NACL
A Network Access Control List (NACL) is a stateless firewall that controls inbound and outbound traffic at the subnet level. Unlike Security Groups, NACLs evaluate rules in numerical order, from lowest to highest rule number.
✔ Use Cases for NACLs
Blocking malicious IPs or specific traffic types.
Allowing access to specific trusted networks.
Enforcing additional security layers beyond Security Groups.
🚀 SecureCart Use Case
SecureCart, an e-commerce platform, implements NACLs to protect its subnets from unauthorized access, control external communication, and block malicious traffic.
🔹 Scenario 1: Block All Traffic from a Malicious IP (Deny)
✔ SecureCart detects multiple failed login attempts from IP 203.0.113.55 and wants to block it from accessing any subnet.
| Rule # | Type | Protocol | Port Range | Source / Destination | Action |
|---|---|---|---|---|---|
| 100 | All Traffic | ALL | ALL | 203.0.113.55/32 | DENY |
✅ Best Practice: Always place deny rules before allow rules, i.e. give them lower rule numbers; because evaluation stops at the first matching rule, a broader allow rule numbered below the deny would let the blocked traffic through.
🔹 Scenario 2: Allow Internet Access for a Public Subnet (Allow)
✔ SecureCart’s frontend web servers in a public subnet need outbound internet access to fetch external APIs and software updates.
| Rule # | Type | Protocol | Port Range | Destination | Action |
|---|---|---|---|---|---|
| 100 | HTTP (Web Traffic) | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | HTTPS (Secure Web Traffic) | TCP | 443 | 0.0.0.0/0 | ALLOW |
✅ Best Practice: Ensure that the associated route table has a default route to an Internet Gateway.
🔹 Scenario 3: Restrict Database Access to Only the Application Subnet (Allow)
✔ SecureCart’s MySQL database (RDS instance) is in a private subnet. The only allowed access should come from the application servers in a different subnet.
| Rule # | Type | Protocol | Port Range | Source | Action |
|---|---|---|---|---|---|
| 100 | MySQL/Aurora | TCP | 3306 | 10.0.1.0/24 (App Subnet) | ALLOW |
| 120 | All Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
✅ Best Practice: Restrict database access to only necessary subnets to reduce attack surface.
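The evaluation order described above (lowest rule number first, first match wins, implicit deny when nothing matches), as an added Python model that is not part of the original notes: it shows why the Scenario 1 deny must carry a lower number than any broad allow, and, for Scenario 3, that a stateless NACL also needs an outbound rule for the database's replies to the application subnet. The HTTPS allow rule, the rule numbers, the ephemeral port range 1024-65535 and the app-server address 10.0.1.25 are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    port_from: int   # inclusive port range; 0..65535 means all ports
    port_to: int
    cidr: str        # source CIDR (inbound) or destination CIDR (outbound)
    action: str      # "allow" or "deny"

def evaluate(rules, ip, protocol, port):
    """First matching rule wins, tried in ascending rule-number order;
    if nothing matches, the implicit '*' rule denies the packet."""
    addr = ipaddress.ip_address(ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not r.port_from <= port <= r.port_to:
            continue
        if addr not in ipaddress.ip_network(r.cidr):
            continue
        return r.action, r.number
    return "deny", "*"

# Constructed inbound rule set: Scenario 1's deny (100) followed by an
# assumed allow for HTTPS from anywhere (110).
INBOUND = [
    NaclRule(100, "all", 0, 65535, "203.0.113.55/32", "deny"),
    NaclRule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
# The same two rules with the numbers swapped: the allow now shadows the deny.
INBOUND_MISORDERED = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(110, "all", 0, 65535, "203.0.113.55/32", "deny"),
]
# Scenario 3's outbound side: NACLs are stateless, so the database's replies
# must be allowed explicitly on the app servers' ephemeral ports (range assumed).
OUTBOUND_DB = [NaclRule(100, "tcp", 1024, 65535, "10.0.1.0/24", "allow")]

def check_ordering():
    """Decision for a packet from the blocked IP under both orderings."""
    return (evaluate(INBOUND, "203.0.113.55", "tcp", 443),
            evaluate(INBOUND_MISORDERED, "203.0.113.55", "tcp", 443))

def check_return_path():
    """Reply to an app server on port 49152, with and without the outbound rule."""
    return (evaluate(OUTBOUND_DB, "10.0.1.25", "tcp", 49152)[0],
            evaluate([], "10.0.1.25", "tcp", 49152)[0])
```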
🔹 Scenario 4: Allow VPC Peering Traffic (Allow)
✔ SecureCart has two VPCs connected via VPC Peering. Application servers in VPC-A need to access APIs in VPC-B over port 8080.
| Rule # | Type | Protocol | Port Range | Source | Action |
|---|---|---|---|---|---|
| 100 | Custom TCP Rule | TCP | 8080 | 10.0.2.0/24 (VPC-B) | ALLOW |
✅ Best Practice: Add a corresponding outbound rule in both VPCs to ensure bidirectional traffic.
🔹 Scenario 5: Deny All Traffic by Default (Deny)
✔ SecureCart implements a default deny policy for better security.
🚨 By default, NACLs allow all traffic unless an explicit DENY rule is added.
| Rule # | Type | Protocol | Port Range | Source/Destination | Action |
|---|---|---|---|---|---|
| Explicit Rule | All Traffic | ALL | ALL | 0.0.0.0/0 | DENY |
✅ Best Practice: This ensures that only traffic matched by an explicit allow rule gets through.
🔹 Scenario 6: Allow Outbound Access for Software Updates (Allow)
✔ SecureCart's EC2 instances in private subnets need outbound internet access via a NAT Gateway.
| Rule # | Type | Protocol | Port Range | Destination | Action |
|---|---|---|---|---|---|
| 100 | HTTP | TCP | 80 | 0.0.0.0/0 | ALLOW |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW |
✅ Best Practice: The NAT Gateway must be placed in a public subnet to facilitate outbound traffic.
🚀 Summary
🔹 Network ACLs (NACLs) provide an additional layer of security at the subnet level, acting as a stateless firewall.
🔹 Deny rules should be placed before Allow rules to prevent unintended access.
🔹 SecureCart uses NACLs to restrict database access, block malicious IPs, and secure VPC peering.
🔹 Best practices include default deny rules, least privilege access, and proper rule ordering.