACLs to the wrong subnets or misconfigured IP addresses can result in unintentional blocking of legitimate traffic.
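Most of the precautions and edge cases above (rule order, overlapping or conflicting rules, and missing return-traffic rules) can be caught by reviewing a NACL's rule set before it is applied. The linter below is an added example written for this page, not an AWS tool: it takes inbound and outbound rule lists in a constructed tuple format, flags later rules that can never fire because an earlier rule already matches everything they match, and flags TCP/UDP allow rules whose replies would be dropped because the opposite direction has no allow covering the ephemeral ports for the same peer CIDR. The 1024-65535 ephemeral range and the convention that a rule covering exactly that range is a return-traffic rule are assumptions of the example.

```python
import ipaddress
from collections import namedtuple

# Constructed rule format: number, protocol ("tcp"/"udp"/"icmp"/"-1"), action, CIDR, port range.
Rule = namedtuple("Rule", "number protocol action cidr port_from port_to")

# Assumed client ephemeral range (varies by OS; adjust for Windows clients).
EPHEMERAL = (1024, 65535)


def _covers(outer, inner):
    """True if every packet matched by `inner` is also matched by `outer`."""
    outer_net, inner_net = ipaddress.ip_network(outer.cidr), ipaddress.ip_network(inner.cidr)
    if outer_net.version != inner_net.version:       # IPv4 and IPv6 rules never overlap
        return False
    proto_ok = outer.protocol == "-1" or outer.protocol == inner.protocol
    cidr_ok = inner_net.subnet_of(outer_net)
    ports_ok = outer.port_from <= inner.port_from and inner.port_to <= outer.port_to
    return proto_ok and cidr_ok and ports_ok


def find_shadowed(rules):
    """Rules that can never fire because a lower-numbered rule matches first.
    A different action is a CONFLICT (the deny-above-allow case); the same
    action is merely REDUNDANT, but still worth removing to keep the list clear."""
    findings = []
    ordered = sorted(rules, key=lambda r: r.number)
    for i, earlier in enumerate(ordered):
        for later in ordered[i + 1:]:
            if _covers(earlier, later):
                kind = "CONFLICT" if earlier.action != later.action else "REDUNDANT"
                findings.append(f"{kind}: rule {later.number} ({later.action}) is shadowed "
                                f"by rule {earlier.number} ({earlier.action})")
    return findings


def find_missing_return(side, other_side, side_name):
    """For each TCP/UDP allow rule on one side, the other side needs an allow
    covering the ephemeral port range for the same peer CIDR, otherwise the
    stateless NACL drops the replies.  Rules that cover exactly the ephemeral
    range are treated as return-traffic rules themselves and skipped (assumption)."""
    other_name = "outbound" if side_name == "inbound" else "inbound"
    findings = []
    for r in side:
        if r.action != "allow" or r.protocol not in ("tcp", "udp"):
            continue
        if (r.port_from, r.port_to) == EPHEMERAL:
            continue
        needed = Rule(0, r.protocol, "allow", r.cidr, *EPHEMERAL)
        if not any(o.action == "allow" and _covers(o, needed) for o in other_side):
            findings.append(f"MISSING RETURN: {side_name} rule {r.number} allows "
                            f"{r.protocol} {r.port_from}-{r.port_to} for {r.cidr}, but no "
                            f"{other_name} allow covers ports {EPHEMERAL[0]}-{EPHEMERAL[1]} for {r.cidr}")
    return findings


def lint_nacl(inbound, outbound):
    """Run every check and return the combined list of findings."""
    return (find_shadowed(inbound) + find_shadowed(outbound)
            + find_missing_return(inbound, outbound, "inbound")
            + find_missing_return(outbound, inbound, "outbound"))


# Constructed sample: a broad deny was numbered below the specific allows.
INBOUND = [
    Rule(90, "tcp", "deny", "0.0.0.0/0", 0, 65535),
    Rule(100, "tcp", "allow", "0.0.0.0/0", 443, 443),
    Rule(110, "tcp", "allow", "10.0.0.0/16", 22, 22),
]
OUTBOUND = [Rule(100, "tcp", "allow", "0.0.0.0/0", *EPHEMERAL)]
OUTBOUND_EMPTY = []    # return-traffic rule forgotten entirely


if __name__ == "__main__":
    for finding in lint_nacl(INBOUND, OUTBOUND):
        print(finding)
    print("--- with no outbound rules ---")
    for finding in lint_nacl(INBOUND, OUTBOUND_EMPTY):
        print(finding)
```

On the sample, the first run reports two CONFLICT findings (rules 100 and 110 are both shadowed by the deny at 90); the second run adds two MISSING RETURN findings because nothing on the outbound side lets the replies to port 443 and port 22 leave the subnet. Renumbering the deny to 120 clears the conflicts without changing any rule's content, which is exactly the ordering hazard the list above warns about.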
