69. Access Control List (ACL)

Network ACL is created by default when we create VPC and called as ‘Default Network ACL’. Every time we add a subnet to VPC, its going to be associated with our default NACL. We can then associate the subnet with a NACL but a subnet itself can only be associated with only one NACL at any given time. NACL can have multiple subnets on them.

NACL always act first before Security groups.

i. VPC automatically comes with a default NACL and by default it allows all outbound and inbound traffic.
ii. We can create custom NACLs. By default, each custom n/w ACL denies all inbound and outbound traffic until we add rules.
iii. Each subnet in VPC must be associated with a NACL. If we dont explicitly associate a subnet with a NACL, the subnet is automatically associated with the default NACL.
iv. We can block IP addresses using NACLs but not via security groups.
v. We can associate a NACL with multiple subnets. However a subnet can be associated with only one NACL at a time. When we associate a NACL with a subnet, the previous association is removed.
vi. NACLs contain a numbered list of rules that is evaluated in chronological order starting with the lowest numbered rule.
vii. NACLs have separate inbound and outbound rules and each rule can either allow or deny traffic.
viii. NACLs are stateless, responses to allowed inbound traffic are subject to the rules for outbound traffic (and vice versa)