# NACL

A **Network Access Control List (NACL)** is a **stateless firewall** that controls inbound and outbound traffic at the **subnet level**. Because it keeps no connection state, return traffic must be explicitly allowed in the opposite direction. Unlike **Security Groups**, NACLs evaluate **rules in numerical order**, from **lowest to highest** rule number, and the **first matching rule** decides.

✔ **Use Cases for NACLs**

* Blocking malicious IPs or specific traffic types.
* Allowing access to specific trusted networks.
* Enforcing additional security layers beyond Security Groups.

🚀 **SecureCart Use Case**\
SecureCart, an **e-commerce platform**, implements NACLs to **protect its subnets** from unauthorized access, control external communication, and **block malicious traffic**.

***

### **🔹 Scenario 1: Block All Traffic from a Malicious IP (Deny)**

✔ SecureCart detects **multiple failed login attempts** from **IP `203.0.113.55`** and wants to block it from accessing any subnet.

| **Rule #** | **Type**    | **Protocol** | **Port Range** | **Source** / **Destination** | **Action** |
| ---------- | ----------- | ------------ | -------------- | ---------------------------- | ---------- |
| 100        | All Traffic | ALL          | ALL            | `203.0.113.55/32`            | DENY       |

✅ **Best Practice**: Give a targeted **deny rule a lower number than any broader allow rule** it must override; the first match wins, so a deny placed after a matching allow is never reached and unintended access results.

***

### **🔹 Scenario 2: Allow Internet Access for a Public Subnet (Allow)**

✔ SecureCart’s **frontend web servers** in a **public subnet** need outbound internet access to fetch **external APIs** and software updates.

| **Rule #** | **Type**                   | **Protocol** | **Port Range** | **Destination** | **Action** |
| ---------- | -------------------------- | ------------ | -------------- | --------------- | ---------- |
| 100        | HTTP (Web Traffic)         | TCP          | 80             | `0.0.0.0/0`     | ALLOW      |
| 110        | HTTPS (Secure Web Traffic) | TCP          | 443            | `0.0.0.0/0`     | ALLOW      |

✅ **Best Practice**: Ensure that the **associated route table** has a **default route to an Internet Gateway**.

***

### **🔹 Scenario 3: Restrict Database Access to Only the Application Subnet (Allow)**

✔ SecureCart’s **MySQL database (RDS instance)** is in a **private subnet**. The **only allowed access** should come from the **application servers in a different subnet**.

| **Rule #** | **Type**     | **Protocol** | **Port Range** | **Source**                 | **Action** |
| ---------- | ------------ | ------------ | -------------- | -------------------------- | ---------- |
| 100        | MySQL/Aurora | TCP          | 3306           | `10.0.1.0/24` (App Subnet) | ALLOW      |
| 120        | All Traffic  | ALL          | ALL            | `0.0.0.0/0`                | DENY       |

✅ **Best Practice**: Restrict database access to **only necessary subnets** to **reduce attack surface**. Because NACLs are stateless, also add an **outbound rule** allowing the **ephemeral port range (1024-65535)** to `10.0.1.0/24`, or the database's replies never leave the subnet.
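To make the first-match ordering of Scenario 1 and the stateless return-path requirement of this scenario concrete, here is a small NACL rule evaluator written for this page (an added example, not from the original page or from any AWS tooling). The `Rule` model, the rule sets, the client address `10.0.1.25` and its ephemeral port `49152` are constructed; the outbound ephemeral-port rule is the one the table above does not list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int    # lowest number is tried first; the first match wins
    protocol: str  # "tcp", "udp", "icmp" or "all"
    ports: tuple   # inclusive (low, high); ignored when protocol is "all"
    cidr: str      # source CIDR for inbound rules, destination for outbound
    action: str    # "allow" or "deny"


def evaluate(rules, protocol, port, address):
    """Action of the first matching rule, or the implicit catch-all (*) deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if rule.protocol != "all" and not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if ip_address(address) in ip_network(rule.cidr):
            return rule.action
    return "deny"


def connection_allowed(inbound, outbound, client_ip, client_port, server_port):
    """NACLs keep no state: the request must pass the inbound ACL and the reply,
    judged on its own destination (the client's ephemeral port), the outbound ACL."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


# Scenario 1: the /32 deny must carry a lower number than the broad allow
WEB_IN_GOOD = [Rule(100, "all", (0, 65535), "203.0.113.55/32", "deny"),
               Rule(110, "tcp", (443, 443), "0.0.0.0/0", "allow")]
WEB_IN_BAD = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
              Rule(110, "all", (0, 65535), "203.0.113.55/32", "deny")]

# Scenario 3: inbound rules as in the table above, plus the outbound rule the
# table omits (replies to the app subnet leave on ephemeral ports 1024-65535)
DB_IN = [Rule(100, "tcp", (3306, 3306), "10.0.1.0/24", "allow"),
         Rule(120, "all", (0, 65535), "0.0.0.0/0", "deny")]
DB_OUT_MISSING = []  # constructed: custom NACL with no outbound entries
DB_OUT_FIXED = [Rule(100, "tcp", (1024, 65535), "10.0.1.0/24", "allow")]

if __name__ == "__main__":  # constructed client 10.0.1.25, ephemeral port 49152
    print(evaluate(WEB_IN_BAD, "tcp", 443, "203.0.113.55"))  # allow: deny never reached
    print(connection_allowed(DB_IN, DB_OUT_MISSING, "10.0.1.25", 49152, 3306))  # False
    print(connection_allowed(DB_IN, DB_OUT_FIXED, "10.0.1.25", 49152, 3306))  # True
```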

***

### **🔹 Scenario 4: Allow VPC Peering Traffic (Allow)**

✔ SecureCart has **two VPCs connected via VPC Peering**. **Application servers in VPC-A** need to access **APIs in VPC-B** over **port 8080**.

| **Rule #** | **Type**        | **Protocol** | **Port Range** | **Source**            | **Action** |
| ---------- | --------------- | ------------ | -------------- | --------------------- | ---------- |
| 100        | Custom TCP Rule | TCP          | 8080           | `10.0.2.0/24` (VPC-B) | ALLOW      |

✅ **Best Practice**: Add a **corresponding outbound rule** in **both VPCs** to ensure bidirectional traffic.

***

### **🔹 Scenario 5: Deny All Traffic by Default (Deny)**

✔ SecureCart **implements a default deny policy** for better security.\
🚨 **By default, the default NACL that comes with a VPC allows all traffic unless an explicit DENY rule is added**; a newly created custom NACL denies all traffic until rules are added.

| **Rule #**      | **Type**    | **Protocol** | **Port Range** | **Source/Destination** | **Action** |
| --------------- | ----------- | ------------ | -------------- | ---------------------- | ---------- |
| *Explicit rule, numbered above every ALLOW rule* | All Traffic | ALL          | ALL            | `0.0.0.0/0`            | DENY       |

✅ **Best Practice**: This ensures that **only explicitly allowed traffic** passes. The catch-all deny must carry the **highest rule number**, otherwise it shadows every allow rule placed after it.
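A configuration check for the mistakes a default-deny policy is meant to catch, added here as an example (not from the original page). It reads one NACL in the shape returned by `aws ec2 describe-network-acls` (`Entries[]` with `RuleNumber`, `Egress`, `RuleAction`, `Protocol`, `CidrBlock`); the `acl-EXAMPLE` id and the entries are constructed, and the check flags allow-all rules, deny rules shadowed by an earlier broad allow, and a direction with no allow rules at all.

```python
# Rule number the API reports for the implicit '*' catch-all deny entry.
CATCH_ALL = 32767

# Constructed sample shaped like one element of `aws ec2 describe-network-acls`
# output (NetworkAcls[]); "acl-EXAMPLE" is a placeholder, not a real id.
SAMPLE_NACL = {
    "NetworkAclId": "acl-EXAMPLE",
    "Entries": [
        {"RuleNumber": 100, "Egress": False, "RuleAction": "allow", "Protocol": "6",
         "CidrBlock": "10.0.1.0/24", "PortRange": {"From": 3306, "To": 3306}},
        {"RuleNumber": 110, "Egress": False, "RuleAction": "allow", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},  # mistake: allows everything
        {"RuleNumber": 120, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
         "CidrBlock": "203.0.113.55/32"},  # mistake: never reached after 110
        {"RuleNumber": CATCH_ALL, "Egress": False, "RuleAction": "deny", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},
        {"RuleNumber": CATCH_ALL, "Egress": True, "RuleAction": "deny", "Protocol": "-1",
         "CidrBlock": "0.0.0.0/0"},  # outbound has no allow rule at all
    ],
}


def audit(nacl):
    """Return a list of findings for one NACL; an empty list means it passes."""
    findings = []
    for egress, label in ((False, "inbound"), (True, "outbound")):
        entries = sorted((e for e in nacl["Entries"]
                          if e["Egress"] is egress and e["RuleNumber"] != CATCH_ALL),
                         key=lambda e: e["RuleNumber"])
        allows = [e for e in entries if e["RuleAction"] == "allow"]
        for a in allows:
            if a["CidrBlock"] == "0.0.0.0/0" and a["Protocol"] == "-1":
                findings.append(f"{label} rule {a['RuleNumber']}: allows all traffic "
                                "from 0.0.0.0/0, defeating the default deny")
        for d in entries:
            if d["RuleAction"] != "deny":
                continue
            # first match wins: a lower-numbered broad allow hides this deny
            for a in allows:
                if (a["RuleNumber"] < d["RuleNumber"] and a["CidrBlock"] == "0.0.0.0/0"
                        and a["Protocol"] in ("-1", d["Protocol"])):
                    findings.append(f"{label} rule {d['RuleNumber']}: deny is shadowed "
                                    f"by allow rule {a['RuleNumber']}")
        if not allows:
            findings.append(f"{label}: no allow rules; stateless replies will be dropped")
    return findings
```

Run against a real account, the same function applies to each element of the `NetworkAcls` list returned by the CLI or boto3.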

***

### **🔹 Scenario 6: Allow Outbound Access for Software Updates (Allow)**

✔ SecureCart's **EC2 instances in private subnets** need **outbound internet access** via a **NAT Gateway**.

| **Rule #** | **Type** | **Protocol** | **Port Range** | **Destination** | **Action** |
| ---------- | -------- | ------------ | -------------- | --------------- | ---------- |
| 100        | HTTP     | TCP          | 80             | `0.0.0.0/0`     | ALLOW      |
| 110        | HTTPS    | TCP          | 443            | `0.0.0.0/0`     | ALLOW      |

✅ **Best Practice**: The **NAT Gateway must be placed in a public subnet** to facilitate outbound traffic.

***

### **🚀 Summary**

🔹 **Network ACLs (NACLs) provide an additional layer of security** at the **subnet level**, acting as a **stateless firewall**.\
🔹 **Targeted deny rules should be numbered below the broader allow rules they override**, since the first matching rule wins.\
🔹 SecureCart uses **NACLs to restrict database access, block malicious IPs, and secure VPC peering**.\
🔹 **Best practices include default deny rules, least privilege access, and proper rule ordering.**
