AWS | cloud | ~30 mins

Stateless behavior of NACLs in AWS - Mini Project: Build & Apply

Stateless behavior of NACLs
📖 Scenario: You are managing network security in AWS. You want to understand how Network Access Control Lists (NACLs) work, especially their stateless nature. NACLs control traffic in and out of subnets, but unlike security groups they are stateless: they do not track connections, so return traffic is not allowed automatically. This means you must explicitly allow both the inbound and the outbound leg of a flow.
🎯 Goal: Create an AWS NACL configuration that allows inbound HTTP traffic on port 80 and outbound HTTP response traffic on ephemeral ports, demonstrating the stateless behavior of NACLs.
📋 What You'll Learn
Create a Network ACL with a specific ID
Add an inbound rule allowing TCP traffic on port 80 from any IPv4 address
Add an outbound rule allowing TCP traffic on ephemeral ports (1024-65535) to any IPv4 address
Use explicit rule numbers and protocol numbers
Demonstrate stateless behavior by having separate inbound and outbound rules
💡 Why This Matters
🌍 Real World
Network Access Control Lists (NACLs) are used in AWS to control traffic at the subnet level. Understanding their stateless nature helps in designing secure and functional network architectures.
💼 Career
Cloud engineers and network administrators must configure NACLs correctly to ensure security and proper traffic flow in AWS environments.
Step 1: Create the initial NACL data structure
Create a variable called nacl as a dictionary with the key NetworkAclId set to 'acl-12345678' and an empty list for Entries.
Hint: Think of nacl as a container holding the NACL ID and its rules.

Step 2: Add inbound HTTP allow rule configuration
Add a dictionary to nacl["Entries"] representing an inbound rule with RuleNumber 100, Protocol 6 (TCP), RuleAction 'allow', Egress False, CidrBlock '0.0.0.0/0', and PortRange from 80 to 80.
Hint: Inbound rules have Egress set to False. Port 80 is for HTTP.

Step 3: Add outbound ephemeral port allow rule configuration
Append a dictionary to nacl["Entries"] representing an outbound rule with RuleNumber 100, Protocol 6 (TCP), RuleAction 'allow', Egress True, CidrBlock '0.0.0.0/0', and PortRange from 1024 to 65535.
Hint: Outbound rules have Egress set to True. Ephemeral ports range from 1024 to 65535.

Step 4: Complete the NACL configuration with a deny all rule
Append two deny rules to nacl["Entries"]: one inbound with RuleNumber 200, Protocol -1 (all), RuleAction 'deny', Egress False, CidrBlock '0.0.0.0/0'; and one outbound with RuleNumber 200, Protocol -1, RuleAction 'deny', Egress True, CidrBlock '0.0.0.0/0'.
Hint: Deny all rules catch any traffic not explicitly allowed. Use Protocol -1 for all protocols.
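The four steps above build one NACL configuration. The following is an added example, not code from the exercise or from AWS: it builds that configuration in Python and then evaluates sample packets against it the way a NACL does (rules for one direction only, ascending RuleNumber, first match wins, nothing matched falls to the implicit deny). The ACL ID is the one the exercise uses; the client address 203.0.113.5 and the function names build_nacl, evaluate, http_exchange and without_outbound_allow are constructed for this example. Note that the real EC2 API carries Protocol as a string ("6", "-1"); the integers here follow the exercise text.

```python
import ipaddress

# Constructed values: the ACL ID is the one the exercise uses; the client
# address is a documentation-range address chosen for this example.
ACL_ID = "acl-12345678"
CLIENT_IP = "203.0.113.5"
TCP, ALL_PROTOCOLS = 6, -1


def build_nacl(acl_id=ACL_ID):
    """Build the NACL dict exactly as steps 1-4 describe it."""
    nacl = {"NetworkAclId": acl_id, "Entries": []}          # step 1
    nacl["Entries"].append({                                 # step 2: inbound HTTP
        "RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow",
        "Egress": False, "CidrBlock": "0.0.0.0/0",
        "PortRange": {"From": 80, "To": 80},
    })
    nacl["Entries"].append({                                 # step 3: outbound ephemeral
        "RuleNumber": 100, "Protocol": TCP, "RuleAction": "allow",
        "Egress": True, "CidrBlock": "0.0.0.0/0",
        "PortRange": {"From": 1024, "To": 65535},
    })
    for egress in (False, True):                             # step 4: deny all, both directions
        nacl["Entries"].append({
            "RuleNumber": 200, "Protocol": ALL_PROTOCOLS, "RuleAction": "deny",
            "Egress": egress, "CidrBlock": "0.0.0.0/0",
        })
    return nacl


def evaluate(nacl, egress, protocol, port, remote_ip):
    """Decide one packet the way a NACL does: only the rules for this
    direction apply, they are checked in ascending RuleNumber order, the
    first matching rule wins, and a packet matching nothing hits the
    implicit catch-all deny. For inbound packets remote_ip is the source
    address; for outbound packets it is the destination address."""
    addr = ipaddress.ip_address(remote_ip)
    rules = sorted((r for r in nacl["Entries"] if r["Egress"] == egress),
                   key=lambda r: r["RuleNumber"])
    for rule in rules:
        if rule["Protocol"] not in (ALL_PROTOCOLS, protocol):
            continue
        if addr not in ipaddress.ip_network(rule["CidrBlock"]):
            continue
        port_range = rule.get("PortRange")
        if port_range and not port_range["From"] <= port <= port_range["To"]:
            continue
        return rule["RuleAction"]
    return "deny"  # implicit '*' rule


def http_exchange(nacl, client_port):
    """Verdicts for a client request (inbound, dst port 80) and the server's
    reply (outbound, dst port client_port). Each leg is judged on its own:
    the NACL keeps no record of the request when the reply leaves."""
    request = evaluate(nacl, egress=False, protocol=TCP, port=80, remote_ip=CLIENT_IP)
    reply = evaluate(nacl, egress=True, protocol=TCP, port=client_port, remote_ip=CLIENT_IP)
    return request, reply


def without_outbound_allow(nacl):
    """Copy of the NACL with the step-3 outbound allow rule left out."""
    entries = [r for r in nacl["Entries"]
               if not (r["Egress"] and r["RuleAction"] == "allow")]
    return {"NetworkAclId": nacl["NetworkAclId"], "Entries": entries}


if __name__ == "__main__":
    nacl = build_nacl()
    print("full config, client port 49152:", http_exchange(nacl, 49152))
    print("full config, client port 1023: ", http_exchange(nacl, 1023))
    print("no outbound allow rule:        ", http_exchange(without_outbound_allow(nacl), 49152))
```

Running it shows the stateless point directly: with all four rules the request and the reply are both allowed; drop the step-3 outbound rule and the request is still allowed while the reply is denied, which is exactly what a security group would never do. The third case shows why the outbound range is 1024-65535: a client whose source port falls below that range has its reply denied even with the full configuration in place.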