Amazon-VPC [SOLVED]: Amazon VPC NACL default rules evaluation order

    Cloudy Point
    Keymaster

    Question

    With my understanding, NACL (Network Access Control List) is the subnet firewall.

    I’m trying to understand what the defaults are when creating a NACL:

    • Rule #100 – all ports from all IPs are allowed by default, otherwise
    • All is denied

    So, bottom line, is all allowed or denied? I know that according to AWS best practices, all access should be disabled by default.

    [Image: Rules]


    Cloudy Point
    Keymaster

    Accepted Answer

    The rules are evaluated in number order.

    As soon as the traffic matches the rule, the Allow/Deny is applied and evaluation ends.

    Therefore, the default rule that you show above Allows all traffic. Nothing falls through to the default rule.

    This numbered logic is handy for something like this, which denies ICMP traffic and then allows everything else:

    [Image: NACL rules]

    Here’s one that uses the default rule to only allow HTTPS:

    [Image: NACL rule]

    Source: https://stackoverflow.com/questions/45296616/amazon-vpc-nacl-default-rules-evaluation-order
    Author: John Rotenstein
    This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
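    The evaluation order described in the answer, as an added example that is not part of the original thread or of any AWS tooling: a small Python model of one NACL direction (rules tried in ascending number order, first match wins, the non-editable `*` rule denying whatever falls through). The three rule sets mirror the question's default NACL and the two screenshots in the answer; the rule numbers 100/200 used for the ICMP-deny set are an assumption, since the screenshots are not reproduced on the page. A fourth, misordered set and a `shadowed_rules` audit helper show the failure mode a reviewer would check for: a deny placed after a broader allow never fires. Real NACLs are stateless and keep separate inbound and outbound lists; this model covers a single list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed model of NACL evaluation for one direction (e.g. inbound).
# Not AWS code; rule numbers below are assumptions where the thread gives none.


@dataclass(frozen=True)
class NaclRule:
    number: int                       # evaluated in ascending order
    protocol: str                     # "all", "tcp", "udp" or "icmp"
    cidr: str                         # source (inbound) or destination (outbound)
    ports: Optional[Tuple[int, int]]  # inclusive port range; None = all / not applicable
    action: str                       # "allow" or "deny"

    def matches(self, protocol: str, ip: str, port: Optional[int]) -> bool:
        """True if this rule applies to the given packet."""
        if self.protocol != "all" and self.protocol != protocol:
            return False
        if ip_address(ip) not in ip_network(self.cidr):
            return False
        if self.ports is not None and protocol in ("tcp", "udp"):
            if port is None or not (self.ports[0] <= port <= self.ports[1]):
                return False
        return True


def evaluate(rules: List[NaclRule], protocol: str, ip: str, port: Optional[int] = None):
    """Return (rule_number, action) of the first matching rule in number order.
    If nothing matches, the implicit '*' rule denies the packet."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, ip, port):
            return rule.number, rule.action
    return "*", "deny"


def shadowed_rules(rules: List[NaclRule]) -> List[int]:
    """Numbers of rules that can never match because an earlier rule already
    decides all of their traffic (same-or-broader protocol, CIDR and ports)."""
    ordered = sorted(rules, key=lambda r: r.number)
    shadowed = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            proto_covers = earlier.protocol in ("all", later.protocol)
            cidr_covers = ip_network(later.cidr).subnet_of(ip_network(earlier.cidr))
            ports_cover = earlier.ports is None or (
                later.ports is not None
                and earlier.ports[0] <= later.ports[0]
                and later.ports[1] <= earlier.ports[1]
            )
            if proto_covers and cidr_covers and ports_cover:
                shadowed.append(later.number)
                break
    return shadowed


# The default NACL from the question: rule 100 allows all, so '*' never fires.
DEFAULT_RULES = [NaclRule(100, "all", "0.0.0.0/0", None, "allow")]

# The answer's first screenshot, reconstructed (numbers 100/200 are assumed):
# deny ICMP first, then allow everything else.
DENY_ICMP_THEN_ALLOW = [
    NaclRule(100, "icmp", "0.0.0.0/0", None, "deny"),
    NaclRule(200, "all", "0.0.0.0/0", None, "allow"),
]

# The answer's second screenshot: rule 100 allows only HTTPS; '*' denies the rest.
HTTPS_ONLY = [NaclRule(100, "tcp", "0.0.0.0/0", (443, 443), "allow")]

# Same two rules as DENY_ICMP_THEN_ALLOW with the numbers swapped: the
# allow-all is evaluated first, so the ICMP deny is dead configuration.
MISORDERED = [
    NaclRule(100, "all", "0.0.0.0/0", None, "allow"),
    NaclRule(200, "icmp", "0.0.0.0/0", None, "deny"),
]


if __name__ == "__main__":
    src = "203.0.113.5"  # constructed documentation address
    print("default, ssh      ->", evaluate(DEFAULT_RULES, "tcp", src, 22))
    print("deny-icmp, ping   ->", evaluate(DENY_ICMP_THEN_ALLOW, "icmp", src))
    print("deny-icmp, https  ->", evaluate(DENY_ICMP_THEN_ALLOW, "tcp", src, 443))
    print("https-only, ssh   ->", evaluate(HTTPS_ONLY, "tcp", src, 22))
    print("misordered, ping  ->", evaluate(MISORDERED, "icmp", src))
    print("misordered shadow ->", shadowed_rules(MISORDERED))
```

    Running it shows the answer's point directly: with the default rule set every packet hits rule 100 and the `*` deny is unreachable, while in the HTTPS-only set anything that is not TCP/443 falls through to `*`. The `shadowed_rules` check flags rule 200 in the misordered set, which is the kind of ordering mistake worth catching in review before a NACL change is applied.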
