
Stateless behavior of NACLs in AWS - Commands & Configuration

Introduction
Network Access Control Lists (NACLs) control traffic in and out of a subnet in AWS. They are stateless, meaning they evaluate each request and each response packet separately, unlike stateful firewalls that remember connections and let the reply through automatically.

  • When you want to control traffic entering and leaving a subnet in your AWS VPC.
  • When you need to block specific IP addresses or ranges from reaching your subnet.
  • When you want to allow certain types of traffic but deny others at the subnet level.
  • When you want a simple, fast way to filter traffic without tracking connection state.
  • When you want an extra layer of security alongside security groups.
Config File - nacl-rules.json
{
  "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
  "Entries": [
    {
      "RuleNumber": 100,
      "Protocol": "6",
      "RuleAction": "allow",
      "Egress": false,
      "CidrBlock": "0.0.0.0/0",
      "PortRange": {
        "From": 80,
        "To": 80
      }
    },
    {
      "RuleNumber": 110,
      "Protocol": "6",
      "RuleAction": "allow",
      "Egress": true,
      "CidrBlock": "0.0.0.0/0",
      "PortRange": {
        "From": 80,
        "To": 80
      }
    },
    {
      "RuleNumber": 120,
      "Protocol": "-1",
      "RuleAction": "deny",
      "Egress": false,
      "CidrBlock": "192.168.1.0/24"
    },
    {
      "RuleNumber": 130,
      "Protocol": "-1",
      "RuleAction": "deny",
      "Egress": true,
      "CidrBlock": "192.168.1.0/24"
    }
  ]
}

This JSON defines rules for a Network ACL in AWS.

  • RuleNumber: Order of the rule evaluation.
  • Protocol: 6 means TCP, -1 means all protocols.
  • RuleAction: allow or deny the traffic.
  • Egress: false for inbound, true for outbound traffic.
  • CidrBlock: IP range the rule applies to.
  • PortRange: Ports to allow or deny (only for TCP/UDP).

Inbound and outbound rules are separate because NACLs are stateless and check each direction independently.

Commands
This command creates an inbound rule allowing TCP traffic on port 80 from any IP address.
Terminal
aws ec2 create-network-acl-entry --network-acl-id acl-0a1b2c3d4e5f6g7h8 --ingress --rule-number 100 --protocol 6 --port-range From=80,To=80 --rule-action allow --cidr-block 0.0.0.0/0
Expected Output
No output (command runs silently)
--ingress | --egress - Flag selecting whether the rule applies to inbound (--ingress) or outbound (--egress) traffic; the CLI takes this as a flag, not as a true/false value.
--rule-number - Determines the order in which rules are evaluated (lowest number first, first match wins).
This command creates an outbound rule allowing TCP traffic on port 80 to any IP address.
Terminal
aws ec2 create-network-acl-entry --network-acl-id acl-0a1b2c3d4e5f6g7h8 --egress --rule-number 110 --protocol 6 --port-range From=80,To=80 --rule-action allow --cidr-block 0.0.0.0/0
Expected Output
No output (command runs silently)
--egress - Marks this rule as applying to outbound traffic.
This command shows the current rules of the specified Network ACL to verify the entries.
Terminal
aws ec2 describe-network-acls --network-acl-ids acl-0a1b2c3d4e5f6g7h8
Expected Output
{
  "NetworkAcls": [
    {
      "NetworkAclId": "acl-0a1b2c3d4e5f6g7h8",
      "Entries": [
        {
          "RuleNumber": 100,
          "Protocol": "6",
          "RuleAction": "allow",
          "Egress": false,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": { "From": 80, "To": 80 }
        },
        {
          "RuleNumber": 110,
          "Protocol": "6",
          "RuleAction": "allow",
          "Egress": true,
          "CidrBlock": "0.0.0.0/0",
          "PortRange": { "From": 80, "To": 80 }
        },
        {
          "RuleNumber": 120,
          "Protocol": "-1",
          "RuleAction": "deny",
          "Egress": false,
          "CidrBlock": "192.168.1.0/24"
        },
        {
          "RuleNumber": 130,
          "Protocol": "-1",
          "RuleAction": "deny",
          "Egress": true,
          "CidrBlock": "192.168.1.0/24"
        }
      ]
    }
  ]
}
Key Concept

NACLs are stateless, so you must create separate inbound and outbound rules for traffic to flow correctly.

Common Mistakes
  • Creating only inbound rules and forgetting outbound rules.
    Because NACLs do not remember connections, outbound traffic will be blocked if no outbound rule exists.
    Always create matching inbound and outbound rules for the traffic you want to allow.
  • Using the same rule number for multiple rules.
    Rule numbers must be unique to determine the order of evaluation.
    Assign unique rule numbers to each rule to avoid conflicts.
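As an added example (not from the original page), a small Python evaluator that applies the NACL decision procedure (per direction, lowest rule number first, implicit final deny) to the ruleset above, using constructed client addresses and ports. It shows two things the page's rules do not: the reply to an inbound HTTP request leaves for the client's ephemeral port rather than port 80, so outbound rule 110 alone lets nothing out, and the deny entries 120/130 sit after allow entry 100, so port-80 traffic from 192.168.1.0/24 still gets in. The `hardened` function's renumbering and its 1024-65535 ephemeral range are assumptions, not page content.

```python
import ipaddress

# The page's nacl-rules.json entries, copied here as Python literals.
RULES = [
    {"RuleNumber": 100, "Protocol": "6", "RuleAction": "allow", "Egress": False,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 110, "Protocol": "6", "RuleAction": "allow", "Egress": True,
     "CidrBlock": "0.0.0.0/0", "PortRange": {"From": 80, "To": 80}},
    {"RuleNumber": 120, "Protocol": "-1", "RuleAction": "deny", "Egress": False,
     "CidrBlock": "192.168.1.0/24"},
    {"RuleNumber": 130, "Protocol": "-1", "RuleAction": "deny", "Egress": True,
     "CidrBlock": "192.168.1.0/24"},
]

def evaluate(rules, egress, proto, remote_ip, dst_port):
    """Decide one packet the way a NACL does: only rules for the packet's
    direction count, tried in ascending RuleNumber, first match wins, and a
    packet matching nothing hits the implicit final deny ('*' in the console).
    remote_ip is the address outside the subnet that CidrBlock is matched
    against (source for inbound packets, destination for outbound)."""
    for r in sorted(rules, key=lambda r: r["RuleNumber"]):
        if r["Egress"] != egress or r["Protocol"] not in ("-1", proto):
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(r["CidrBlock"]):
            continue
        pr = r.get("PortRange")  # absent means every port (the Protocol -1 entries)
        if pr and not pr["From"] <= dst_port <= pr["To"]:
            continue
        return r["RuleAction"]
    return "deny"

def http_round_trip(rules, client_ip, client_port):
    """Both halves of one HTTP exchange with a web server inside the subnet:
    the request arrives for dst port 80, but the reply leaves for the client's
    ephemeral port, which is what the outbound rules are matched against."""
    request = evaluate(rules, False, "6", client_ip, 80)
    reply = evaluate(rules, True, "6", client_ip, client_port)
    return request, reply

def hardened(rules):
    """Assumed fix (not from the page): renumber the deny entries below the
    allows so they are evaluated first, and add an outbound allow for the
    1024-65535 ephemeral range so replies to inbound requests can leave."""
    fixed = [dict(r, RuleNumber=r["RuleNumber"] - 100) if r["RuleAction"] == "deny"
             else r for r in rules]
    fixed.append({"RuleNumber": 140, "Protocol": "6", "RuleAction": "allow",
                  "Egress": True, "CidrBlock": "0.0.0.0/0",
                  "PortRange": {"From": 1024, "To": 65535}})
    return fixed
```

Calling `http_round_trip(RULES, "203.0.113.10", 51234)` returns `("allow", "deny")`: the request gets in, the reply is dropped by the implicit deny; with `hardened(RULES)` the same call returns `("allow", "allow")`, and a client in 192.168.1.0/24 is denied in both directions.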
Summary
  • Create inbound and outbound rules separately because NACLs are stateless.
  • Use the AWS CLI to add rules specifying protocol, port range, CIDR block, and direction.
  • Verify rules with describe-network-acls to ensure they are applied correctly.