Network Access Control List (NACL)

Question 1

What are NACLs?

Answer 1

They are a type of security filters (like firewalls) that can filter traffic as it enters or leaves a subnet.

Question 2

What traffic can a NACL control/filter?

Answer 2

Traffic that enters/leaves a subnet

Question 3

To what network conponent are attached?

Answer 3

To subnets

Question 4

Can NACLs be associated with resources?

Answer 4

No, they are associated with subnets

Question 5

Do VPCs have default NACLs associated with them?

Answer 5

Yes, they are associated with all subnets of that VPC by default.

Question 6

What do NACLs do when 2 EC2 instances in a subnet want to communicate?

Answer 6

Nothing, because they interact only with data leaving and entering subnets.

Question 7

What types of sets of rules do NACLs have?

Answer 7

INBOUND rules and OUTBOUND rules

Question 8

How do NACLs manage multiple rules? Is there any prioritization?

Answer 8

Yes, there is a priority rule.

The lower the rule number, the higher the priority.

Question 9

What happens when a set of rules is matched by the NACL? Can NACLs consider multiple rules?

Answer 9

No, once a rule is matched, the NACL stops processing for that piece of traffic.

Question 10

What types of actions can you specify in NACL rules?

Answer 10

(Explicitly) ALLOW or DENY

Question 11

What fields can you find in NACL rules?

Answer 11

1. Type
2. Protocol: tcp, udp, icmp
3. Port range
4. For inbound rules: source
5. For outbound rules: destination

Question 12

What protocols are supported in NACLs?

Answer 12

tcp, udp or icmp

Question 13

Define protocol and port range for SSH traffic

Answer 13

tcp port 22

Question 14

Define protocol and port range for http traffic

Answer 14

tcp port 80

Question 15

Define protocol and port range for https traffic

Answer 15

tcp port 443

Question 16

Define protocol and port range for ping traffic

Answer 16

icmp, no port

Question 17

Is there a default rule in NACLs in case no explicit rule sets exist?

Answer 17

Yes, there a rule at the bottom ‘*’, it is the default implicit deny and another rule with number 100 (EXPLICIT ALLOW)

Question 18

What happens if no rules are matched for given traffic?

Answer 18

A default rule is applied –> Implicit DENY

Question 19

What is the most important feature of why NACLs are used?

Answer 19

They can EXPLICITLY ALLOW or DENY traffic.

Question 20

Can the ‘*’ rule or implicit DENY be removed?

Answer 20

No, it can never be removed

Question 21

Can the default rule #100 or explicit ALLOW be removed or adjusted?

Answer 21

Yes

Question 22

Are NACLs designed to block traffic by default?

Answer 22

No, they have 2 rules, one Explicit ALLOW and one Implicit DENY. As long as you have the Explicit ALLOW (#100) in your rules, all the traffic will be allowed by default.

Question 23

What is one of the disadvantages of using NACLs?

Answer 23

They are stateless and each stream of traffic needs to be configured with individual rules (request + response streams)

Question 24

What data do NACLs filter?

Answer 24

Data crossing subnets

Question 25

What is a common use for NACLs?

Answer 25

Blocking particular things, deny traffic to bad IPs/nets.

Question 26

How many NACLs can you assign to a subnet?

Answer 26

Only one at a time.

Question 27

Explain the Priority to process rules when using NACLs

Answer 27

NACLs are processed in order starting at the lowest rule number until it gets to the catch all. A rule with a lower rule number will be processed before another rule with a higher rule number.