An AWS Network Access Control List (ACL), often referred to as a Network ACL or simply ACL, is a virtual firewall that controls traffic at the subnet level in Amazon Web Services (AWS). It acts as an optional layer of security that allows you to define rules for controlling inbound and outbound traffic to and from your AWS VPC (Virtual Private Cloud) subnets. Here are the key aspects of AWS Network ACLs:
Key Features and Characteristics
Subnet-Level Control:
- Network ACLs are associated with subnets within your VPC, not with individual instances like Security Groups.
- They provide an additional layer of defense by filtering traffic at the subnet boundary.
Stateless Filtering:
- Network ACLs are stateless, meaning you must explicitly define rules for both inbound and outbound traffic separately.
- Each rule applies to packets moving in one direction (inbound or outbound) and must be separately defined for the opposite direction.
Rule Order and Evaluation:
- Rules are evaluated in order, starting with the lowest numbered rule.
- The first rule that matches the traffic is applied and evaluation stops, so an explicit allow or deny overrides any higher-numbered rule that would also have matched.
Numbering and Structure:
- Each subnet in a VPC has a default Network ACL associated with it.
- You can create custom Network ACLs and associate them with specific subnets within the VPC.
- Rules are defined based on IP protocol (TCP, UDP, ICMP) and port number ranges.
Default Behavior:
- By default, a Network ACL denies all inbound and outbound traffic. You must explicitly define rules to allow traffic.
Logging and Monitoring:
- You can enable logging on a Network ACL to capture detailed information about traffic flow, which can help in troubleshooting and auditing network activities.
Use Cases:
- Security Policies: Implement specific security policies for traffic entering or leaving a subnet, such as allowing only certain IP ranges or protocols.
- Compliance Requirements: Enforce compliance requirements by restricting or auditing traffic flow at the network level.
- Defense in Depth: Provide an additional layer of defense alongside Security Groups to enhance network security within your VPC.
Example Scenario
Let’s consider an example scenario where you have a subnet in your VPC that hosts web servers:
Network ACL Rules:
- Allow inbound HTTP (port 80) traffic from any source.
- Allow outbound HTTP (port 80) traffic to any destination.
- Allow outbound HTTPS (port 443) traffic to any destination.
- Deny all other inbound and outbound traffic by default (implicit deny).
Implementation:
- You would create a custom Network ACL and associate it with the subnet that contains your web servers.
- Define the above rules in the Network ACL to control the traffic flow according to your security requirements.
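As an added illustration (not part of the original article), the following Python model evaluates the scenario's rules the way a Network ACL does: lowest-numbered matching rule wins, no connection state is kept, and unmatched traffic hits the implicit deny. It also shows the outbound ephemeral-port rule that the stateless design requires before HTTP replies can leave the subnet; the rule numbers, IP addresses and client port are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

EPHEMERAL = (1024, 65535)   # client-side source ports that replies are sent back to

@dataclass(frozen=True)
class Rule:
    number: int            # rules are evaluated from the lowest number upward
    protocol: str          # "tcp", "udp", "icmp" or "all"
    ports: tuple           # (low, high) destination port range
    cidr: str              # remote CIDR block ("0.0.0.0/0" = anywhere)
    action: str            # "allow" or "deny"

def evaluate(rules, protocol, port, remote_ip):
    """Apply the first matching rule; if none matches, the final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if (rule.protocol in ("all", protocol) and low <= port <= high
                and ip_address(remote_ip) in ip_network(rule.cidr)):
            return rule.action
    return "deny"   # implicit deny: the packet is dropped

# The scenario's rules as written (constructed sample; no ephemeral-port rule yet)
inbound = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow")]
outbound = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
            Rule(110, "tcp", (443, 443), "0.0.0.0/0", "allow")]

def web_session(inbound, outbound, client_ip="198.51.100.7", client_port=51515):
    """One HTTP request and its reply through the stateless ACL."""
    request = evaluate(inbound, "tcp", 80, client_ip)           # client -> server:80
    reply = evaluate(outbound, "tcp", client_port, client_ip)   # server -> client:ephemeral
    return request, reply

def fixed_outbound(rules):
    """Add the outbound ephemeral-port rule a stateless ACL needs for replies."""
    return rules + [Rule(120, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(web_session(inbound, outbound))                  # ('allow', 'deny')
    print(web_session(inbound, fixed_outbound(outbound)))  # ('allow', 'allow')
    # Rule order: a lower-numbered deny for one range wins over the later allow
    blocked = [Rule(90, "tcp", (80, 80), "203.0.113.0/24", "deny")] + inbound
    print(evaluate(blocked, "tcp", 80, "203.0.113.9"),     # deny
          evaluate(blocked, "tcp", 80, "198.51.100.7"))    # allow
```

Without the ephemeral-port rule the request is admitted but the server's reply is dropped at the subnet boundary, which is the classic symptom of forgetting that Network ACLs are stateless.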
Management and Configuration
You can manage Network ACLs using the AWS Management Console, AWS CLI, or AWS SDKs. Here are some common tasks:
- Create a Network ACL: Use the create-network-acl command in the AWS CLI to create a new Network ACL.
- Associate a Network ACL with a Subnet: Use the replace-network-acl-association command to associate a Network ACL with a specific subnet.
- Define Rules: Use commands like create-network-acl-entry (for CLI) or configure rules through the AWS Management Console to define inbound and outbound rules.
By leveraging AWS Network ACLs, you can enhance the security and compliance of your AWS VPC environment by controlling and monitoring network traffic at the subnet level, alongside other AWS security features like Security Groups and IAM policies.