A Network Access Control List (NACL) is a firewall that sits in front of a subnet; every subnet in a VPC is associated with exactly one NACL. AWS offers several kinds of firewall: web application firewalls (AWS WAF), security groups, and NACLs. Security groups are instance-level firewalls; they protect an individual instance. An NACL, on the other hand, protects the subnet as a whole.
When a non-default VPC is created, AWS creates a default NACL for it and associates each of the VPC's subnets with that NACL until a subnet is explicitly associated with another one. The default NACL allows all inbound and outbound traffic.
An NACL filters the traffic entering and leaving its subnets according to the rules it contains. It is a stateless firewall: it keeps no record of connections, so rules must be specified explicitly for both inbound and outbound traffic, including the return traffic of connections that an inbound rule allows (typically on the ephemeral port range the client uses). Each rule has a rule number, and the NACL evaluates rules in ascending order of rule number. Rule numbers can start from 1 and can go up to 65,535. Evaluation stops at the first rule whose conditions match the packet; that rule's action is applied and later rules are not considered.
Unlike security groups, an NACL supports explicit DENY rules, so we can both ALLOW and DENY traffic. This comes in handy in more than one situation.
Users can create their own NACL and associate it with the desired subnet in place of the default NACL. For example, if we want only SSH and MySQL traffic to enter a subnet that hosts a MySQL database server, we can create an NACL with the appropriate rules and associate it with the subnet, replacing the default NACL.
A sample NACL table (inbound rules) is given here:

| Rule# | Type | Protocol | Port range | Source | Action | Comments |
|---|---|---|---|---|---|---|
| 100 | SSH | TCP | 22 | 192.168.1.10 | ALLOW | Allow SSH connection |
| 200 | HTTP | TCP | 80 | ALL | ALLOW | Allow HTTP for all |
| 300 | HTTPS | TCP | 443 | ALL | ALLOW | Allow HTTPS for all |
| 400 | SSH | TCP | 22 | ALL | DENY | Deny SSH for all |
| * | All Traffic | ALL | ALL | 0.0.0.0/0 | DENY | Deny everything else |
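The following simulator, added here as an illustration and not code from AWS or from this text, models the two evaluation properties described above (ascending rule-number order with first-match-wins, and statelessness) against the sample table. The inbound table is transcribed from the page with `ALL` written as `0.0.0.0/0`; the two outbound tables are constructed for the example, since the page shows only inbound rules, and the `CATCH_ALL` number standing in for the `*` row, the `Rule` class and the function names are all assumptions of this example.

```python
"""Simulate how an AWS network ACL evaluates packets (added illustration, not AWS code).

Two properties from the text are modelled:
  1. Rules are evaluated in ascending rule-number order and the first match wins,
     so a broad DENY placed after a narrower ALLOW does not override it.
  2. The NACL is stateless: the reply to an allowed inbound connection must be
     permitted by an outbound rule as well, usually on the client's ephemeral port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

CATCH_ALL = 65536  # stands in for the '*' row, which AWS evaluates last (assumed value)


@dataclass(frozen=True)
class Rule:
    number: int                       # evaluation order; CATCH_ALL for '*'
    protocol: str                     # 'tcp', 'udp', 'icmp' or 'all'
    ports: Optional[Tuple[int, int]]  # inclusive (low, high); None = all ports
    cidr: str                         # source for inbound, destination for outbound
    action: str                       # 'ALLOW' or 'DENY'


# Inbound table as given on the page ('ALL' written as 0.0.0.0/0).
INBOUND = [
    Rule(100, "tcp", (22, 22), "192.168.1.10", "ALLOW"),
    Rule(200, "tcp", (80, 80), "0.0.0.0/0", "ALLOW"),
    Rule(300, "tcp", (443, 443), "0.0.0.0/0", "ALLOW"),
    Rule(400, "tcp", (22, 22), "0.0.0.0/0", "DENY"),
    Rule(CATCH_ALL, "all", None, "0.0.0.0/0", "DENY"),
]

# Constructed outbound tables (the page shows none). The first forgets the
# ephemeral port range and therefore breaks every connection the inbound table allows.
OUTBOUND_FORGOT_EPHEMERAL = [
    Rule(CATCH_ALL, "all", None, "0.0.0.0/0", "DENY"),
]
OUTBOUND_WITH_EPHEMERAL = [
    Rule(100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW"),  # replies back to clients
    Rule(CATCH_ALL, "all", None, "0.0.0.0/0", "DENY"),
]


def evaluate(rules, protocol: str, port: int, addr: str) -> Tuple[str, int]:
    """Return (action, rule number) of the first rule that matches the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.ports is not None and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "DENY", CATCH_ALL  # AWS always ends the table with the '*' DENY


def connection_allowed(inbound, outbound, client: str, server_port: int, client_port: int) -> bool:
    """A TCP connection succeeds only if the request passes the inbound table
    AND the reply (sent back to client_port) passes the outbound table."""
    request, _ = evaluate(inbound, "tcp", server_port, client)
    reply, _ = evaluate(outbound, "tcp", client_port, client)
    return request == "ALLOW" and reply == "ALLOW"


def renumber(rules, old: int, new: int):
    """Copy of the table with one rule given a different number (shows ordering)."""
    return [Rule(new, r.protocol, r.ports, r.cidr, r.action) if r.number == old else r
            for r in rules]


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 22, "192.168.1.10"))    # ('ALLOW', 100)
    print(evaluate(INBOUND, "tcp", 22, "198.51.100.9"))    # ('DENY', 400)
    print(evaluate(INBOUND, "tcp", 3306, "192.168.1.10"))  # ('DENY', 65536): no MySQL rule
    # Move the broad DENY in front of the narrow ALLOW and the admin host is locked out.
    print(evaluate(renumber(INBOUND, 400, 50), "tcp", 22, "192.168.1.10"))  # ('DENY', 50)
    # Stateless: the same inbound table gives different results depending on outbound rules.
    print(connection_allowed(INBOUND, OUTBOUND_FORGOT_EPHEMERAL, "192.168.1.10", 22, 51515))  # False
    print(connection_allowed(INBOUND, OUTBOUND_WITH_EPHEMERAL, "192.168.1.10", 22, 51515))    # True
```

The `renumber` call is the point to notice when reviewing a real NACL: rule 400 only denies SSH for everyone except 192.168.1.10 because it is numbered after rule 100; give it a lower number and the administrator's host is denied too, since the first match ends evaluation. The last two calls show why an inbound-only table such as the one on the page is not a complete policy for a stateless firewall.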