Member, September 7, 2021 at 8:04 pm
The Network Access Control List (ACL) is an optional security layer for your VPC. It acts as a firewall for controlling traffic flow to and from one or more subnets. Network ACLs can be set up with rules similar to your security groups.
Each network ACL includes a rule with an * (asterisk) as the rule number. The rule makes sure that if a packet is identified as not matching any of the other numbered rules, traffic is denied. You can't modify or remove this rule.
For inbound traffic:
- Rule 100 would allow traffic from all sources
- Rule * would deny traffic from all sources
Network ACL Rules
- Every subnet in your VPC must be associated with an ACL, failing which the subnet gets automatically associated with your default ACL.
- One subnet can only be linked with one ACL. On the other hand, an ACL can be linked to multiple subnets.
- An ACL has a list of numbered rules that are evaluated in order, starting with the lowest. As soon as a rule matches, it is applied regardless of any higher-numbered rules that may contradict it. AWS recommends incrementing your rules by a factor of 100. This allows for plenty of room to implement new rules at a later date.
- Unlike security groups, ACLs are stateless; responses to allowed inbound traffic are subject to the rules for outbound traffic.
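The two rules that trip people up most are ordering (lowest number wins, so a later deny can be silently shadowed by an earlier allow) and statelessness (an allowed inbound request still needs an outbound rule for the reply on the client's ephemeral port). The following is an added example, not part of the original post and not AWS code: a small Python model of NACL evaluation with constructed rules and addresses, which flags shadowed rules and shows why an outbound ephemeral-port rule is required. The `Rule` class, `evaluate`, `shadowed_rules` and `check_flow` are hypothetical helpers written for this illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One numbered network ACL entry (hypothetical model, not the AWS API)."""
    number: int
    action: str          # "allow" or "deny"
    protocol: str        # "tcp", "udp", "icmp" or "all"
    cidr: str            # source block (inbound) or destination block (outbound)
    port_from: int = 0
    port_to: int = 65535

    def matches(self, protocol: str, addr: str, port: int) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ip_address(addr) not in ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to

    def covers(self, other: "Rule") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (self.protocol in ("all", other.protocol)
                and ip_network(other.cidr).subnet_of(ip_network(self.cidr))
                and self.port_from <= other.port_from
                and other.port_to <= self.port_to)


def evaluate(rules, protocol, addr, port):
    """First match in ascending rule-number order wins; no match hits the '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, addr, port):
            return rule.action, rule.number
    return "deny", "*"


def shadowed_rules(rules):
    """Rule numbers that can never take effect because a lower-numbered rule covers them."""
    ordered = sorted(rules, key=lambda r: r.number)
    return [later.number
            for i, later in enumerate(ordered)
            if any(earlier.covers(later) for earlier in ordered[:i])]


def check_flow(inbound, outbound, client_ip, client_port, server_port, protocol="tcp"):
    """Statelessness: the request and the reply are evaluated independently."""
    request = evaluate(inbound, protocol, client_ip, server_port)
    reply = evaluate(outbound, protocol, client_ip, client_port)
    return request, reply


# Constructed sample ACL (documentation-range addresses, not real infrastructure).
INBOUND = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(110, "deny", "tcp", "203.0.113.0/24", 443, 443),   # shadowed by rule 100
]
OUTBOUND_BROKEN = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),       # no rule for reply ports
]
OUTBOUND_FIXED = OUTBOUND_BROKEN + [
    Rule(200, "allow", "tcp", "0.0.0.0/0", 1024, 65535),    # ephemeral ports for replies
]

if __name__ == "__main__":
    print("block attempt on 203.0.113.7:", evaluate(INBOUND, "tcp", "203.0.113.7", 443))
    print("shadowed rules:", shadowed_rules(INBOUND))
    print("broken outbound:", check_flow(INBOUND, OUTBOUND_BROKEN, "198.51.100.5", 51515, 443))
    print("fixed outbound:", check_flow(INBOUND, OUTBOUND_FIXED, "198.51.100.5", 51515, 443))
```

Rule 110 is a good example of why ordering matters: it was meant to block a /24, but rule 100 already allows everything on port 443, so the deny never fires and `shadowed_rules` reports it. The deny would have to get a lower number than the broad allow. Likewise the "broken" outbound list allows port 443 out but the server's reply goes back to the client's ephemeral port, which only the added rule 200 permits.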