What is a Network Access Control List (NACL) in AWS?
A subnet-level stateless firewall that filters traffic entering and exiting a subnet.
Are NACLs stateful or stateless?
Stateless.
What does stateless mean for NACLs?
They do not track connections. You must define rules for both the request and the response.
What traffic does a NACL filter?
Only traffic crossing the subnet boundary. Intra-subnet traffic is unaffected.
What two sets of rules does a NACL have?
Inbound rules (for traffic entering the subnet) and outbound rules (for traffic leaving the subnet).
Do NACLs allow explicit deny rules?
Yes, NACLs support both explicit allow and deny rules.
How are NACL rules evaluated?
In order of ascending rule number. First match wins, then evaluation stops.
What happens if no rule matches in a NACL?
An implicit deny is applied.
What is the default behavior of a newly created custom NACL?
All traffic is denied by default.
What is the default NACL behavior when a VPC is created?
Allows all traffic in and out by default.
Can a NACL be associated with multiple subnets?
Yes. One NACL can be associated with many subnets.
Can a subnet be associated with multiple NACLs?
No. One subnet can only have one NACL at a time.
Do NACLs understand AWS logical resources like instances or security groups?
No, NACLs only use IPs, CIDRs, ports, and protocols.
Why are NACLs used alongside security groups?
To explicitly deny traffic from known bad IPs or ranges, something SGs cannot do.
What makes configuring NACLs complex in multi-tier architectures?
You need separate inbound and outbound rules on both communicating subnets for both requests and responses.
Why do stateless firewalls often require wide port allowances?
Because ephemeral ports used for responses vary and can't be predicted.
What does an ephemeral port range typically include?
TCP ports 1024–65535 (OS-dependent).
What does associating a NACL with a subnet do?
It applies the NACL’s rules to all traffic entering or leaving that subnet.
Can you explicitly block a bad IP using a NACL?
Yes, using a deny rule with the bad actor’s IP.
What is a Security Group in AWS?
A stateful virtual firewall attached to an elastic network interface (ENI), controlling inbound and outbound traffic.
Are security groups stateful or stateless?
Stateful.
What does stateful mean for security groups?
If a request is allowed, the corresponding response is automatically allowed.
Can security groups have explicit deny rules?
No. They only allow implicit deny — if not allowed, it’s denied.
What happens if you don’t define a rule in a security group?
The traffic is implicitly denied.
What level do security groups apply to?
They are attached to ENIs (Elastic Network Interfaces), not subnets or instances directly.
Can a security group be attached to multiple ENIs?
Yes.
Can you reference another security group in a rule?
Yes. This is called logical referencing.
What is the benefit of referencing a security group in another?
It allows dynamic and scalable permissioning across tiers without managing IPs.
Can a security group reference itself?
Yes, enabling intra-group traffic like cluster coordination or replication.
What traffic direction do security groups evaluate?
Both inbound and outbound. But responses to allowed traffic are auto-allowed.
Can security groups simplify ephemeral port management?
Yes. You don’t need to manage ephemeral port rules — it’s handled automatically.
Do security groups support CIDR-based rules?
Yes, and they also support referencing logical AWS resources.
What’s an example use case for security group self-referencing?
High-availability systems like clustered databases, allowing communication between nodes.
Can you block a specific IP with a security group?
No, you need to use a NACL to explicitly block IPs or CIDR ranges.
Should you use SGs or NACLs to allow traffic?
Use SGs to allow, and NACLs to explicitly deny/block where necessary.
What is a key difference in how NACLs and SGs process rules?
NACLs are processed by rule order (numbered), SGs process all rules and apply the most permissive match.
Which offers finer control over blocking traffic?
NACLs, due to explicit deny support.
Which is more flexible and scalable in dynamic architectures?
Security Groups, especially with logical resource referencing.
What is the default behavior of a security group?
Deny all traffic unless explicitly allowed.
What happens to a new EC2 instance if no SGs are attached?
It will have no access until at least one SG allows traffic.
Can security groups be changed after instance creation?
Yes, they can be added or removed at any time.
What happens if you reference SG-A inside SG-B?
All resources associated with SG-A can access resources associated with SG-B, per the defined rules.