
Stateless behavior of NACLs in AWS - Step-by-Step Execution

Process Flow - Stateless behavior of NACLs
1. Packet arrives at subnet
2. Check inbound NACL rules
   - no match: Drop packet
   - match: Instance processes packet
3. Response packet sent
4. Check outbound NACL rules
   - no match: Drop packet
A packet entering a subnet is checked against inbound NACL rules; if allowed, it reaches the instance. The response packet is then checked against outbound NACL rules before leaving, showing stateless checks in both directions.
Execution Sample
AWS
Inbound NACL: Allow TCP port 80
Outbound NACL: Allow TCP port 80
Packet: TCP request to port 80
Response: TCP reply from port 80
This setup shows a TCP request allowed inbound and its response allowed outbound by separate NACL rules.
Process Table
Step | Packet Direction | NACL Rule Checked | Rule Result | Action Taken
---- | ---------------- | ----------------- | ----------- | ------------
1 | Inbound | Allow TCP port 80 | Match | Packet forwarded to instance
2 | Inbound | Other rules | No match | No action (default deny)
3 | Outbound | Allow TCP port 80 | Match | Response packet sent out
4 | Outbound | Other rules | No match | No action (default deny)
5 | Inbound | Packet to port 22 | No match | Packet dropped
6 | Outbound | Response from port 22 | No match | Packet dropped
💡 Packets are dropped if no matching allow rule is found in the respective inbound or outbound NACL check.
Status Tracker
Variable | Start | After Step 1 | After Step 3 | After Step 5
-------- | ----- | ------------ | ------------ | ------------
Packet Direction | Inbound | Inbound | Outbound | Inbound
Packet Port | 80 | 80 | 80 | 22
NACL Rule Match | None | Allow TCP 80 | Allow TCP 80 | No match
Packet Status | Pending | Forwarded | Sent out | Dropped
Key Moments - 2 Insights
Why does the response packet need its own outbound NACL rule if the inbound request was allowed?
Because NACLs are stateless, the response packet is checked separately against outbound rules (see execution table steps 3 and 5). Allowing inbound does not automatically allow outbound.
What happens if there is no matching rule for a packet in NACL?
The packet is dropped by default, as shown in execution table steps 2, 4, and 5, where no match leads to a drop.
Visual Quiz - 3 Questions
Test your understanding
Look at the execution table: what is the packet status after step 1?
A) Dropped
B) Forwarded
C) Sent out
D) Pending
💡 Hint
Check the 'Packet Status' column after step 1 in the execution table.
At which step does the packet get dropped due to no matching inbound rule?
A) Step 5
B) Step 1
C) Step 3
D) Step 6
💡 Hint
Look for 'Packet dropped' with 'Inbound' direction and 'No match' in NACL Rule Checked.
If the outbound NACL allowed all ports, how would step 6 change?
A) Packet would be forwarded to instance
B) Packet would be dropped
C) Packet would be sent out
D) No change
💡 Hint
Refer to step 6 where no match causes drop; allowing all ports outbound would allow sending out.
Concept Snapshot
NACLs check inbound and outbound traffic separately.
They are stateless: allow rules must exist for both directions.
No matching rule means packet is dropped by default.
Inbound rules control incoming packets; outbound rules control outgoing packets.
This ensures explicit control over traffic flow in both directions.
Full Transcript
Network Access Control Lists (NACLs) in AWS are stateless. This means each packet is checked independently when it enters and leaves a subnet. When a packet arrives inbound, it is checked against inbound NACL rules. If allowed, it reaches the instance. When the instance sends a response, that packet is checked against outbound NACL rules. Both directions require explicit allow rules. If no rule matches, the packet is dropped. This behavior ensures tight control over traffic flow but requires rules for both inbound and outbound directions.