AWS NACL (Network Access Control List)

AWS Network Access Control Lists (NACLs) provide security features for Virtual Private Clouds (VPCs) by defining inbound and outbound rules for subnets. NACLs are stateless and can be customized to control traffic flow, distinguishing between different VPCs and subnets. They operate at the subnet level, unlike Security Groups, which function at the instance level, and can be associated with multiple subnets within a VPC.


3/5/25, 7:51 PM AWS NACL (Network Access Control List) - GeeksforGeeks

AWS NACL (Network Access Control List)


Last Updated : 29 Apr, 2024

Amazon Web Services provides a wide range of services and makes sure that using them does not
mean compromising on security. AWS treats security as the highest priority and provides a
comprehensive set of tools and features to help users protect their data and applications in
the cloud.

Section 1: What Are Network Access Control Lists (NACLs)?


One such security feature provided by AWS (Amazon Web Services) is the Network Access
Control List (NACL). A default NACL is created for every Virtual Private Cloud (VPC).
However, you can create custom NACLs according to your requirements. A NACL defines the
inbound and outbound rules for the subnets in a VPC. NACLs have almost the same function as
Security Groups; the main difference is that a NACL works at the subnet level, whereas
Security Groups are defined for instances and other resources.

Section 2: Why Use NACLs?


Example 1:

Consider a scenario where you have two VPCs (VPC One and VPC Two) and VPC peering is
established between them. When a request comes from VPC Two for a particular subnet of
VPC One, how does VPC One decide whether to accept it? For this we use a NACL. In the NACL
we define which traffic is permitted to enter and leave subnet One.

Example 2:

Suppose you have a VPC with two subnets, subnet one and subnet two, and you want to give
someone permission to work only with the resources in subnet two. This can be done using a
NACL: only permitted users are given access to the subnet, after being verified by their IP
address. Let's understand with a diagram:


1. When a VPC is created, a modifiable default NACL is created for the subnets of the VPC. If
we do not intend to use the default one, we can explicitly create our own NACL. If we do not
explicitly associate a NACL with a subnet, the default one is associated automatically.
2. The default NACL allows all inbound and outbound traffic from anywhere.
3. A Network ACL can be associated with multiple subnets. However, a subnet can only be
associated with a single NACL. If a subnet that is already associated with one NACL is
attached to another, the old association is removed.
4. A NACL contains inbound and outbound rules, each with a rule number (1 to 32766). Rules are
evaluated in order of rule number, deciding whether to allow or deny the traffic.
5. NACLs are stateless, which means that information about previous traffic is not saved.

Section 3: Key Concepts and Terminologies


Rule Number: Rules are numbered from 1 to 32766 and are evaluated in ascending order, from
lower to higher. If a lower-numbered rule matches the traffic, it is applied regardless of
any higher-numbered rule that contradicts it.
Protocol: The protocol the traffic must match (e.g. ICMP, TCP).
Port Number: The listening port the rule applies to (e.g. port 80 for HTTP).
Source: Inbound rules only; the source CIDR range the rule applies to.
Destination: Outbound rules only; the destination CIDR range the rule applies to.
Type: The type of traffic, either All traffic or a specific type such as "SSH".
Allow/Deny: Whether matching traffic is allowed or denied.

Section 4: Creating and Managing NACLs


Step 1: In AWS, first create a VPC.


Step 2: Create a subnet and associate it with a route table.

Step 3: Go to Network ACLs; you will find the default NACL there.

Now create your own:


Click on Create network ACL.

Give it a name.
To attach it to your VPC, choose your VPC under VPC.
Click on Create.

Step 4: Click on the NACL you created, go to Subnet associations and click on Edit subnet
associations.

Step 5: Select the desired subnet and save the changes.


Go to the inbound rules of the NACL and click on Edit inbound rules.

Step 6: In the edit rules page, add rule number 90 for SSH type traffic, give your PC's IP
address as the source and set the action to "Deny". Save the changes.

Section 5: Testing NACL


Now create an instance in the same subnet with the default security group (this is only to
show how the NACL works; the best practice is to use your own Security Group).


Now try to SSH into the server from your terminal. You will not be able to SSH into the
server, because the NACL rule denies it.
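To make the rule-evaluation behaviour from Section 3 and the deny rule from Step 6 concrete, here is an added Python simulation of how a NACL decides on a packet. It is not code from the original article or from AWS; the addresses and the rule set are constructed for illustration, and the simulation covers only the protocol, port and CIDR fields the article describes.

```python
from ipaddress import ip_address, ip_network

# Constructed inbound rule set mirroring Step 6: rule 90 denies SSH from the
# admin PC, rule 100 is the "allow all" entry the default NACL carries.
# 203.0.113.10 is a documentation address standing in for "your PC's IP".
def build_rules():
    return [
        {"rule": 90, "proto": "tcp", "ports": (22, 22),
         "cidr": "203.0.113.10/32", "action": "deny"},
        {"rule": 100, "proto": "all", "ports": (0, 65535),
         "cidr": "0.0.0.0/0", "action": "allow"},
    ]


def evaluate(rules, proto, port, addr):
    """Return 'allow' or 'deny' for one packet.

    Rules are tried in ascending rule-number order and the first match wins,
    so a lower-numbered deny beats a higher-numbered allow. `addr` is the
    source for inbound rules and the destination for outbound rules.
    """
    for r in sorted(rules, key=lambda r: r["rule"]):
        proto_ok = r["proto"] == "all" or r["proto"] == proto
        lo, hi = r["ports"]
        port_ok = lo <= port <= hi
        cidr_ok = ip_address(addr) in ip_network(r["cidr"])
        if proto_ok and port_ok and cidr_ok:
            return r["action"]
    return "deny"  # the implicit final "*" rule of every NACL


def session_allowed(inbound, outbound, client_ip, server_port, client_port):
    """Stateless check of a TCP exchange: the request (inbound to the server
    port) and the reply (outbound to the client's ephemeral port) are each
    evaluated on their own, because a NACL remembers nothing about flows."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    rules = build_rules()
    print("SSH from admin PC:", evaluate(rules, "tcp", 22, "203.0.113.10"))
    print("SSH from elsewhere:", evaluate(rules, "tcp", 22, "198.51.100.7"))
    print("HTTP session, no outbound rules:",
          session_allowed(rules, [], "198.51.100.7", 80, 40000))
```

The last call shows the stateless caveat: with no outbound rule for the reply, the request is allowed in but the response is dropped, which is why a NACL needs matching ephemeral-port rules that a stateful Security Group does not.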

FAQs On NACL

1. How Does An NACL Differ From A Security Group?

NACLs operate at the subnet level and are stateless, whereas Security Groups operate at
the instance level and are stateful.

2. What are the default rules in an NACL?

By default, AWS NACL has rule number 100 to allow all inbound and outbound traffic.

3. Can NACLs Be Associated With Multiple Subnets?

Yes, you can associate an NACL with one or more subnets within a VPC. This allows you
to apply the same set of rules to multiple subnets.
