Understanding Network ACLs in AWS VPC

all aws aws networking aws vpc Feb 16, 2024


When working with AWS VPC (Virtual Private Cloud), one of the fundamental components we'll encounter is the Network Access Control List (Network ACL or NACL). It plays a crucial role in helping us secure our AWS environment by controlling the traffic that enters and exits our subnets. In this blog post, we'll break down what Network ACLs are, how they work, and some best practices for using them effectively.

What is a Network ACL?

A Network ACL is an optional layer of security for our VPC that acts as a firewall for controlling traffic at the subnet level. Unlike security groups that operate at the instance level, Network ACLs examine and filter traffic entering and leaving every subnet within our VPC. They provide an additional layer of security to our cloud environment.

How Does a Network ACL Work?

Network ACLs work by evaluating traffic based on rules that we define. These rules either allow or deny traffic based on various criteria, such as IP address, port number, and protocol type. Here's a simplified breakdown of how it works:

  1. Inbound and Outbound Rules: Network ACLs contain separate lists of inbound and outbound traffic rules. Inbound rules control the traffic coming into the subnet, while outbound rules manage the traffic leaving the subnet.

  2. Stateless Nature: Unlike security groups, Network ACLs are stateless. This means that they do not automatically allow return traffic. We must explicitly define both inbound and outbound rules for the traffic we want to permit or deny.

  3. Rule Evaluation: Rules in a Network ACL are processed in numerical order, starting with the lowest number (highest priority). As soon as a rule matches the traffic, it's either allowed or denied, and no further rules are evaluated.

  4. Default and Custom Network ACLs: Every VPC comes with a default Network ACL that allows all inbound and outbound traffic. We can create custom Network ACLs with rules that fit your specific security requirements.

Default rules

Every VPC comes with a default Network ACL that allows all inbound and outbound traffic.

Default inbound rules

Default outbound rules

Subnet Association with Network ACLs

Network ACLs are stateless filters that control inbound and outbound traffic at the subnet level. Each subnet in your VPC must be associated with a Network ACL; if not explicitly associated, it uses the VPC's default Network ACL.

How Subnet Association Works with Network ACLs:

  • One-to-One Relationship: While a Network ACL can be associated with multiple subnets, a subnet can only be associated with one Network ACL at a time.
  • Traffic Filtering: We can implement varied access control policies across our VPC by associating different Network ACLs with different subnets. This is particularly useful for creating demarcated zones within our VPC, such as a public-facing web server zone with more permissive access and a database zone with restricted access.
  • Default association: By default, when a subnet is created in an AWS VPC, it is automatically associated with the VPC's default NACL. We can, however, create a new NACL and change the association. 

Best Practices for Using Network ACLs

To make the most of Network ACLs in securing your AWS environment, consider the following best practices:

  1. Least Privilege Principle: Apply the least privilege principle by only allowing traffic that is necessary for your application to function. Deny all other traffic by default.

  2. Separate Environments: Use different Network ACLs for different subnets that host various parts of your environment, such as development, testing, and production. This separation enhances security by limiting potential attack surfaces.

  3. Log and Monitor Traffic: Utilize AWS CloudWatch and VPC Flow Logs to monitor and log the traffic that your Network ACLs allow and deny. This can help you identify and respond to suspicious activities quickly.

  4. Regularly Review Rules: As your environment changes, regularly review and update our Network ACL rules to ensure they still meet our security needs.

  5. Emergency Blocks: In case of an attack or suspicious activity, we can quickly update a Network ACL to block the specific traffic, providing an immediate but temporary security measure.


Network ACLs are a powerful tool in your AWS security arsenal, offering an additional layer of protection at the subnet level. By understanding how they work and following best practices, you can significantly enhance the security of your VPC. Remember, security in the cloud is a shared responsibility, and utilizing Network ACLs effectively is a vital part of securing your AWS environment.

Stay connected with news and updates!

Join our mailing list to receive the latest news and updates from our team.
Don't worry, your information will not be shared.

We hate SPAM. We will never sell your information, for any reason.