Network Access Control Lists

In AWS, Network Access Control Lists (NACLs) provide an additional layer of security for your VPC (Virtual Private Cloud) by acting as a firewall for traffic at the subnet level.

NACLs are stateless: each packet is evaluated on its own, and no connection state is kept. A packet entering a subnet associated with a NACL is checked against the NACL's inbound rules, and a packet leaving the subnet against its outbound rules, in ascending rule-number order; the first rule that matches decides whether the packet is allowed or denied. Because no state is kept, the response traffic of an allowed connection is not automatically permitted; it must itself match a rule in the opposite direction.

Each NACL has a set of inbound and outbound rules that you can configure to control traffic flow. The rules consist of a rule number, a traffic type (such as HTTP or SSH), and an action (allow or deny). You can also specify a source or destination IP address range for the traffic, as well as a protocol and port range.

NACLs are applied on a per-subnet basis, meaning that each subnet in your VPC can be associated with a different NACL. When a packet enters a subnet, the NACL for that subnet is evaluated to determine whether to allow or deny the traffic.

It’s important to note that NACLs are not a substitute for security groups, which are a more fine-grained and dynamic way of controlling network traffic at the instance level. Instead, NACLs are a complement to security groups, providing an additional layer of security at the subnet level.
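The following Python model is an added example, not code from the page or from AWS. It illustrates the rule evaluation described above (rule numbers evaluated in ascending order, first match wins, implicit deny when nothing matches, stateless handling of response traffic) and, for contrast, the stateful behaviour of a security group. The `Rule`, `Packet`, `NetworkAcl` and `SecurityGroup` names and all addresses are constructed for the illustration; the admin host lives in 203.0.113.0/24 (TEST-NET-3) and the instance at 10.0.1.20.

```python
"""Toy model of NACL rule evaluation versus a stateful security group.
Added example; names, rules and addresses are constructed, not AWS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Set, Tuple, Union


@dataclass(frozen=True)
class Rule:
    number: int      # NACL rules are evaluated in ascending number order
    protocol: str    # "tcp", "udp", "icmp" or "-1" (all traffic)
    port_from: int
    port_to: int
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"

    def matches(self, protocol: str, dst_port: int, addr: str) -> bool:
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        if self.protocol in ("tcp", "udp") and not self.port_from <= dst_port <= self.port_to:
            return False
        return ip_address(addr) in ip_network(self.cidr)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    src_port: int
    dst_port: int


class NetworkAcl:
    """Stateless: every packet is matched against the rules for its own direction."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt: Packet, direction: str) -> Tuple[str, Union[int, str]]:
        rules = self.inbound if direction == "inbound" else self.outbound
        addr = pkt.src if direction == "inbound" else pkt.dst
        for rule in rules:                       # lowest number first, first match wins
            if rule.matches(pkt.protocol, pkt.dst_port, addr):
                return rule.action, rule.number
        return "deny", "*"                       # implicit final deny rule


class SecurityGroup:
    """Stateful: the reply to an already-allowed flow passes without its own rule."""

    def __init__(self, inbound: List[Rule], outbound: List[Rule]) -> None:
        self.inbound, self.outbound = list(inbound), list(outbound)   # allow-only rules
        self.flows: Set[tuple] = set()

    def evaluate(self, pkt: Packet, direction: str) -> Tuple[str, Union[int, str]]:
        key = (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.protocol)
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.protocol)
        if reverse in self.flows:
            return "allow", "tracked"
        rules = self.inbound if direction == "inbound" else self.outbound
        addr = pkt.src if direction == "inbound" else pkt.dst
        for rule in rules:
            if rule.matches(pkt.protocol, pkt.dst_port, addr):
                self.flows.add(key)              # remember the flow so its reply passes
                return "allow", rule.number
        return "deny", "*"


# Constructed sample traffic: SSH from an admin host to the instance, plus the reply.
SSH_SYN = Packet("203.0.113.10", "10.0.1.20", "tcp", 49152, 22)
SSH_REPLY = Packet("10.0.1.20", "203.0.113.10", "tcp", 22, 49152)
BLOCKED_SYN = Packet("203.0.113.50", "10.0.1.20", "tcp", 49152, 22)

INBOUND = [
    Rule(90, "tcp", 22, 22, "203.0.113.50/32", "deny"),    # one host denied ahead of the /24 allow
    Rule(100, "tcp", 22, 22, "203.0.113.0/24", "allow"),
    Rule(200, "tcp", 22, 22, "0.0.0.0/0", "deny"),         # never reached for the /24: 100 matched first
]
OUTBOUND_HTTPS_ONLY = [Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow")]
OUTBOUND_WITH_EPHEMERAL = OUTBOUND_HTTPS_ONLY + [Rule(110, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]


def nacl_decisions() -> dict:
    incomplete = NetworkAcl(INBOUND, OUTBOUND_HTTPS_ONLY)
    fixed = NetworkAcl(INBOUND, OUTBOUND_WITH_EPHEMERAL)
    return {
        "ssh_syn": incomplete.evaluate(SSH_SYN, "inbound"),                         # ("allow", 100)
        "blocked_host": incomplete.evaluate(BLOCKED_SYN, "inbound"),                # ("deny", 90)
        "reply_without_ephemeral_rule": incomplete.evaluate(SSH_REPLY, "outbound"), # ("deny", "*")
        "reply_with_ephemeral_rule": fixed.evaluate(SSH_REPLY, "outbound"),         # ("allow", 110)
    }


def sg_decisions() -> dict:
    sg = SecurityGroup([Rule(1, "tcp", 22, 22, "203.0.113.0/24", "allow")],
                       [Rule(2, "tcp", 443, 443, "0.0.0.0/0", "allow")])
    return {
        "ssh_syn": sg.evaluate(SSH_SYN, "inbound"),       # ("allow", 1)
        "ssh_reply": sg.evaluate(SSH_REPLY, "outbound"),  # ("allow", "tracked"), no ephemeral rule needed
    }


if __name__ == "__main__":
    for name, decision in list(nacl_decisions().items()) + list(sg_decisions().items()):
        print(f"{name:30s} -> {decision}")
```

The "reply_without_ephemeral_rule" case is the one that catches people in practice: the inbound SSH rule is fine, yet the connection hangs because the NACL has no outbound rule covering the client's ephemeral port. The security group with the same allow rules passes the reply because it tracks the flow, which is the substance of the stateful/stateless difference above.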

Last modified July 21, 2024: update (e2ae86c)