# NACL

A **Network Access Control List (NACL)** is a **stateless firewall** that controls inbound and outbound traffic at the **subnet level**. Unlike **Security Groups**, NACLs evaluate **rules in numerical order**, from **lowest to highest** rule number.

✔ **Use Cases for NACLs**

* Blocking malicious IPs or specific traffic types.
* Allowing access to specific trusted networks.
* Enforcing additional security layers beyond Security Groups.

🚀 **SecureCart Use Case**\
SecureCart, an **e-commerce platform**, implements NACLs to **protect its subnets** from unauthorized access, control external communication, and **block malicious traffic**.

***

### **🔹 Scenario 1: Block All Traffic from a Malicious IP (Deny)**

✔ SecureCart detects **multiple failed login attempts** from **IP `203.0.113.55`** and wants to block it from accessing any subnet.

| **Rule #** | **Type**    | **Protocol** | **Port Range** | **Source** / **Destination** | **Action** |
| ---------- | ----------- | ------------ | -------------- | ---------------------------- | ---------- |
| 100        | All Traffic | ALL          | ALL            | `203.0.113.55/32`            | DENY       |

✅ **Best Practice**: Always place **deny rules before allow rules** to prevent unintended access.

***

### **🔹 Scenario 2: Allow Internet Access for a Public Subnet (Allow)**

✔ SecureCart’s **frontend web servers** in a **public subnet** need outbound internet access to fetch **external APIs** and software updates.

| **Rule #** | **Type**                   | **Protocol** | **Port Range** | **Destination** | **Action** |
| ---------- | -------------------------- | ------------ | -------------- | --------------- | ---------- |
| 100        | HTTP (Web Traffic)         | TCP          | 80             | `0.0.0.0/0`     | ALLOW      |
| 110        | HTTPS (Secure Web Traffic) | TCP          | 443            | `0.0.0.0/0`     | ALLOW      |

✅ **Best Practice**: Ensure that the **associated route table** has a **default route to an Internet Gateway**.

***

### **🔹 Scenario 3: Restrict Database Access to Only the Application Subnet (Allow)**

✔ SecureCart’s **MySQL database (RDS instance)** is in a **private subnet**. The **only allowed access** should come from the **application servers in a different subnet**.

| **Rule #** | **Type**     | **Protocol** | **Port Range** | **Source**                 | **Action** |
| ---------- | ------------ | ------------ | -------------- | -------------------------- | ---------- |
| 100        | MySQL/Aurora | TCP          | 3306           | `10.0.1.0/24` (App Subnet) | ALLOW      |
| 120        | All Traffic  | ALL          | ALL            | `0.0.0.0/0`                | DENY       |

✅ **Best Practice**: Restrict database access to **only necessary subnets** to **reduce attack surface**.
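To make the ordering and stateless behaviour behind Scenarios 1 and 3 concrete, here is a small rule evaluator added for this page (not AWS code or anything from the SecureCart setup). It walks rules lowest number first, stops at the first match, and falls through to the implicit `*` deny that every NACL ends with; the `round_trip` check shows why a stateless NACL also needs an outbound rule for the ephemeral reply port, something the tables above do not show. The client port 51234 and the extra addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluated lowest to highest; first match wins
    protocol: str    # "tcp", "udp", "icmp" or "all"
    ports: tuple     # (from_port, to_port); ignored when protocol == "all"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    ip: str          # peer address: source for inbound, destination for outbound
    protocol: str
    port: int        # destination port of the packet

def evaluate(rules, pkt):
    """Return (action, rule_number) of the first matching rule.
    Like a real NACL, an unmatched packet hits the implicit '*' rule and is denied."""
    addr = ipaddress.ip_address(pkt.ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol != "all" and r.protocol != pkt.protocol:
            continue
        if r.protocol != "all" and not (r.ports[0] <= pkt.port <= r.ports[1]):
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action, r.number
    return "deny", "*"

# Scenario 3: inbound rules of the database subnet, taken from the table above
DB_INBOUND = [
    Rule(100, "tcp", (3306, 3306), "10.0.1.0/24", "allow"),
    Rule(120, "all", (0, 65535), "0.0.0.0/0", "deny"),
]
# Scenario 1: the deny at 100 sits ahead of a hypothetical HTTPS allow at 110
WEB_INBOUND = [
    Rule(110, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    Rule(100, "all", (0, 65535), "203.0.113.55/32", "deny"),
]
# Outbound side of the database subnet: only allowing 3306 back out is a common
# mistake, because the server's replies leave on the client's ephemeral port.
DB_OUTBOUND_WRONG = [Rule(100, "tcp", (3306, 3306), "10.0.1.0/24", "allow")]
DB_OUTBOUND = [Rule(100, "tcp", (1024, 65535), "10.0.1.0/24", "allow")]

def round_trip(inbound, outbound, client_ip, client_port, server_port):
    """Stateless check: the request must pass inbound AND the reply must pass outbound."""
    req, _ = evaluate(inbound, Packet(client_ip, "tcp", server_port))
    reply, _ = evaluate(outbound, Packet(client_ip, "tcp", client_port))
    return req == "allow" and reply == "allow"
```

Running `round_trip(DB_INBOUND, DB_OUTBOUND_WRONG, "10.0.1.25", 51234, 3306)` returns False because the reply to port 51234 falls through to the `*` deny; the corrected outbound set returns True.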

***

### **🔹 Scenario 4: Allow VPC Peering Traffic (Allow)**

✔ SecureCart has **two VPCs connected via VPC Peering**. **Application servers in VPC-A** need to access **APIs in VPC-B** over **port 8080**.

| **Rule #** | **Type**        | **Protocol** | **Port Range** | **Source**            | **Action** |
| ---------- | --------------- | ------------ | -------------- | --------------------- | ---------- |
| 100        | Custom TCP Rule | TCP          | 8080           | `10.0.2.0/24` (VPC-B) | ALLOW      |

✅ **Best Practice**: Add a **corresponding outbound rule** in **both VPCs** to ensure bidirectional traffic.

***

### **🔹 Scenario 5: Deny All Traffic by Default (Deny)**

✔ SecureCart **implements a default deny policy** for better security.\
🚨 **By default, NACLs allow all traffic unless an explicit DENY rule is added**.

| **Rule #**      | **Type**    | **Protocol** | **Port Range** | **Source/Destination** | **Action** |
| --------------- | ----------- | ------------ | -------------- | ---------------------- | ---------- |
| *Explicit Rule* | All Traffic | ALL          | ALL            | `0.0.0.0/0`            | DENY       |

✅ **Best Practice**: This ensures that **only explicitly allowed rules** take effect.

***

### **🔹 Scenario 6: Allow Outbound Access for Software Updates (Allow)**

✔ SecureCart's **EC2 instances in private subnets** need **outbound internet access** via a **NAT Gateway**.

| **Rule #** | **Type** | **Protocol** | **Port Range** | **Destination** | **Action** |
| ---------- | -------- | ------------ | -------------- | --------------- | ---------- |
| 100        | HTTP     | TCP          | 80             | `0.0.0.0/0`     | ALLOW      |
| 110        | HTTPS    | TCP          | 443            | `0.0.0.0/0`     | ALLOW      |

✅ **Best Practice**: The **NAT Gateway must be placed in a public subnet** to facilitate outbound traffic.

***

### **🚀 Summary**

🔹 **Network ACLs (NACLs) provide an additional layer of security** at the **subnet level**, acting as a **stateless firewall**.\
🔹 **Deny rules should be placed before Allow rules** to prevent unintended access.\
🔹 SecureCart uses **NACLs to restrict database access, block malicious IPs, and secure VPC peering**.\
🔹 **Best practices include default deny rules, least privilege access, and proper rule ordering.**
