NACL

A Network Access Control List (NACL) is a stateless firewall that controls inbound and outbound traffic at the subnet level. Unlike Security Groups, NACLs evaluate rules in numerical order, from lowest to highest rule number.

✔ Use Cases for NACLs

  • Blocking malicious IPs or specific traffic types.

  • Allowing access to specific trusted networks.

  • Enforcing additional security layers beyond Security Groups.

🚀 SecureCart Use Case

SecureCart, an e-commerce platform, implements NACLs to protect its subnets from unauthorized access, control external communication, and block malicious traffic.


🔹 Scenario 1: Block All Traffic from a Malicious IP (Deny)

✔ SecureCart detects multiple failed login attempts from IP 203.0.113.55 and wants to block it from accessing any subnet.

| Rule # | Type        | Protocol | Port Range | Source / Destination | Action |
|--------|-------------|----------|------------|----------------------|--------|
| 100    | All Traffic | ALL      | ALL        | 203.0.113.55/32      | DENY   |

✅ Best Practice: Give deny rules a lower rule number than any allow rule that would otherwise match the same traffic, so the deny is evaluated first and no unintended access slips through.


🔹 Scenario 2: Allow Internet Access for a Public Subnet (Allow)

✔ SecureCart’s frontend web servers in a public subnet need outbound internet access to fetch external APIs and software updates.

| Rule # | Type                       | Protocol | Port Range | Destination | Action |
|--------|----------------------------|----------|------------|-------------|--------|
| 100    | HTTP (Web Traffic)         | TCP      | 80         | 0.0.0.0/0   | ALLOW  |
| 110    | HTTPS (Secure Web Traffic) | TCP      | 443        | 0.0.0.0/0   | ALLOW  |

✅ Best Practice: Ensure that the associated route table has a default route to an Internet Gateway.


🔹 Scenario 3: Restrict Database Access to Only the Application Subnet (Allow)

✔ SecureCart’s MySQL database (RDS instance) is in a private subnet. The only allowed access should come from the application servers in a different subnet.

| Rule # | Type         | Protocol | Port Range | Source                   | Action |
|--------|--------------|----------|------------|--------------------------|--------|
| 100    | MySQL/Aurora | TCP      | 3306       | 10.0.1.0/24 (App Subnet) | ALLOW  |
| 120    | All Traffic  | ALL      | ALL        | 0.0.0.0/0                | DENY   |

✅ Best Practice: Restrict database access to only necessary subnets to reduce attack surface.
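To make the first-match ordering of the Scenario 3 table and the stateless evaluation described at the top of the page concrete, here is an added Python model of one NACL direction (example code written for this page, not SecureCart's or AWS's own). The DB_INBOUND rules are taken from the Scenario 3 table; the misordered variant, the outbound rule lists and the client IP/port values are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # evaluated in ascending order; the first matching rule wins
    protocol: str    # "tcp", "udp", "icmp" or "all"
    ports: tuple     # inclusive (low, high); ALL_PORTS models "ALL"
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound rules
    action: str      # "ALLOW" or "DENY"

ALL_PORTS = (0, 65535)

def evaluate(rules, protocol, port, address):
    """Stateless first-match evaluation of one packet against one direction's rules.
    Returns (action, rule_number); unmatched traffic hits the implicit '*' DENY."""
    addr = ipaddress.ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if not (rule.ports[0] <= port <= rule.ports[1]):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.action, rule.number
    return "DENY", "*"

def round_trip(inbound, outbound, client_ip, client_port, server_port):
    """A NACL keeps no connection state: the request (inbound) and the reply (outbound)
    are judged separately, so the session only works if both directions are allowed."""
    req, _ = evaluate(inbound, "tcp", server_port, client_ip)
    rep, _ = evaluate(outbound, "tcp", client_port, client_ip)
    return req == "ALLOW" and rep == "ALLOW"

# Scenario 3 inbound rules for the database subnet, as listed on the page.
DB_INBOUND = [
    Rule(100, "tcp", (3306, 3306), "10.0.1.0/24", "ALLOW"),
    Rule(120, "all", ALL_PORTS, "0.0.0.0/0", "DENY"),
]
# Constructed: the same rules with the numbers swapped, so the DENY sorts first and shadows the ALLOW.
DB_INBOUND_MISORDERED = [
    Rule(120, "tcp", (3306, 3306), "10.0.1.0/24", "ALLOW"),
    Rule(100, "all", ALL_PORTS, "0.0.0.0/0", "DENY"),
]
# Constructed outbound rule sets for the database subnet (the page does not list them).
# MySQL replies go back to the client's ephemeral port, so the outbound list needs an allow
# covering 1024-65535 towards the app subnet; with nothing there, the '*' rule drops the replies.
DB_OUTBOUND_OK = [Rule(100, "tcp", (1024, 65535), "10.0.1.0/24", "ALLOW")]
DB_OUTBOUND_MISSING = []
```

With these inputs, evaluate(DB_INBOUND, "tcp", 3306, "10.0.1.25") returns ('ALLOW', 100), the misordered list returns ('DENY', 100) for the same packet, and round_trip(...) is True only with DB_OUTBOUND_OK in place.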


🔹 Scenario 4: Allow VPC Peering Traffic (Allow)

✔ SecureCart has two VPCs connected via VPC Peering. Application servers in VPC-A need to access APIs in VPC-B over port 8080.

| Rule # | Type            | Protocol | Port Range | Source              | Action |
|--------|-----------------|----------|------------|---------------------|--------|
| 100    | Custom TCP Rule | TCP      | 8080       | 10.0.2.0/24 (VPC-B) | ALLOW  |

✅ Best Practice: Add a corresponding outbound rule in both VPCs to ensure bidirectional traffic.


🔹 Scenario 5: Deny All Traffic by Default (Deny)

✔ SecureCart implements a default deny policy for better security. 🚨 By default, NACLs allow all traffic unless an explicit DENY rule is added.

| Rule #        | Type        | Protocol | Port Range | Source/Destination | Action |
|---------------|-------------|----------|------------|--------------------|--------|
| Explicit Rule | All Traffic | ALL      | ALL        | 0.0.0.0/0          | DENY   |

✅ Best Practice: With an explicit deny-all rule in place, only traffic matched by a lower-numbered ALLOW rule gets through.


🔹 Scenario 6: Allow Outbound Access for Software Updates (Allow)

✔ SecureCart's EC2 instances in private subnets need outbound internet access via a NAT Gateway.

| Rule # | Type  | Protocol | Port Range | Destination | Action |
|--------|-------|----------|------------|-------------|--------|
| 100    | HTTP  | TCP      | 80         | 0.0.0.0/0   | ALLOW  |
| 110    | HTTPS | TCP      | 443        | 0.0.0.0/0   | ALLOW  |

✅ Best Practice: The NAT Gateway must be placed in a public subnet to facilitate outbound traffic.


🚀 Summary

🔹 Network ACLs (NACLs) provide an additional layer of security at the subnet level, acting as a stateless firewall.

🔹 Deny rules should be placed before Allow rules to prevent unintended access.

🔹 SecureCart uses NACLs to restrict database access, block malicious IPs, and secure VPC peering.

🔹 Best practices include default deny rules, least privilege access, and proper rule ordering.
