NACL - Networking 101


Definition

  • NACLs are like a firewall that controls traffic to and from subnets.
  • One NACL per subnet; new subnets are assigned the default NACL.


  • Principles for defining NACL rules:
  • Rules have a number (1-32766); a lower number means higher precedence.
  • The first matching rule drives the decision.
  • Example: if you define #100 ALLOW 10.0.0.7/32 and #200 DENY 10.0.0.7/32, the IP address will be allowed, because rule #100 has higher priority than rule #200.
  • The last rule is an asterisk (*); it denies traffic when no other rule matches.
  • AWS recommends adding rules in increments of 100, so that you can later insert a rule between existing ones without renumbering.


  • Newly created NACLs deny everything by default.
  • NACLs are a great way of blocking a specific IP address at the subnet level.
  • A NACL wraps around the subnet for protection.


[Image: VPC diagram; the rectangles around the subnets are NACLs.]

Default NACL

  • Accepts everything inbound/outbound for the subnets it is associated with.



Ephemeral ports

  • For two endpoints to establish a connection they must use ports.
  • A client connects to a defined port and expects the response on an ephemeral port.
  • Different operating systems use different ephemeral port ranges: IANA & MS Windows -> 49152 - 65535; Linux -> 32768 - 60999.



  • [Image: the diagram below illustrates NACLs with ephemeral ports.]



Web Tier

  • Web Subnet (Public): This subnet hosts the web servers (EC2 instances) that are accessible from the internet.
  • Web-NACL: The Network ACL associated with the Web Subnet has the following rules:
  • Outbound Rule: Allows outbound TCP traffic on port 3306 to the Database Subnet CIDR. This rule enables the web servers to communicate with the database server.
  • Inbound Rule: Allows inbound TCP traffic on ports 1024-65535 from the DB Subnet CIDR. This rule permits responses from the database server to reach the web servers.

Database Tier

  • DB Subnet (Private): This subnet hosts the database server (Amazon RDS instance) that is not directly accessible from the internet.
  • DB-NACL: The Network ACL associated with the DB Subnet has the following rules:
  • Inbound Rule: Allows inbound TCP traffic on port 3306 from the Web Subnet CIDR. This rule permits the database server to receive requests from the web servers.
  • Outbound Rule: Allows outbound TCP traffic on ephemeral ports (1024-65535) to the Web Subnet CIDR. This rule enables the database server to send responses back to the web servers.
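The following is an added example, not code from the original article, that models the two ideas above: first-match evaluation by ascending rule number with the implicit `*` deny, and the stateless DB-NACL, where the inbound 3306 rule and the outbound ephemeral-port rule must both match for a query to succeed. The CIDRs and addresses are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # 1-32766; the lowest number wins
    action: str     # "allow" or "deny"
    protocol: str   # "tcp" or "all"
    cidr: str       # remote address range this rule covers
    port_from: int
    port_to: int


def evaluate(rules, protocol, remote_ip, port):
    """Stateless first-match evaluation as a NACL does it: walk the rules in
    ascending number order and let the first rule covering the packet decide.
    If no rule matches, the implicit '*' rule denies."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"  # the '*' rule


# The article's ordering example: #100 allows and #200 denies the same host.
ORDERING_DEMO = [
    Rule(100, "allow", "all", "10.0.0.7/32", 0, 65535),
    Rule(200, "deny", "all", "10.0.0.7/32", 0, 65535),
]

# Constructed DB-NACL for the two-tier design; the Web Subnet CIDR is assumed.
WEB_CIDR = "10.0.1.0/24"
DB_NACL_INBOUND = [Rule(100, "allow", "tcp", WEB_CIDR, 3306, 3306)]
DB_NACL_OUTBOUND = [Rule(100, "allow", "tcp", WEB_CIDR, 1024, 65535)]


def db_query_roundtrip(web_ip, client_port):
    """A NACL keeps no connection state, so the request (to port 3306) and the
    response (to the client's ephemeral port) are checked independently."""
    request = evaluate(DB_NACL_INBOUND, "tcp", web_ip, 3306)
    response = evaluate(DB_NACL_OUTBOUND, "tcp", web_ip, client_port)
    return request == "allow" and response == "allow"
```

Dropping the outbound ephemeral rule makes `db_query_roundtrip` fail even though the inbound rule still matches, which is the symptom of a missing ephemeral-port rule in practice.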

[Image: comparison of NACLs vs Security Groups.]



More articles by Lê Quốc Dũng
