Amazon-VPC [SOLVED]: Amazon VPC NACL default rules evaluation order Home › Forums › Amazon Web Services › Amazon VPC › Amazon-VPC [SOLVED]: Amazon VPC NACL default rules evaluation order Tagged: amazon-vpc, amazon-web-services Viewing 2 posts - 1 through 2 (of 2 total) Author Posts August 9, 2017 at 1:57 am #166025 Cloudy PointKeymaster Question With my understanding, NACL (Network Access Control List) is the subnet firewall. I’m trying to understand what are the defaults when creating a NACL: Rule #100 – all ports from all IPs are allowed by default, otherwise All is denied So, bottom line, is all allowed or denied? I know that according to AWS best practices, all access should be disabled by default. August 9, 2017 at 1:57 am #166026 Cloudy PointKeymaster Answer The rules are evaluated in number order. As soon as the traffic matches the rule, the Allow/Deny is applied and evaluation ends. Therefore, the default rule that you show above Allows all traffic. Nothing falls through to the default rule. This numbered logic is handy for something like this, that denies ICMP traffic, then allows everything else: Here’s one that uses the default rule to only allow HTTPS: Source: https://stackoverflow.com/questions/45296616/amazon-vpc-nacl-default-rules-evaluation-orderAuthor: John RotensteinThis work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Author Posts Viewing 2 posts - 1 through 2 (of 2 total) You must be logged in to reply to this topic.