A Network Access Control List (NACL) is an optional layer of security for your VPC that acts as a stateless firewall at the subnet boundary, controlling inbound and outbound traffic for one or more subnets. A default NACL is created with every VPC; you can customize it, or create custom NACLs, as an additional layer of defence alongside security groups.
An ephemeral port is a short-lived endpoint that is created by the operating system when a program requests any available user port. The operating system selects the port number from a predefined range, typically between 1024 and 65535, and releases the port after the related TCP connection terminates.
Because a NACL is stateless, its outbound rule list must explicitly allow return traffic to the client's ephemeral port range (for example TCP 1024-65535 to 0.0.0.0/0); otherwise the responses to requests you allowed inbound are dropped at the subnet boundary. The same applies in reverse: instances that initiate outbound connections need an inbound rule for the ephemeral range in order to receive replies.
Facts About NACL
- For inbound traffic the NACL is evaluated first, at the subnet boundary, and only traffic it allows goes on to be evaluated by the instance's security group. For outbound traffic the order is reversed: the security group is evaluated first, then the NACL.
- A NACL is stateless: allowing inbound traffic does not automatically allow the corresponding outbound (return) traffic, so you must create matching rules in both lists.
- A default Network ACL is created when you create a VPC. It allows all inbound and outbound traffic, and you can customize it to your requirements.
- A custom Network ACL denies all inbound and outbound traffic until you add rules to it; its only initial entry is the catch-all * deny rule.
- A Network ACL can be associated with multiple subnets, but a subnet can be associated with only one NACL at a time. A subnet that you do not explicitly associate with a NACL is automatically associated with the VPC's default NACL.
- There are separate lists of inbound and outbound rules.
- Each list is a set of numbered rules evaluated in ascending order, starting from the lowest number. The first rule that matches the traffic decides the outcome and later rules are not consulted; traffic that matches no numbered rule hits the final catch-all * rule and is denied.
Ex.
Rule No. 100 allowing HTTP on port 80
Rule No. 200 denying HTTP on port 80
Result: the NACL allows HTTP on port 80, because rule 100 matches first. If the numbers were swapped, the deny would match first and HTTP would be blocked.
- You can write explicit deny rules in a NACL to block specific IP addresses or CIDR ranges, which is not possible with security groups (security groups only have allow rules). Give such a deny a lower rule number than any broad allow it must override.
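As an added, runnable illustration of the two points above (first-match-by-rule-number ordering, and stateless handling of the client's ephemeral return port), here is a small Python model of how a NACL evaluates a packet. It is example code written for this page, not AWS code; the rule numbers, CIDRs and client port 49152 are constructed for the demonstration.

```python
"""Toy evaluator for AWS Network ACL semantics (added example, not AWS code).

Models the behaviour described on this page:
  * rules are evaluated in ascending rule-number order, first match wins,
    and the implicit '*' rule denies whatever no numbered rule matched;
  * a NACL is stateless, so a TCP request and its reply are checked
    independently against the inbound and the outbound rule lists.
All rule numbers, addresses and ports below are constructed for the example.
"""
from dataclasses import dataclass
import ipaddress

ALL_PORTS = (0, 65535)
EPHEMERAL = (1024, 65535)   # typical OS ephemeral range for client-side ports


@dataclass(frozen=True)
class Rule:
    number: int      # 1..32766 in AWS; lower numbers are evaluated first
    protocol: str    # "tcp", "udp", "icmp" or "-1" meaning all protocols
    ports: tuple     # (low, high) inclusive destination port range
    cidr: str        # source CIDR for inbound rules, destination CIDR for outbound
    action: str      # "allow" or "deny"

    def matches(self, proto, port, addr):
        if self.protocol not in ("-1", proto):
            return False
        lo, hi = self.ports
        if not lo <= port <= hi:
            return False
        return ipaddress.ip_address(addr) in ipaddress.ip_network(self.cidr)


def evaluate(rules, proto, port, addr):
    """Verdict for one packet: lowest-numbered matching rule wins."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, port, addr):
            return rule.action
    return "deny"   # the implicit '*' rule at the end of every NACL


def check_flow(inbound, outbound, proto, client_ip, client_port, server_port):
    """Check a request and its reply separately, as a stateless NACL does.

    Inbound rules see the client as the source and the server port as the
    destination port; outbound rules see the client as the destination and
    the client's ephemeral port as the destination port.
    """
    request = evaluate(inbound, proto, server_port, client_ip)
    reply = evaluate(outbound, proto, client_port, client_ip)
    return request, reply


# The page's ordering example: 100 allows HTTP, 200 denies HTTP -> allowed.
ORDERED = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow"),
           Rule(200, "tcp", (80, 80), "0.0.0.0/0", "deny")]
# Same rules with the numbers swapped -> denied; rule 100 is consulted first.
SWAPPED = [Rule(100, "tcp", (80, 80), "0.0.0.0/0", "deny"),
           Rule(200, "tcp", (80, 80), "0.0.0.0/0", "allow")]
# Blocking one address: the deny needs a LOWER number than the broad allow.
BLOCK_ONE = [Rule(50, "-1", ALL_PORTS, "198.51.100.7/32", "deny"),
             Rule(100, "tcp", (80, 80), "0.0.0.0/0", "allow")]
# Stateless pitfall: inbound 80 is allowed, but this outbound list has no
# ephemeral-range rule, so the HTTP reply is dropped at the subnet boundary.
OUT_MISSING = [Rule(100, "tcp", (443, 443), "0.0.0.0/0", "allow")]
OUT_FIXED = OUT_MISSING + [Rule(200, "tcp", EPHEMERAL, "0.0.0.0/0", "allow")]


def demo():
    """Return every verdict the example demonstrates, keyed by scenario."""
    return {
        "ordered": evaluate(ORDERED, "tcp", 80, "203.0.113.10"),
        "swapped": evaluate(SWAPPED, "tcp", 80, "203.0.113.10"),
        "blocked_ip": evaluate(BLOCK_ONE, "tcp", 80, "198.51.100.7"),
        "other_ip": evaluate(BLOCK_ONE, "tcp", 80, "203.0.113.10"),
        "missing_ephemeral": check_flow(ORDERED, OUT_MISSING, "tcp",
                                        "203.0.113.10", 49152, 80),
        "with_ephemeral": check_flow(ORDERED, OUT_FIXED, "tcp",
                                     "203.0.113.10", 49152, 80),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The "missing_ephemeral" scenario is the one that bites in practice: the inbound request is allowed, the server answers, and the answer is silently dropped because nothing in the outbound list covers the client's ephemeral port. In a real VPC the fix is an outbound entry such as aws ec2 create-network-acl-entry --network-acl-id <acl-id> --egress --rule-number 200 --protocol tcp --port-range From=1024,To=65535 --cidr-block 0.0.0.0/0 --rule-action allow, with the network ACL id being whatever your VPC assigned.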

