AWS / Cloud · ~10 mins

Network ACLs overview in AWS - Step-by-Step Execution

Process Flow - Network ACLs overview
Incoming Traffic
  -> Network ACL checks rules (in numeric order)
  -> Rule match?
       No  -> Default Deny
       Yes -> Allow or Deny action of the matching rule
  -> Traffic Allowed or Blocked
  -> Outgoing Traffic
Traffic enters and the Network ACL rules are checked in order. If a rule matches, its allow or deny action applies. If no rule matches, the traffic is denied by default.
Execution Sample
Rule 100: Allow TCP 80 inbound
Rule 110: Deny all inbound
Rule 100: Allow TCP 80 outbound
Rule 110: Deny all outbound
Network ACL rules are evaluated in order by number. Traffic matching an allow rule passes; otherwise, it is denied.
Process Table
Step | Traffic Direction | Packet Details | Rule Evaluated | Rule Action | Result
-----|-------------------|----------------|----------------|-------------|---------
1    | Inbound           | TCP port 80    | 100            | Allow       | Allowed
2    | Inbound           | TCP port 22    | 100            | No match    | Continue
3    | Inbound           | TCP port 22    | 110            | Deny        | Denied
4    | Outbound          | TCP port 80    | 100            | Allow       | Allowed
5    | Outbound          | UDP port 53    | 100            | No match    | Continue
6    | Outbound          | UDP port 53    | 110            | Deny        | Denied
💡 Traffic is allowed or denied based on the first matching rule; if none match, default deny applies.
Status Tracker
Variable       | Start   | After Step 1             | After Step 3            | After Step 4              | After Step 6
---------------|---------|--------------------------|-------------------------|---------------------------|--------------------------
Traffic Status | Pending | Allowed (Inbound TCP 80) | Denied (Inbound TCP 22) | Allowed (Outbound TCP 80) | Denied (Outbound UDP 53)
Key Moments - 3 Insights
Why does inbound TCP port 22 traffic get denied even though there is an allow rule for port 80?
Because rules are checked in order: port 22 does not match allow rule 100, so evaluation continues to rule 110, which denies all other traffic (see Process Table rows 2 and 3).
What happens if no rule matches the traffic?
Traffic is denied by default if no rule matches, as shown by the default deny that follows rule evaluation (see the note below the Process Table).
Are Network ACL rules stateful or stateless?
Network ACLs are stateless, so return traffic must be explicitly allowed by rules in both directions (inbound and outbound).
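As an added example (not code from the original page), the following Python model reproduces the first-match evaluation and default deny shown in the Process Table, then applies the stateless rule above to a request and its reply. The rule numbers and ports are the page's sample set; the reply to ephemeral port 49152 and the extra outbound rule 105 are assumptions made here to show why return traffic needs its own allow rule.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int        # evaluated in ascending order; lowest number first
    protocol: str      # "tcp", "udp" or "all"
    ports: tuple       # inclusive destination-port range, e.g. (80, 80)
    action: str        # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int


def evaluate(rules, packet):
    """First matching rule decides. If nothing matches, the implicit
    catch-all rule ('*') denies the packet: the default deny in the flow."""
    for rule in sorted(rules, key=lambda r: r.number):
        low, high = rule.ports
        if rule.protocol in ("all", packet.protocol) and low <= packet.dst_port <= high:
            return rule.action, rule.number
    return "deny", "*"


def round_trip_allowed(inbound, outbound, request, reply):
    """Stateless: the NACL keeps no connection state, so the request is judged
    by the inbound rules and the reply, separately, by the outbound rules."""
    return (evaluate(inbound, request)[0] == "allow"
            and evaluate(outbound, reply)[0] == "allow")


# The page's sample rule set (constructed here to match the execution sample).
ANY = (0, 65535)
INBOUND = [Rule(100, "tcp", (80, 80), "allow"), Rule(110, "all", ANY, "deny")]
OUTBOUND = [Rule(100, "tcp", (80, 80), "allow"), Rule(110, "all", ANY, "deny")]

# A client request to the web server and the server's reply back to the client's
# ephemeral port (constructed sample packets; 49152 is an arbitrary high port).
REQUEST = Packet("tcp", 80)
REPLY = Packet("tcp", 49152)

# Assumed fix: an outbound allow for the ephemeral range, numbered BELOW the
# deny-all so it is evaluated first (rule number, not list position, decides).
OUTBOUND_FIXED = OUTBOUND + [Rule(105, "tcp", (1024, 65535), "allow")]

if __name__ == "__main__":
    for pkt in (Packet("tcp", 80), Packet("tcp", 22), Packet("udp", 53)):
        print("inbound", pkt, "->", evaluate(INBOUND, pkt))
    print("reply with sample rules:", round_trip_allowed(INBOUND, OUTBOUND, REQUEST, REPLY))
    print("reply with rule 105 added:", round_trip_allowed(INBOUND, OUTBOUND_FIXED, REQUEST, REPLY))
```

With the sample rules alone the reply is denied by rule 110, because outbound rule 100 only matches destination port 80; the request is allowed in, but the answer never leaves the subnet.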
Visual Quiz - 3 Questions
Test your understanding
Looking at the Process Table, what is the result for inbound TCP port 80 traffic at step 1?
A. Denied
B. Allowed
C. No match
D. Continues to next rule
💡 Hint
Check the 'Result' column in Process Table row 1.
At which step does inbound TCP port 22 traffic get denied?
A. Step 3
B. Step 2
C. Step 1
D. Step 4
💡 Hint
Look at the 'Packet Details' and 'Result' columns in Process Table rows 2 and 3.
If rule 110 (deny all) were removed, what would happen to outbound UDP port 53 traffic?
A. Allowed by rule 100
B. Allowed by default
C. Denied by default
D. No change
💡 Hint
Recall that Network ACLs deny traffic by default if no rule matches (see the note below the Process Table).
Concept Snapshot
Network ACLs control traffic at subnet level.
Rules are evaluated in order by number.
First matching rule's allow or deny applies.
If no match, traffic is denied by default.
Network ACLs are stateless; rules needed for both directions.
Full Transcript
Network ACLs are like gatekeepers for your subnet's traffic. When a packet arrives, the ACL checks its rules in order. If the packet matches a rule, it is either allowed or denied based on that rule. If no rules match, the packet is denied by default. This process happens separately for inbound and outbound traffic because Network ACLs do not remember previous decisions (they are stateless). For example, if inbound TCP port 80 traffic arrives, it matches an allow rule and passes. But inbound TCP port 22 traffic does not match the allow rule and is denied by a later deny rule. Outbound traffic is checked similarly. Understanding this step-by-step helps you control your network traffic securely.