Introduction
AWS Network ACLs act as a stateless firewall layer controlling inbound and outbound traffic for subnets. Network ACLs provide an additional security boundary beyond security groups, filtering traffic at the subnet level before it reaches individual resources. This guide explains how to configure, manage, and optimize Network ACLs for robust subnet security.
Understanding Network ACLs proves essential for architects designing multi-tier cloud environments. The stateless nature of NACLs requires explicit rules for both directions of permitted traffic, distinguishing them from stateful security groups.
Key Takeaways
- Network ACLs operate at the subnet level with stateless packet filtering
- Rules are evaluated by rule number in ascending order
- Network ACLs support both allow and deny explicit rules
- Default NACLs allow all traffic; custom NACLs deny all by default
- Security groups and NACLs work together for defense-in-depth
What is AWS Network ACL
AWS Network Access Control Lists (Network ACLs) represent optional security layers for VPCs that control traffic flow into and out of one or more subnets. According to AWS documentation, Network ACLs contain numbered rules evaluated in sequence from lowest to highest.
Each rule specifies a protocol type, port range, and source or destination IP address. Network ACLs apply automatically to all instances within associated subnets without requiring installation on individual EC2 instances.
Network ACLs function as the first line of defense in AWS networking architecture. They establish perimeter security at the subnet boundary, determining which traffic enters or leaves the network segment.
Why Network ACLs Matter
Network ACLs deliver granular control over subnet-level traffic patterns that security groups cannot provide. Organizations requiring compliance frameworks often mandate Network ACL implementation as part of network segmentation strategies.
The ability to explicitly deny traffic before it reaches instances proves critical for blocking known malicious IP ranges. Security groups alone cannot achieve this stateless filtering behavior where return traffic requires explicit permission.
Financial services and healthcare organizations rely on Network ACLs to meet regulatory requirements for network isolation. The ISO 27001 standard emphasizes network segmentation as a fundamental security control.
How Network ACLs Work
Network ACLs evaluate packets using a numbered rule system. When traffic matches a rule, the action (allow or deny) executes immediately without evaluating subsequent rules.
Rule Evaluation Process
Rule processing follows this sequential logic:
- Packet arrives at subnet interface
- Evaluate lowest numbered rule matching packet attributes
- Apply rule action (ALLOW or DENY)
- Stop processing if match found
- Use implicit DENY if no rules match
Rule Structure Formula
Each NACL rule follows this format: Rule Number + Protocol + Source/Destination + Port Range + Action. The formula determines evaluation priority and matching criteria.
Example rule configuration: Rule 100 permits inbound TCP port 443 from 0.0.0.0/0 for HTTPS; Rule 200 permits outbound TCP ports 1024-65535 to 0.0.0.0/0 so that responses can reach clients' ephemeral ports.
Used in Practice
Implementing Network ACLs for a three-tier web application requires separate subnets for web, application, and database layers. The web subnet NACL permits HTTP/HTTPS from the internet while blocking all other inbound traffic.
Application tier NACLs allow traffic only from the web subnet on specific ports. Database subnet NACLs restrict access exclusively to the application subnet on database ports, preventing direct internet or web tier access.
Organizations commonly configure ephemeral ports (1024-65535) for outbound traffic in Network ACLs. This configuration supports established connection responses without creating persistent openings.
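The evaluation order described under Rule Evaluation Process and the three-tier layout above, modelled as an added example: this is illustrative Python written for this page, not AWS code or an AWS API. The subnet CIDRs (10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24), the 8080 application port, the 3306 database port and the 198.51.100.0/24 blocklist entry are constructed assumptions; the ephemeral range 1024-65535 and the rule-100/port-443 example come from the text. The check is stateless on purpose: the request and the response are filtered by separate rules, and both must match an ALLOW.

```python
"""Stateless NACL evaluation, modelled in Python.

Added example, not AWS code. Subnet CIDRs, the 8080 application port and the
3306 database port are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Every NACL ends with a catch-all "*" rule that denies anything unmatched.
IMPLICIT_DENY = ("*", "DENY")


@dataclass(frozen=True)
class Rule:
    number: int      # evaluation order: lowest number is consulted first
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source for inbound rules, destination for outbound rules
    port_from: int
    port_to: int
    action: str      # "ALLOW" or "DENY"

    def matches(self, protocol, ip, port):
        if self.protocol not in ("all", protocol):
            return False
        if ip_address(ip) not in ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules, protocol, ip, port):
    """Return (rule_number, action) of the first match in ascending rule order.

    Processing stops at the first match; nothing later is consulted, so a
    low-numbered DENY shadows any higher-numbered ALLOW for the same traffic.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, ip, port):
            return (rule.number, rule.action)
    return IMPLICIT_DENY


@dataclass
class Nacl:
    inbound: list
    outbound: list


def connection_allowed(nacl, protocol, remote_ip, service_port, client_port):
    """Stateless check from the serving subnet's point of view.

    The request (inbound to service_port) and the response (outbound to the
    client's ephemeral port) are filtered independently; both must be allowed.
    The client's own subnet needs the mirror-image pair of rules.
    """
    request = evaluate(nacl.inbound, protocol, remote_ip, service_port)
    response = evaluate(nacl.outbound, protocol, remote_ip, client_port)
    return request[1] == "ALLOW" and response[1] == "ALLOW"


# Constructed three-tier layout: web 10.0.1.0/24, app 10.0.2.0/24, db 10.0.3.0/24.
EPHEMERAL = (1024, 65535)

WEB = Nacl(
    inbound=[Rule(100, "tcp", "0.0.0.0/0", 80, 80, "ALLOW"),
             Rule(110, "tcp", "0.0.0.0/0", 443, 443, "ALLOW")],
    outbound=[Rule(100, "tcp", "0.0.0.0/0", *EPHEMERAL, "ALLOW")],
)
APP = Nacl(  # only the web subnet may reach the (assumed) 8080 application port
    inbound=[Rule(100, "tcp", "10.0.1.0/24", 8080, 8080, "ALLOW")],
    outbound=[Rule(100, "tcp", "10.0.1.0/24", *EPHEMERAL, "ALLOW")],
)
DB = Nacl(  # only the app subnet may reach the (assumed) 3306 database port
    inbound=[Rule(100, "tcp", "10.0.2.0/24", 3306, 3306, "ALLOW")],
    outbound=[Rule(100, "tcp", "10.0.2.0/24", *EPHEMERAL, "ALLOW")],
)

# An explicit DENY numbered below the allows blocks a known-bad range first
# (198.51.100.0/24 is a documentation range, used here as a constructed entry).
WEB_WITH_BLOCK = Nacl(
    inbound=[Rule(50, "tcp", "198.51.100.0/24", 0, 65535, "DENY")] + WEB.inbound,
    outbound=WEB.outbound,
)


if __name__ == "__main__":
    print(evaluate(WEB.inbound, "tcp", "203.0.113.7", 443))              # (110, 'ALLOW')
    print(evaluate(WEB.inbound, "tcp", "203.0.113.7", 22))               # ('*', 'DENY')
    print(connection_allowed(DB, "tcp", "10.0.2.15", 3306, 40000))       # True
    print(connection_allowed(DB, "tcp", "10.0.1.15", 3306, 40000))       # False: web tier blocked
    print(evaluate(WEB_WITH_BLOCK.inbound, "tcp", "198.51.100.9", 443))  # (50, 'DENY')
```

The same evaluator shows why a missing outbound ephemeral rule breaks an otherwise permitted service: remove the outbound rule from `DB` and `connection_allowed` returns False even though the inbound 3306 rule still matches.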
Risks and Limitations
Network ACLs cannot filter traffic between resources within the same subnet. Security groups must handle instance-to-instance traffic inspection within subnet boundaries.
Misconfigured NACLs can inadvertently block legitimate traffic, causing application connectivity failures. The stateless nature demands careful planning of bidirectional rule pairs for allowed communication paths.
Network ACLs do not filter traffic destined for AWS services via VPC endpoints. VPC endpoints use separate security policies independent of subnet NACLs.
Performance impact exists at scale when processing hundreds of NACL rules per subnet. Rule ordering becomes critical for maintaining predictable packet processing latency.
Network ACLs vs Security Groups
Network ACLs and Security Groups serve distinct but complementary functions in AWS security architecture. Understanding their differences guides proper implementation decisions.
Security Groups operate at the instance level with stateful filtering, automatically allowing return traffic for established connections. Network ACLs filter at the subnet level with stateless evaluation requiring explicit bidirectional rules.
Security Groups apply only to instances that explicitly associate with them. Network ACLs apply automatically to all instances within associated subnets without per-instance configuration.
What to Watch
Monitor NACL rule changes through AWS CloudTrail for security audit compliance. Unexpected rule modifications often indicate misconfiguration or unauthorized access attempts requiring immediate investigation.
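Added example of the CloudTrail monitoring just described, written for this page rather than taken from AWS tooling. It flags the EC2 API calls that create, modify, delete or re-associate a NACL, raises severity when the caller is outside an approved change role or when a new ALLOW rule is open to 0.0.0.0/0, and keeps refused attempts visible. The records are constructed to mimic the shape of CloudTrail management events; the account ID, ARNs, NACL ID and the `NetworkChangeRole` name are fake.

```python
"""Flag Network ACL changes in CloudTrail records.

Added example, not AWS tooling. The records below are constructed to mimic the
shape of CloudTrail management events; account IDs, ARNs and NACL IDs are fake.
"""
import json

# CloudTrail records EC2 API calls under eventName; these are the calls that
# create, modify, delete or re-associate a NACL or one of its rules.
NACL_MUTATIONS = {
    "CreateNetworkAcl", "DeleteNetworkAcl",
    "CreateNetworkAclEntry", "ReplaceNetworkAclEntry", "DeleteNetworkAclEntry",
    "ReplaceNetworkAclAssociation",
}


def classify_nacl_event(event, approved_principals):
    """Return an alert dict for a NACL-mutating event, or None for anything else."""
    if event.get("eventSource") != "ec2.amazonaws.com":
        return None
    name = event.get("eventName")
    if name not in NACL_MUTATIONS:
        return None

    actor = event.get("userIdentity", {}).get("arn", "<unknown>")
    params = event.get("requestParameters") or {}
    severity, reasons = "medium", []

    # Any NACL change is audit-worthy; one from outside the change process is more so.
    if actor not in approved_principals:
        severity = "high"
        reasons.append("actor is not an approved change principal")

    # A new or replaced ALLOW open to the whole internet widens the subnet perimeter.
    if name in ("CreateNetworkAclEntry", "ReplaceNetworkAclEntry") \
            and params.get("ruleAction") == "allow" \
            and params.get("cidrBlock") == "0.0.0.0/0":
        severity = "high"
        reasons.append("allow rule open to 0.0.0.0/0")

    # Failed attempts still show someone trying to alter the perimeter.
    if event.get("errorCode"):
        reasons.append("API call failed with %s" % event["errorCode"])

    return {
        "time": event.get("eventTime"),
        "event": name,
        "actor": actor,
        "nacl": params.get("networkAclId"),
        "rule": params.get("ruleNumber"),
        "severity": severity,
        "reasons": reasons,
    }


def nacl_change_alerts(records, approved_principals):
    alerts = [classify_nacl_event(ev, approved_principals) for ev in records]
    return [a for a in alerts if a is not None]


APPROVED = {"arn:aws:sts::111122223333:assumed-role/NetworkChangeRole/deploy"}

# Constructed sample: one read-only call, one approved change, one unapproved
# change that opens 0.0.0.0/0, and one unapproved delete attempt that was refused.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2024-05-01T09:00:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeNetworkAcls",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/auditor"}},
 {"eventTime": "2024-05-01T09:05:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "CreateNetworkAclEntry",
  "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/NetworkChangeRole/deploy"},
  "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 120,
   "egress": false, "protocol": "6", "ruleAction": "allow", "cidrBlock": "10.0.1.0/24",
   "portRange": {"from": 8080, "to": 8080}}},
 {"eventTime": "2024-05-01T09:07:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "ReplaceNetworkAclEntry",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 100,
   "egress": false, "protocol": "-1", "ruleAction": "allow", "cidrBlock": "0.0.0.0/0"}},
 {"eventTime": "2024-05-01T09:08:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DeleteNetworkAclEntry", "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
  "requestParameters": {"networkAclId": "acl-0123456789abcdef0", "ruleNumber": 50,
   "egress": false}}
]""")


if __name__ == "__main__":
    for alert in nacl_change_alerts(SAMPLE_RECORDS, APPROVED):
        print(alert["severity"].upper(), alert["event"], alert["actor"], alert["reasons"])
```

In a real deployment the same classifier would run over events delivered from CloudTrail (for example via an S3 bucket or an EventBridge rule) and the approved-principal set would come from the organization's change-management configuration.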
Default NACLs permit all traffic, creating potential security gaps if organizations unknowingly use default configurations. Always create custom NACLs with explicit deny rules for production environments.
Rule number spacing facilitates future insertions without renumbering entire rule sets. Leave gaps between rule numbers (100, 200, 300) to accommodate additional rules without disrupting existing configurations.
Frequently Asked Questions
Can Network ACLs filter traffic between two EC2 instances in the same subnet?
No, Network ACLs filter traffic crossing subnet boundaries only. Traffic between instances within the same subnet bypasses NACL evaluation entirely.
What happens when a packet matches multiple NACL rules?
The rule with the lowest number takes precedence, and processing stops immediately upon the first match.
Are Network ACLs required for VPC security?
No, Network ACLs are optional. Security groups alone provide sufficient security for many architectures, though defense-in-depth strategies benefit from both layers.
How many rules can a Network ACL contain?
Each Network ACL supports up to 40 rules—20 inbound and 20 outbound. AWS supports increased limits through service quotas upon request.
Do Network ACLs support blocking specific IP addresses?
Yes, explicit DENY rules can block traffic from specific IP addresses or CIDR ranges before allow rules process the traffic.
Can I associate one NACL with multiple subnets?
Yes, a single NACL can associate with multiple subnets within the same VPC, enabling consistent security policies across network segments.
What is the difference between implicit and explicit deny in Network ACLs?
Implicit deny exists when no rule matches incoming traffic—it automatically blocks the packet. Explicit deny uses a rule with DENY action to block specific matching traffic.
Do Network ACLs affect traffic to AWS services like S3?
Traffic through VPC endpoints bypasses NACLs. Endpoint security requires separate endpoint policies and security group configurations.