Network Access Control List

NACLs act as a virtual firewall at the subnet level.

VPCs automatically get a default NACL.

Subnets are associated with NACLs. A subnet can be associated with only one NACL at a time.

Each NACL contains a set of rules that allow or deny traffic into (inbound) and out of (outbound) its subnets.

The rule number determines the order of evaluation, from lowest to highest; the first matching rule decides. The highest rule number can be 32755, and it's recommended to work in increments of 10 or 100 so rules can be inserted later.

You can allow or deny traffic, and you can block a single IP address (you cannot do this with Security Groups, which only have allow rules).

NACLs - Use Case

We determine that a malicious actor at a specific IP address is trying to access our instances, so we block their IP.

We never need to SSH into our instances, so we add a DENY rule for SSH on these subnets. This is an additional measure in case a Security Group was left with the SSH port open.
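The following simulator is an added example and not AWS code or part of these notes. It models the NACL rule semantics described above (rules evaluated from the lowest number to the highest, first match wins, implicit deny when nothing matches) and applies them to the two use cases: blocking one IP address and denying SSH. The rule sets, the NaclRule type, the evaluate and shadowed_denies helpers, and the IP addresses (198.51.100.23 and 203.0.113.5 are documentation addresses) are all constructed for the illustration.

```python
"""Simulator for AWS network ACL (NACL) rule evaluation.

Added illustration, not AWS code: it models the documented semantics
(ascending rule number, first match wins, implicit '*' deny) so the
use cases above can be checked offline. All rules and IPs are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple, Union


@dataclass(frozen=True)
class NaclRule:
    number: int        # rule number: lower numbers are evaluated first
    protocol: str      # "tcp", "udp", "icmp" or "all"
    port_from: int     # inclusive port range; only checked for tcp/udp
    port_to: int
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)
    action: str        # "allow" or "deny"


def evaluate(rules: Iterable[NaclRule], protocol: str, port: int,
             ip: str) -> Tuple[str, Union[int, str]]:
    """Return (decision, matched rule number) for one packet.

    Rules are tried in ascending number order; the first rule whose
    protocol, port range and CIDR all match decides. If no numbered rule
    matches, the implicit '*' rule denies the packet.
    """
    addr = ipaddress.ip_address(ip)
    ordered = sorted(rules, key=lambda r: r.number)
    if len({r.number for r in ordered}) != len(ordered):
        raise ValueError("rule numbers must be unique within one direction")
    for rule in ordered:
        if rule.protocol != "all" and rule.protocol != protocol:
            continue
        if rule.protocol in ("tcp", "udp") and not (
                rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        return rule.action, rule.number
    return "deny", "*"


def _overlaps(a: NaclRule, b: NaclRule) -> bool:
    """True if some packet could match both rules."""
    if "all" not in (a.protocol, b.protocol) and a.protocol != b.protocol:
        return False
    ports_apply = all(r.protocol in ("tcp", "udp") for r in (a, b))
    if ports_apply and (a.port_to < b.port_from or b.port_to < a.port_from):
        return False
    return ipaddress.ip_network(a.cidr, strict=False).overlaps(
        ipaddress.ip_network(b.cidr, strict=False))


def shadowed_denies(rules: Iterable[NaclRule]) -> List[Tuple[int, int]]:
    """Audit helper (constructed, not an AWS feature): list
    (deny_number, allow_number) pairs where a lower-numbered allow rule
    overlaps a deny rule, so the deny never fires for that traffic."""
    ordered = sorted(rules, key=lambda r: r.number)
    findings = []
    for i, deny in enumerate(ordered):
        if deny.action != "deny":
            continue
        for allow in ordered[:i]:
            if allow.action == "allow" and _overlaps(allow, deny):
                findings.append((deny.number, allow.number))
    return findings


# Constructed inbound rule set for the two use cases: block one malicious
# IP, deny SSH from anywhere, allow HTTPS from anywhere. The denies use
# low numbers so they are evaluated before the broad allow.
INBOUND = [
    NaclRule(10, "all", 0, 65535, "198.51.100.23/32", "deny"),
    NaclRule(20, "tcp", 22, 22, "0.0.0.0/0", "deny"),
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Same intent, but the IP block was numbered after the HTTPS allow, so
# HTTPS traffic from the blocked address is allowed by rule 100 first.
MISORDERED = [
    NaclRule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    NaclRule(200, "all", 0, 65535, "198.51.100.23/32", "deny"),
    NaclRule(210, "tcp", 22, 22, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for name, rules in (("INBOUND", INBOUND), ("MISORDERED", MISORDERED)):
        print(name, "HTTPS from blocked IP:",
              evaluate(rules, "tcp", 443, "198.51.100.23"))
        print(name, "SSH from anyone:", evaluate(rules, "tcp", 22, "203.0.113.5"))
        print(name, "shadowed denies:", shadowed_denies(rules))
```

The misordered set shows why rule numbers matter: the deny for the malicious IP is still present, but HTTPS from that address is allowed because rule 100 matches first. One further caveat the simulator does not model: NACLs are stateless, so response traffic is not automatically permitted, and the outbound direction (including ephemeral ports) needs its own rules.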