📖 What is Network ACL?
Network Access Control Lists (Network ACLs) are an optional security layer that operates at the subnet level and controls inbound and outbound traffic. They function as stateless firewalls: each packet is evaluated against the defined rules with no memory of previous requests, so both directions of a connection need their own explicit allow rules.
"The stateless nature of Network ACLs is a key exam differentiator. Remember that deny rules are evaluated before allow rules. Unlike Security Groups, Network ACLs can be used to block traffic based on source/destination IP addresses."
📚 Certification: AWS Certified Solutions Architect - Associate (SAA-C03)
🔑 What are the Key Concepts of Network ACL?
- Network ACLs operate at the subnet level, controlling traffic entering and leaving all instances within that subnet.
- They are stateless, meaning rules are not evaluated in the context of previous traffic; both inbound and outbound traffic require explicit rules.
- Rules are evaluated in numerical order, with lower numbered rules processed first; deny rules are processed before allow rules.
- Network ACLs can block traffic based on IP address, port number, and protocol, offering granular control beyond Security Groups.
- Default Network ACLs allow all inbound and outbound traffic, while custom ACLs require explicit configuration for desired traffic flow.
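The following Python model is an added illustration, not part of the original page or of any AWS tooling: it walks packets through a constructed Network ACL the way the service documents evaluation (rules tried in ascending rule-number order, first match decides, unmatched traffic falls through to the fixed catch-all deny), which is why a deny entry only overrides an allow when its number is lower. It also shows the stateless round trip: an HTTPS request that the inbound list allows is still dropped if the outbound list has no allow for the client's ephemeral return port. All addresses are RFC 5737 documentation ranges and the rule numbers are assumed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    number: int      # 1-32766; the fixed '*' catch-all deny is the fall-through in evaluate()
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all protocols)
    port_from: int   # port range; ignored for "-1"/"icmp" (ICMP type/code not modelled here)
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "allow" or "deny"

    def matches(self, proto, port, addr):
        if self.protocol != "-1" and self.protocol != proto:
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(addr) in ip_network(self.cidr)

def evaluate(rules, proto, port, addr):
    """Ascending rule-number order, first match wins; unmatched traffic hits the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, addr):
            return rule.action, rule.number
    return "deny", "*"

def https_round_trip(inbound, outbound, client_ip, client_port=49152):
    """Stateless: the request AND the reply to the client's ephemeral port need explicit allows."""
    action, num = evaluate(inbound, "tcp", 443, client_ip)
    if action != "allow":
        return f"request blocked by inbound rule {num}"
    action, num = evaluate(outbound, "tcp", client_port, client_ip)
    if action != "allow":
        return f"response blocked by outbound rule {num}"
    return "allowed"

# Constructed sample ACL (RFC 5737 documentation addresses): one source range is denied
# at rule 90, ahead of the broad HTTPS allow at 100; the deny at 110 is shadowed by 100.
INBOUND = [
    Rule(90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 443, 443, "203.0.113.0/24", "deny"),  # never reached for HTTPS
]
OUTBOUND = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]  # ephemeral return ports

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 443, "198.51.100.7"))    # ('deny', 90)
    print(evaluate(INBOUND, "tcp", 443, "203.0.113.10"))    # ('allow', 100): rule 110 is shadowed
    print(https_round_trip(INBOUND, OUTBOUND, "203.0.113.10"))  # allowed
    print(https_round_trip(INBOUND, [], "203.0.113.10"))    # response blocked by outbound rule *
```

The shadowed rule 110 is the case to check when a deny "does not work": renumbering it below the allow it must override fixes it.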
🎯 How does Network ACL appear on the SAA-C03 Exam?
You may be asked to identify the correct AWS service to block a specific IP address range from accessing resources within a particular subnet.
A scenario might describe a requirement to inspect all traffic entering a subnet and block any traffic originating from a known malicious source – determine the best approach.
Expect questions about the difference between Network ACLs and Security Groups, and when to use each for optimal security and network control.
❓ Frequently Asked Questions
When would I use a Network ACL instead of a Security Group?
Use Network ACLs for subnet-level control, blocking specific IP ranges, or when you need a stateless firewall. Security Groups are instance-level and stateful, better for application-level access control.
What happens if no rule matches inbound or outbound traffic in a Network ACL?
By default, if no rule matches, traffic is denied. This is a critical difference from Security Groups, which implicitly allow traffic if no rule explicitly denies it.
How do I troubleshoot Network ACL issues when traffic is unexpectedly blocked?
Review the rule order and ensure explicit allow rules exist for both inbound and outbound traffic. Use VPC Flow Logs to capture traffic data and identify which rule is causing the block.