Recall & Review
beginner
What is a Network ACL in AWS?
A Network ACL (Access Control List) is a security layer for your VPC that controls inbound and outbound traffic at the subnet level. It acts like a firewall to allow or deny traffic based on rules.
intermediate
How does a Network ACL differ from a Security Group?
Network ACLs control traffic at the subnet level and are stateless, meaning return traffic must be explicitly allowed. Security Groups control traffic at the instance level and are stateful, automatically allowing return traffic.
beginner
What does it mean that Network ACLs are stateless?
Stateless means that Network ACLs do not remember previous traffic. If you allow inbound traffic, you must also allow outbound traffic explicitly for the response to pass.
intermediate
What is the default rule behavior in a Network ACL?
The default network ACL that AWS creates with a VPC allows all inbound and outbound traffic (when an IPv6 CIDR block is associated with the VPC, matching allow-all IPv6 rules are added automatically). A custom network ACL you create has no numbered rules, so it denies all inbound and outbound traffic until you add some. Every network ACL also ends with a fixed rule, shown as *, that denies any traffic no numbered rule matched; it cannot be edited or removed. Numbered rules are evaluated in ascending order.
beginner
How are Network ACL rules evaluated?
Rules are evaluated in ascending rule-number order, and the first rule that matches the traffic is applied; later rules are not consulted. If no numbered rule matches, the final * rule denies the traffic. Inbound and outbound rule lists are evaluated independently of each other.
What level does a Network ACL control traffic in AWS?
A. Subnet level
B. Instance level
C. Region level
D. Availability zone level
Answer: A
Network ACLs control traffic at the subnet level, filtering traffic entering and leaving subnets.
Which statement about Network ACLs is true?
A. They are stateless and require explicit rules for return traffic.
B. They are stateful and automatically allow return traffic.
C. They only control outbound traffic.
D. They replace Security Groups.
Answer: A
Network ACLs are stateless, so return traffic must be explicitly allowed by rules.
If no Network ACL rule matches the traffic, what happens?
A. Traffic is allowed by default.
B. Traffic is denied by default.
C. Traffic is logged but allowed.
D. Traffic is redirected to a Security Group.
Answer: B
The fixed * rule at the end of every network ACL denies any traffic that does not match a numbered rule.
How are Network ACL rules processed?
A. All rules are processed simultaneously.
B. Rules are processed randomly.
C. Rules are processed in order from lowest to highest number.
D. Only the highest numbered rule is processed.
Answer: C
Rules are evaluated in order, starting with the lowest numbered rule; the first match decides the outcome.
What is the behavior of the default Network ACL for IPv4 traffic?
A. Allow outbound only.
B. Deny all inbound and outbound traffic.
C. Allow inbound only.
D. Allow all inbound and outbound traffic.
Answer: D
The default network ACL created with a VPC allows all inbound and outbound IPv4 traffic. A custom network ACL, by contrast, denies everything until you add rules.
Explain how Network ACLs control traffic in an AWS VPC and how they differ from Security Groups.
Think about where the rules apply and how traffic return is handled.
Describe the rule evaluation process in Network ACLs and what happens if no rule matches the traffic.
Consider the order and default behavior.
Practice
1. What is the primary purpose of a Network ACL in AWS?
easy
A. To monitor application performance
B. To manage user permissions for AWS services
C. To store data securely in the cloud
D. To control inbound and outbound traffic at the subnet level
Solution
Step 1: Understand Network ACL function
Network ACLs act as a firewall controlling traffic entering and leaving subnets.
Step 2: Identify correct purpose
They specifically control inbound and outbound traffic at the subnet level, not user permissions or data storage.
Final Answer:
To control inbound and outbound traffic at the subnet level -> Option D
Quick Check:
Network ACL = subnet traffic control
Hint: Network ACLs control subnet traffic, not users or data
Common Mistakes:
Confusing Network ACLs with IAM permissions
Thinking Network ACLs store data
Assuming Network ACLs monitor performance
2. Which of the following is the correct way to define a rule in a Network ACL?
easy
A. User name, password, access level, allow or deny
B. Instance ID, security group, IP address, allow or deny
C. Rule number, protocol, port range, source/destination, allow or deny
D. Subnet ID, route table, gateway, allow or deny
Solution
Step 1: Recall Network ACL rule components
Network ACL rules include a rule number, protocol, port range, source or destination IP, and action (allow or deny).
Step 2: Match correct option
Rule number, protocol, port range, source/destination, allow or deny lists these components correctly; other options mention unrelated elements like user credentials or instance IDs.
Final Answer:
Rule number, protocol, port range, source/destination, allow or deny -> Option C
Quick Check:
Network ACL rule = numbered rule with protocol, ports, CIDR and action
Hint: Network ACL rules use numbers, protocols, ports, and allow/deny
Common Mistakes:
Mixing user credentials with ACL rules
Confusing security groups with ACL rules
Using subnet or route info as rule components
3. Given a Network ACL with the following inbound rules: Rule 100: Allow TCP port 80 from 0.0.0.0/0; Rule 110: Deny all traffic. What happens to an incoming TCP request on port 80 from IP 192.168.1.1?
medium
A. The request is allowed because rule 100 permits it
B. The request is denied because rule 110 denies all traffic
C. The request is ignored due to missing rule for port 80
D. The request causes an error in the Network ACL
Solution
Step 1: Understand rule evaluation order
Network ACLs evaluate rules by ascending rule number. Rule 100 is checked before 110.
Step 2: Apply rules to the request
Rule 100 allows TCP port 80 from any IP, so the request from 192.168.1.1 is allowed before rule 110 denies all.
Final Answer:
The request is allowed because rule 100 permits it -> Option A
Quick Check:
An allow at a lower rule number wins over a deny at a higher number
Hint: Rules are checked in order; the first match decides allow or deny
Common Mistakes:
Assuming deny all overrides allow rules
Ignoring rule number order
Thinking missing rules cause errors
4. You created a Network ACL with these rules: Rule 100: Allow inbound TCP port 22 from 10.0.0.0/16; Rule 110: Deny all inbound traffic. SSH connections from 10.0.1.5 are failing. What is the likely problem?
medium
A. The Network ACL is stateless and has no outbound allow rule for the return traffic
B. The security group attached to the instance denies SSH
C. The subnet does not have a route to the internet
D. The IP 10.0.1.5 is outside the allowed range
Solution
Step 1: Recall Network ACL stateless behavior
Network ACLs are stateless, so the server's replies must be explicitly allowed by outbound rules; nothing is allowed automatically because the inbound request was accepted.
Step 2: Analyze rules and failure cause
Inbound SSH from 10.0.1.5 matches rule 100 and is allowed, but a custom Network ACL has no outbound rules until you add them, so every reply hits the final * rule and is dropped; the TCP handshake never completes. Note that the reply does not go to port 22: it goes from port 22 to the client's ephemeral source port (typically 1024-65535), so the outbound rule must allow TCP 1024-65535 to 10.0.0.0/16, not port 22.
Final Answer:
The Network ACL is stateless and has no outbound allow rule for the return traffic -> Option A
Quick Check:
Stateless ACLs need inbound rules for the request and outbound rules for the reply (ephemeral ports)
Hint: Stateless ACLs need both inbound and outbound rules
Common Mistakes:
Assuming ACLs are stateful like security groups
Ignoring outbound rules for return traffic
Mistaking IP range or subnet routing as cause
5. You want to block all HTTP traffic (port 80) to a subnet except from a specific IP 203.0.113.5 using Network ACLs. Which rule set achieves this?
hard
A. Rule 100: Deny TCP port 80 from 0.0.0.0/0; Rule 110: Allow TCP port 80 from 203.0.113.5; Rule 120: Allow all other traffic
B. Rule 100: Allow TCP port 80 from 203.0.113.5; Rule 110: Deny TCP port 80 from 0.0.0.0/0; Rule 120: Allow all other traffic
C. Rule 100: Allow all traffic; Rule 110: Deny TCP port 80 from 0.0.0.0/0
D. Rule 100: Deny all traffic; Rule 110: Allow TCP port 80 from 203.0.113.5
Solution
Step 1: Understand rule evaluation order
Network ACLs evaluate rules by ascending number; first matching rule applies.
Step 2: Analyze rules for desired effect
Rule 100 allows port 80 only from 203.0.113.5. Rule 110 denies port 80 from all others. Rule 120 allows other traffic.
Step 3: Confirm correct blocking and allowing
This setup blocks HTTP except from the specific IP, matching the requirement. Option A fails because the deny at rule 100 matches 203.0.113.5 before the allow at 110 is reached; options C and D either allow everything first or block all non-HTTP traffic as well. Because the ACL is stateless, the outbound rules must still allow the replies to 203.0.113.5 on ephemeral ports for the HTTP session to work.
Final Answer:
Rule 100: Allow TCP port 80 from 203.0.113.5; Rule 110: Deny TCP port 80 from 0.0.0.0/0; Rule 120: Allow all other traffic -> Option B
Quick Check:
Allow the specific IP first, then deny the others
Hint: Allow the specific IP first, then deny all others
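The three practice scenarios above all come down to the same two rules: first match in ascending rule-number order (with the fixed * rule denying everything else), and stateless evaluation of inbound and outbound traffic. The following is an added example written for this page, not AWS code and not part of the original material; it models those rules in plain Python and replays questions 3, 4 and 5 through the model. The Rule and Packet classes, the 1024-65535 ephemeral range and the client addresses and ports are assumptions made for the illustration.

```python
"""Model of how an AWS Network ACL evaluates a packet (added example; not AWS code).

Rules are tried in ascending rule-number order and the first match wins; a packet
no numbered rule matches hits the fixed '*' rule and is denied; and the ACL is
stateless, so a TCP reply leaving the subnet is judged by the outbound rules on
its own, with the client's ephemeral port as its destination port.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed ephemeral range: the source port a client picks for a new connection,
# and therefore the destination port of the server's reply.
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Rule:
    number: int      # rule number; lower numbers are evaluated first
    protocol: str    # "tcp", "udp" or "all"
    ports: tuple     # (low, high) destination port range; ignored for "all"
    cidr: str        # source CIDR for an inbound rule, destination CIDR for outbound
    action: str      # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    remote: str      # source IP of an inbound packet, destination IP of an outbound one


def evaluate(rules, pkt):
    """Return (action, rule_number) of the first rule matching pkt,
    or ("deny", "*") when no numbered rule matches."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all":
            if rule.protocol != pkt.protocol:
                continue
            if not rule.ports[0] <= pkt.dst_port <= rule.ports[1]:
                continue
        if ip_address(pkt.remote) not in ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", "*"


def tcp_session_allowed(inbound, outbound, client_ip, server_port, client_port):
    """Stateless check: the request must pass the inbound rules AND the reply
    must pass the outbound rules. Returns (ok, request_verdict, reply_verdict)."""
    request = evaluate(inbound, Packet("tcp", server_port, client_ip))
    reply = evaluate(outbound, Packet("tcp", client_port, client_ip))
    return request[0] == "allow" and reply[0] == "allow", request, reply


DENY_ALL = Rule(110, "all", (0, 65535), "0.0.0.0/0", "deny")


def question_3():
    """Allow TCP 80 from anywhere at 100, deny all at 110; request on port 80."""
    inbound = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"), DENY_ALL]
    return evaluate(inbound, Packet("tcp", 80, "192.168.1.1"))


def question_4(add_ephemeral_rule):
    """Inbound allows SSH from 10.0.0.0/16, but a custom ACL starts with no
    outbound rules, so the reply to the client hits '*' and is dropped.
    An outbound allow for TCP 1024-65535 to the client range fixes it; an
    outbound rule for port 22 would not, because the reply's destination port
    is the client's ephemeral port (51234 here, a constructed value)."""
    inbound = [Rule(100, "tcp", (22, 22), "10.0.0.0/16", "allow"), DENY_ALL]
    outbound = []
    if add_ephemeral_rule:
        outbound.append(Rule(100, "tcp", EPHEMERAL, "10.0.0.0/16", "allow"))
    return tcp_session_allowed(inbound, outbound, "10.0.1.5", 22, 51234)


def question_5(option):
    """Inbound rule sets for options A and B; only the order of the two port-80
    rules differs, and that order decides whether 203.0.113.5 gets through."""
    allow_rest = Rule(120, "all", (0, 65535), "0.0.0.0/0", "allow")
    if option == "A":  # broad deny first: the host-specific allow is never reached
        return [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "deny"),
                Rule(110, "tcp", (80, 80), "203.0.113.5/32", "allow"), allow_rest]
    return [Rule(100, "tcp", (80, 80), "203.0.113.5/32", "allow"),
            Rule(110, "tcp", (80, 80), "0.0.0.0/0", "deny"), allow_rest]


if __name__ == "__main__":
    print("Q3:", question_3())
    print("Q4 as written:", question_4(False))
    print("Q4 with ephemeral egress rule:", question_4(True))
    for opt in ("A", "B"):
        rules = question_5(opt)
        print(f"Q5 option {opt}:",
              evaluate(rules, Packet("tcp", 80, "203.0.113.5")),
              evaluate(rules, Packet("tcp", 80, "198.51.100.7")),
              evaluate(rules, Packet("tcp", 443, "198.51.100.7")))
```

Running the script shows question 4 failing with the reply denied by * and succeeding once the ephemeral-port egress rule is added, and shows option A of question 5 denying 203.0.113.5 at rule 100 while option B allows it at rule 100 and denies everyone else at 110. The model ignores ICMP type/code matching and IPv6, which real network ACL rules also support.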