1. Home
  2. Training Library
  3. Networking (PAS-C01)

Network Access Control Lists (NACLs)

Contents

keyboard_tab
Course Introduction
1
Introduction
PREVIEW3m 3s
VPC Fundamentals
2
What is a VPC?
PREVIEW2m 25s
3
Subnets
PREVIEW16m 20s
VPC Security and Control
VPC Connectivity
AWS Transit Gateway
Networking and VPC for SAP on AWS
DNS & Content Delivery on AWS
18
Amazon Route 53
PREVIEW6m 12s
Network Access Control Lists (NACLs)
Overview
Difficulty
Beginner
Duration
2h 16m
Students
44
Ratings
5/5
starstarstarstarstar
Description

In this section of the AWS Certified: SAP on AWS Specialty learning path, we introduce you to the various Networking services currently available in AWS that are relevant to the PAS-C01 exam.

Learning Objectives

  • Identify and describe the various Networking services available in AWS
  • Describe how to configure an Amazon Virtual Private Cloud (VPC)
  • Understand how to control network traffic via Security Groups and Network Access Control Lists (NACLs)
  • Describe AWS-managed services for Domain Name System (DNS) and Content Delivery Network (CDN)
  • Understand how the AWS global infrastructure is used in conjunction with services like Route 53, CloudFront, and the AWS Global Accelerator to reduce latency and improve application performance for end-users
  • Identify networking and VPC configuration options for SAP environments running on AWS

Prerequisites

The AWS Certified: SAP on AWS Specialty certification has been designed for anyone who has experience managing and operating SAP workloads. Ideally you’ll also have some exposure to the design and implementation of SAP workloads on AWS, including migrating these workloads from on-premises environments. Many exam questions will require a solutions architect level of knowledge for many AWS services, including AWS Networking services. All of the AWS Cloud concepts introduced in this course will be explained and reinforced from the ground up.

Transcript

Security is a key part of any deployment within AWS, and managing security around your virtual private cloud is no different. So I want to talk to you about a couple of different components here. 

Firstly, I want to talk to you about NACLs which are network access control lists. Now these are essentially virtual network-level firewalls that are associated to each and every subnet, and they help to control both ingress and egress traffic moving in and out of your VPC and between your subnets. So let's just quickly draw out our VPC. Very simple, and let's just draw in a public subnet for example. So this is going to be public. Up here, we'll have our internet gateway attached to our VPC, and obviously, we have a route out to the gateway, which then communicates with the internet. 

So what we can do here to help maintain security is to configure the network access control list associated to this subnet. Now much like route tables, whenever you create a new subnet, it will also associate a network access control list. Now by default, this NACL will allow all traffic, both inbound and outbound, so it's not very secure, so it's a really good practice to configure your NACLs to only allow the traffic that you want to come in and out of your subnet. 

Now with this being a public subnet, we'll probably have some web servers in here talking over HTTP and HTTPS, so let's look at the inbound network access control list that could be associated to this subnet. Now as you can see, there's a number of different fields. We have the rule number, the type, the protocol, port range, source, and allow or deny. Now the rule numbers allow you to specify what order the rules will appear inside the NACL, and as soon as traffic hits one of these rule where it matches all of the type, protocol, port range, and source, et cetera, it will carry out the action at the end, whether that is allow or deny. 

So let's look at the requirements required to match this rule here. The type of traffic will need to be HTTP under port 80 using the TCP protocol, and again, the port range is 80 as that's what used for HTTP. Now the source can be any IP address, so any IP address running HTTP coming into our subnet will be allowed. So as long as they're running this protocol, then the traffic will be allowed inbound into our public subnet. 

Now let's look at the second rule. Now the second rule uses HTTPS using the TCP protocol using port 443, and again, any source, and the action will be allowed. Now the last rule here, now this is a default rule that's applied at the end of every network access control list, and that's why it doesn't have a rule number, and it states that all traffic using any protocol in any port range from any IP address, then deny that access. So this rule is kind of a cover rule. So basically, what that allows you to do is ensure that any traffic that doesn't meet the rules that you've entered is deleted and denied access to your subnet. 

So with this in mind, the only traffic allowed in our public subnet is essentially HTTP and HTTPS, which is exactly what we want for our web servers here, and all other traffic will be denied. So that's the inbound NACL. Let's now take a look at the outbound. Now the field types are all exactly the same other than this one here. This has a destination whereas on the inbound, it has the source. So on the outbound, we restrict traffic against its destination. 

So the first rule we have here says any traffic using any protocol in any port range going to any destination, then allow that traffic. Anything else should be denied, but in this case, there won't be anything else because this outbound rule is essentially saying send any traffic you want to using any protocol out from this subnet to any destination. 

Now an important point to make about NACLs is that they are stateless, and this means that any response traffic generated from a request will have to be explicitly allowed and configured in either the inbound or the outbound ruleset, depending on where the response is coming from. Now again, much like route tables, you can have the same NACL applied to a number of subnets, but only a single NACL can be associated to one subnet. So network access control lists are a great way to control traffic that comes into and out of a particular subnet. 

Let me now talk about security groups, and these are another method of controlling traffic, but this time, they work at the instance level rather than the network level like NACLs do.

About the Author
Students
198934
Labs
1
Courses
192
Learning Paths
132

Stuart has been working within the IT industry for two decades covering a huge range of topic areas and technologies, from data center and network infrastructure design, to cloud architecture and implementation.

To date, Stuart has created 150+ courses relating to Cloud reaching over 180,000 students, mostly within the AWS category and with a heavy focus on security and compliance.

Stuart is a member of the AWS Community Builders Program for his contributions towards AWS.

He is AWS certified and accredited in addition to being a published author covering topics across the AWS landscape.

In January 2016 Stuart was awarded ‘Expert of the Year Award 2015’ from Experts Exchange for his knowledge share within cloud services to the community.

Stuart enjoys writing about cloud technologies and you will find many of his articles within our blog pages.