Stateless behavior of NACLs in AWS - Commands & Configuration

Introduction
Network Access Control Lists (NACLs) control traffic in and out of a subnet in AWS. They are stateless, meaning they check each request and each response separately, unlike stateful firewalls (and security groups) that remember connections.

Use a NACL:

  • When you want to control traffic entering and leaving a subnet in your AWS VPC.
  • When you need to block specific IP addresses or ranges from accessing your subnet.
  • When you want to allow certain types of traffic but deny others at the subnet level.
  • When you want a simple, fast way to filter traffic without tracking connection states.
  • When you want to add an extra layer of security alongside security groups.
Config File - nacl-rules.json
{
  "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
  "Entries": [
    {
      "RuleNumber": 100,
      "Protocol": "6",
      "RuleAction": "allow",
      "Egress": false,
      "CidrBlock": "0.0.0.0/0",
      "PortRange": {
        "From": 80,
        "To": 80
      }
    },
    {
      "RuleNumber": 110,
      "Protocol": "6",
      "RuleAction": "allow",
      "Egress": true,
      "CidrBlock": "0.0.0.0/0",
      "PortRange": {
        "From": 80,
        "To": 80
      }
    },
    {
      "RuleNumber": 120,
      "Protocol": "-1",
      "RuleAction": "deny",
      "Egress": false,
      "CidrBlock": "192.168.1.0/24"
    },
    {
      "RuleNumber": 130,
      "Protocol": "-1",
      "RuleAction": "deny",
      "Egress": true,
      "CidrBlock": "192.168.1.0/24"
    }
  ]
}

This JSON defines rules for a Network ACL in AWS.

  • RuleNumber: Order of the rule evaluation. Rules are evaluated in ascending order and the first match wins, so in this file rule 100 already allows TCP port 80 from 192.168.1.0/24 before the deny at rule 120 is reached; anything no rule matches is dropped by the implicit final deny rule (*).
  • Protocol: 6 means TCP, -1 means all protocols.
  • RuleAction: allow or deny the traffic.
  • Egress: false for inbound, true for outbound traffic.
  • CidrBlock: IP range the rule applies to (the source for inbound rules, the destination for outbound rules).
  • PortRange: Destination ports to allow or deny (only for TCP/UDP).

Inbound and outbound rules are separate because NACLs are stateless and check each direction independently.

Commands
This command creates an inbound rule allowing TCP traffic on port 80 from any IP address.
Terminal
aws ec2 create-network-acl-entry --network-acl-id acl-0a1b2c3d4e5f6g7h8 --rule-number 100 --protocol 6 --port-range From=80,To=80 --egress false --rule-action allow --cidr-block 0.0.0.0/0
Expected Output
No output (command runs silently)
--egress - Specifies if the rule is for outbound (true) or inbound (false) traffic.
--rule-number - Determines the order in which rules are evaluated.
This command creates an outbound rule allowing TCP traffic on port 80 to any IP address.
Terminal
aws ec2 create-network-acl-entry --network-acl-id acl-0a1b2c3d4e5f6g7h8 --rule-number 110 --protocol 6 --port-range From=80,To=80 --egress true --rule-action allow --cidr-block 0.0.0.0/0
Expected Output
No output (command runs silently)
--egress - True means this rule applies to outbound traffic.
This command shows the current rules of the specified Network ACL to verify the entries.
Terminal
aws ec2 describe-network-acls --network-acl-ids acl-0a1b2c3d4e5f6g7h8
Expected Output
{
  "NetworkAcls": [
    {
      "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
      "Entries": [
        {
          "RuleNumber": 100,
          "Protocol": "6",
          "RuleAction": "allow",
          "Egress": false,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": {
            "From": 80,
            "To": 80
          }
        },
        {
          "RuleNumber": 110,
          "Protocol": "6",
          "RuleAction": "allow",
          "Egress": true,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": {
            "From": 80,
            "To": 80
          }
        },
        {
          "RuleNumber": 120,
          "Protocol": "-1",
          "RuleAction": "deny",
          "Egress": false,
          "CidrBlock": "192.168.1.0/24"
        },
        {
          "RuleNumber": 130,
          "Protocol": "-1",
          "RuleAction": "deny",
          "Egress": true,
          "CidrBlock": "192.168.1.0/24"
        }
      ]
    }
  ]
}
Key Concept

NACLs are stateless, so you must create separate inbound and outbound rules for traffic to flow correctly.

Common Mistakes
  • Creating only inbound rules and forgetting outbound rules.
    Because NACLs do not remember connections, outbound traffic will be blocked if no outbound rule exists.
    Always create matching inbound and outbound rules for the traffic you want to allow.
  • Using the same rule number for multiple rules.
    Rule numbers must be unique to determine the order of evaluation.
    Assign unique rule numbers to each rule to avoid conflicts.
Summary
Create inbound and outbound rules separately because NACLs are stateless.
Use the AWS CLI to add rules specifying protocol, port range, CIDR block, and direction.
Verify rules with describe-network-acls to ensure they are applied correctly.
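The following is an added example, not code from the page or from AWS: an offline simulation of how a NACL evaluates packets, using the entries from nacl-rules.json above. It applies the two facts this lesson rests on (rules are checked per direction in ascending rule-number order with first match wins, and a request and its reply are evaluated as two unrelated packets) and shows why the rule set above lets an HTTP request in but drops the reply, since rule 110 only allows outbound traffic to port 80 and the reply goes to the client's ephemeral port. The outbound ephemeral-port rule 140 (`EPHEMERAL_OUT`), the client address 203.0.113.10 and the port 49152 are constructed for the example; the implicit catch-all deny with rule number 32767 is the `*` rule every NACL ends with.

```python
"""Stateless NACL evaluation, simulated offline (added example, not AWS code)."""
import ipaddress
import json

# Constructed sample: the entries from nacl-rules.json on this page.
NACL_RULES_JSON = """
{
  "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
  "Entries": [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": false,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": true,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 120, "Protocol": "-1", "RuleAction": "deny", "Egress": false,
     "CidrBlock": "192.168.1.0/24"},
    {"RuleNumber": 130, "Protocol": "-1", "RuleAction": "deny", "Egress": true,
     "CidrBlock": "192.168.1.0/24"}
  ]
}
"""
RULES = json.loads(NACL_RULES_JSON)["Entries"]

# The catch-all deny every NACL ends with (shown as "*" in the console).
IMPLICIT_DENY = {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
                 "CidrBlock": "0.0.0.0/0"}

# Hypothetical extra rule (not on the page): outbound replies to ephemeral ports.
EPHEMERAL_OUT = {"RuleNumber": 140, "Protocol": "6", "RuleAction": "allow", "Egress": True,
                 "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 1024, "To": 65535}}


def _matches(entry, protocol, remote_ip, dst_port):
    """True if one rule matches a packet; PortRange applies to the destination port."""
    if entry["Protocol"] not in ("-1", protocol):
        return False
    if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(entry["CidrBlock"]):
        return False
    port_range = entry.get("PortRange")
    if port_range and not port_range["From"] <= dst_port <= port_range["To"]:
        return False
    return True


def evaluate(entries, egress, protocol, remote_ip, dst_port):
    """Return (rule_number, action) of the first matching rule for one packet.

    remote_ip is the source of an inbound packet or the destination of an
    outbound one; that is the address a CidrBlock is compared against.
    Only rules for the packet's direction are considered, lowest number first,
    and the implicit deny catches whatever nothing else matched.
    """
    candidates = [e for e in entries if e["Egress"] == egress] + [IMPLICIT_DENY]
    for entry in sorted(candidates, key=lambda e: e["RuleNumber"]):
        if _matches(entry, protocol, remote_ip, dst_port):
            return entry["RuleNumber"], entry["RuleAction"]
    raise AssertionError("unreachable: IMPLICIT_DENY matches every packet")


def round_trip(entries, protocol, remote_ip, remote_port, local_port, inbound_initiated=True):
    """Evaluate a request and its reply as the two separate packets a NACL sees."""
    if inbound_initiated:
        # A client at remote_ip:remote_port connects to local_port on the instance.
        request = evaluate(entries, False, protocol, remote_ip, local_port)
        reply = evaluate(entries, True, protocol, remote_ip, remote_port)
    else:
        # The instance connects out from local_port to remote_ip:remote_port.
        request = evaluate(entries, True, protocol, remote_ip, remote_port)
        reply = evaluate(entries, False, protocol, remote_ip, local_port)
    return {"request": request, "reply": reply,
            "flows": request[1] == "allow" and reply[1] == "allow"}


if __name__ == "__main__":
    # Web client (constructed address) from ephemeral port 49152 to port 80:
    # the request hits rule 100, the reply falls through to the implicit deny.
    print(round_trip(RULES, "6", "203.0.113.10", 49152, 80))
    # Same flow once outbound ephemeral ports are allowed.
    print(round_trip(RULES + [EPHEMERAL_OUT], "6", "203.0.113.10", 49152, 80))
    # First match wins: rule 100 allows port 80 from 192.168.1.0/24 before rule 120 denies it.
    print(evaluate(RULES, False, "6", "192.168.1.5", 80), evaluate(RULES, False, "6", "192.168.1.5", 22))
```

Run it as a script to see the three cases printed; `round_trip` with `inbound_initiated=False` models the reverse situation from the practice section, an instance browsing out to port 80 whose reply must be allowed inbound on an ephemeral port.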

Practice

1. What does it mean that Network ACLs (NACLs) are stateless in AWS?
easy
A. NACLs remember the state of connections to allow return traffic automatically
B. Each packet is checked independently without remembering previous packets
C. NACLs only filter traffic based on IP addresses, not ports
D. NACLs automatically block all inbound traffic by default

Solution

  1. Step 1: Understand the meaning of stateless

    Stateless means the system does not keep track of previous packets or connection states.
  2. Step 2: Apply this to NACLs

    NACLs evaluate each packet on its own, without remembering if it is part of an existing connection.
  3. Final Answer:

    Each packet is checked independently without remembering previous packets -> Option B
  4. Quick Check:

    Stateless means no memory of past packets = A [OK]
Hint: Stateless means no memory of past packets, check each separately [OK]
Common Mistakes:
  • Thinking NACLs remember connection states like security groups
  • Assuming NACLs allow return traffic automatically
  • Confusing stateless with blocking all traffic by default
2. Which of the following is the correct way to allow inbound HTTP traffic on port 80 using a NACL rule?
easy
A. Allow inbound traffic on port 80 with rule number 100, protocol TCP, action ALLOW
B. Allow inbound traffic on port 22 with rule number 100, protocol TCP, action ALLOW
C. Allow outbound traffic on port 80 with rule number 100, protocol TCP, action DENY
D. Allow inbound traffic on port 443 with rule number 100, protocol UDP, action ALLOW

Solution

  1. Step 1: Identify the correct port and protocol for HTTP

    HTTP uses TCP protocol on port 80.
  2. Step 2: Confirm the rule direction and action

    To allow inbound HTTP traffic, the rule must be inbound with action ALLOW.
  3. Final Answer:

    Allow inbound traffic on port 80 with rule number 100, protocol TCP, action ALLOW -> Option A
  4. Quick Check:

    Inbound TCP port 80 ALLOW = D [OK]
Hint: HTTP uses TCP port 80 inbound ALLOW rule [OK]
Common Mistakes:
  • Using wrong port number or protocol
  • Setting rule direction incorrectly
  • Using DENY action instead of ALLOW
3. Consider a NACL with the following rules:
Inbound Rule 100: ALLOW TCP port 80
Outbound Rule 100: DENY all traffic
What will happen when an instance in the subnet tries to send a response to an HTTP request?
medium
A. The response will be allowed because inbound is allowed
B. The response will be allowed because NACLs are stateful
C. The response will be blocked because outbound is denied
D. The response will be blocked because inbound denies it

Solution

  1. Step 1: Analyze inbound rule

    Inbound HTTP traffic on port 80 is allowed, so requests can reach the instance.
  2. Step 2: Analyze outbound rule

    Outbound rule denies all traffic, so responses from the instance are blocked.
  3. Final Answer:

    The response will be blocked because outbound is denied -> Option C
  4. Quick Check:

    Outbound DENY blocks response despite inbound ALLOW = B [OK]
Hint: Both inbound and outbound must allow traffic for two-way flow [OK]
Common Mistakes:
  • Assuming NACLs are stateful and allow return traffic automatically
  • Ignoring outbound rules when troubleshooting
  • Confusing inbound and outbound directions
4. You configured a NACL to allow inbound SSH (port 22) and outbound HTTP (port 80) traffic. However, SSH connections fail. What is the most likely cause?
medium
A. Outbound SSH traffic is not allowed in the NACL
B. Inbound HTTP traffic is not allowed in the NACL
C. NACLs are stateful and do not require outbound rules
D. Security groups block SSH traffic

Solution

  1. Step 1: Review NACL rules for SSH

    Inbound SSH (port 22) is allowed, but outbound SSH must also be allowed for return traffic.
  2. Step 2: Understand stateless nature of NACLs

    NACLs do not remember connection state, so both inbound and outbound rules must permit traffic.
  3. Final Answer:

    Outbound SSH traffic is not allowed in the NACL -> Option A
  4. Quick Check:

    Both directions must allow SSH for connection success = C [OK]
Hint: Allow both inbound and outbound for SSH due to stateless NACLs [OK]
Common Mistakes:
  • Assuming NACLs are stateful and outbound rules are unnecessary
  • Blaming security groups without checking NACLs
  • Ignoring outbound rules for return traffic
5. You want to allow a subnet to communicate with the internet using HTTP and HTTPS. Which NACL configuration correctly supports this stateless behavior?
hard
A. Allow all inbound and outbound traffic to simplify rules
B. Allow inbound TCP ports 80 and 443, allow outbound ephemeral ports 1024-65535
C. Allow inbound and outbound TCP ports 80 and 443 only
D. Allow inbound ephemeral ports 1024-65535, allow outbound TCP ports 80 and 443

Solution

  1. Step 1: Understand HTTP/HTTPS traffic flow

    Clients initiate outbound connections to ports 80 and 443; responses come back on ephemeral ports (1024-65535).
  2. Step 2: Configure NACL rules for stateless behavior

    Outbound rules must allow TCP ports 80 and 443; inbound rules must allow ephemeral ports for return traffic.
  3. Final Answer:

    Allow inbound ephemeral ports 1024-65535, allow outbound TCP ports 80 and 443 -> Option D
  4. Quick Check:

    Outbound to 80/443, inbound ephemeral ports for response = A [OK]
Hint: Allow outbound ports 80/443 and inbound ephemeral ports for return [OK]
Common Mistakes:
  • Allowing inbound ports 80/443 instead of ephemeral ports
  • Not allowing ephemeral ports inbound blocks responses
  • Allowing all traffic unnecessarily