user829174
Reputation: 6362
Amazon VPC NACL default rules evaluation order
With my understanding, NACL (Network Access Control List) is the subnet firewall.
I'm trying to understand what are the defaults when creating a NACL:
- Rule #100 - all ports from all IPs are allowed by default, otherwise
- All is denied
So, bottom line, is all allowed or denied? I know that according to AWS best practices, all access should be disabled by default.
Upvotes: 10
Views: 8339
Answers (1)
John Rotenstein
Reputation: 269490
The rules are evaluated in number order.
As soon as the traffic matches the rule, the Allow/Deny is applied and evaluation ends.
Therefore, the default rule that you show above Allows all traffic. Nothing falls through to the default rule.
This numbered logic is handy for something like this, that denies ICMP traffic, then allows everything else:
Here's one that uses the default rule to only allow HTTPS:
Upvotes: 16
Related Questions
- Why is AWS NACL stateless?
- ACLs Configuration
- IAM policies related to default VPC creation
- Using NACL to Block traffic
- NAT instance and NACL configurations
- Does a security group rule overide NACL in VPC?
- How to create NACL for private subnets?
- AWS NACL - Only works if 0.0.0.0/0 is allowed in incoming and outbound rules
- Why can't I use VPC NACL on tightening up the security?
- Amazon VPC NACL not permitting access on ports 80 and 443