NACL Cheat Sheet

  • Network Access Control List is commonly known as NACL
  • VPCs are automatically given a default NACL which allows all outbound and inbound traffic.
  • Each subnet within a VPC must be associated with a NACL
  • Subnets can only be associated with 1 NACL at a time. Associating a subnet with a new NACL will remove the previous association.
  • If a NACL is not explicitly associated with a subnet, the subnet will automatically be associated with the default NACL.
  • NACL has inbound and outbound rules (just like Security Groups).
  • Rules can either allow or deny traffic (unlike Security Groups, which can only allow).
  • NACLs are STATELESS: an inbound rule does not automatically permit the matching return traffic, so the reply must be allowed by an outbound rule of its own (and vice versa).
  • When you create a custom NACL, it denies all inbound and outbound traffic by default until you add allow rules.
  • NACLs contain a numbered list of rules that are evaluated in order from lowest to highest; the first rule that matches the traffic decides, and anything that matches no rule hits the implicit deny.
  • If you needed to block a single IP address, you could do so with a NACL deny rule (Security Groups cannot deny).
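To make the ordering and statelessness points concrete, here is an added Python simulation of NACL rule evaluation. It is example code written for this cheat sheet, not AWS code; the rule numbers, ports and IP addresses are constructed (the addresses come from the documentation ranges).

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # evaluated lowest to highest; first match wins
    action: str        # "allow" or "deny"
    protocol: str      # "tcp", "udp" or "all" (ICMP type/code matching is not modelled here)
    cidr: str          # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int = 0
    port_to: int = 65535


def evaluate(rules, protocol, addr, port):
    """Return 'allow' or 'deny' for one packet against one rule list.

    Rules are walked in ascending number order and the first match decides;
    a packet that matches nothing hits the implicit '*' deny at the end.
    """
    packet_addr = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if packet_addr not in ipaddress.ip_network(r.cidr):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        return r.action
    return "deny"


# Constructed inbound rules: the deny for one address (rule 90) must sit
# BELOW the blanket HTTPS allow (rule 100), or the allow would match first.
INBOUND = [
    Rule(100, "allow", "tcp", "0.0.0.0/0", 443, 443),
    Rule(90, "deny", "all", "203.0.113.5/32"),
]

# Because NACLs are stateless, the server's replies (sent to the client's
# ephemeral port) need their own outbound allow; without it the session fails.
OUTBOUND_WITHOUT_EPHEMERAL = []
OUTBOUND_WITH_EPHEMERAL = [Rule(100, "allow", "tcp", "0.0.0.0/0", 1024, 65535)]


def https_session_allowed(client_ip, client_port, outbound_rules):
    """An HTTPS exchange works only if the request AND the reply each pass their own list."""
    request = evaluate(INBOUND, "tcp", client_ip, 443)
    reply = evaluate(outbound_rules, "tcp", client_ip, client_port)
    return request == "allow" and reply == "allow"
```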