AWS Network Access Control List - What are its Components?

NACL refers to Network Access Control List, which helps provide a layer of security to the Amazon Web Services stack.  

NACL helps in providing a firewall thereby helping secure the VPCs and subnets. It helps provide a security layer which controls and efficiently manages the traffic that moves around in the subnets. It is an optional layer for VPC, which adds another security layer to the Amazon service. 

VPC refers to Virtual private Cloud, which can be visualized as a container that stores subnets. Subnets can be considered as a container, which helps store data.  

Components of NACL

Following are the components of Network Access Control List (NACL): 

• Rule number: Every rule is assigned a unique number. The rule’s priority is also based on the number it is assigned. When it matches to a specific request or traffic, this rule is applied to the request, irrespective of whether another high-numbered rule contradicts it or not.  

Rules are created with specific increments, like the difference between 2 rules is either 1,10, 100 and all the rules created have this same difference.  

• Type: This tells about the type of traffic, like SSH, HTTP, HTTPS.  
• Protocol: Protocol is a set of rules, that is applied to every request, ex: http, https, ICMP, SSH. 
• Portrange: The listening port, which takes in the request from the user, such as HTTP is associated with port 80.  
• Inboundrules: Also known as source. These rules talk about the source from where the request or traffic is coming from, and about the destination port/ the port through which the response is sent.  
• Outboundrules: Also known as destination. These rules talk about where the response should be sent and about the destination port.  
• Allow/Deny: Whether the specific traffic has to be allowed or denied.  

There are two types of NaCl: 

1. Customized NACL: It can also be understood as a user-defined NACL, and its inherent characteristic is to deny any incoming and outgoing traffic until a rule is added to handle the traffic.  
2. Default NACL: This is the opposite of customized NACL, which allows all the traffic to flow in and out of the network. It also comes with a specific rule which is associated with a rule number, and it can’t be modified or deleted. When the request doesn’t match with its associated rule, the access to it is denied. When a rule is added or removed, changes are automatically applied to the subnets which are associated with it.  

Let us consider the below use case: 

When a website needs to be accessed, the request from the user has to hit the right port, and the website has to access the database and by extracting the appropriate data, it has to give back a response to the user.  

The VPC comes in-built with a default NACL, which applies to ipv4 traffic. A custom NACL can be created, which can be associated with a subnet. This customized NACL’s default behaviour is to deny incoming and outgoing ipv4 traffic. It has to be specified rules, so as to behave in a certain way when it receives a request.  

Multiple subnets can be bound with a single NACL, but one subnet can be bound with a single NACL only, at a time.  

Conclusion 

In this post, we saw how a network ACL can be used to secure amazon services.