7

I read about AWS VPC and am trying to find any sense in using NAT. If I understand correctly, NAT is used when we have a VPC with two subnets: public and private. And if we want to allow the private subnet to make requests to the global network (for example, for software updates), but block all inbound traffic, we can set up NAT in the public subnet and connect this NAT with the private subnet.


But at the same time we can just create an ACL for the private subnet and block all inbound traffic. So, it would be able to download software updates if it needs to.

So, if all above is true, why do we need NAT?

Farad
  • 885
  • 2
  • 9
  • 25
  • How will you get TCP responses into your EC2 instance if your subnet ACL blocks all inbound traffic? – jarmod Apr 12 '20 at 19:15
  • 1
    How will it get TCP responses if NAT blocks all inbound traffic? – Farad Apr 12 '20 at 19:26
  • 1
    You've suggested blocking inbound connections to your EC2 instances using a subnet ACL block. I'm saying this won't work because it will block *all* traffic to the instances, including responses to your instance's outbound requests for software updates. And hence, no, an ACL block is not a substitute for IGW and NAT. You need NAT (and an IGW) if you want general outbound, stateful TCP connections from your 'private' instances. – jarmod Apr 12 '20 at 20:19
  • 2
    On your question "how it will get TCP responses if NAT blocks all inbound traffic?", NAT doesn't block all inbound traffic. If your EC2 instance created a TCP connection to a service on the internet via the NAT, then the NAT does port address translation, and will happily receive stateful responses and pass them back to your instance. – jarmod Apr 12 '20 at 20:35

1 Answer

7

A Network Access Control List (NACL) is stateless. This means the rules are enforced in both directions. Thus, in your scenario, traffic would be blocked in both directions.

In general, there should be no need to use a NACL. There are some appropriate uses (such as creating a DMZ), but these are rare.

You could, if you wish, put everything in a public subnet and simply use Security Groups to control access. This would work well because inbound and outbound rules can be configured separately. However, many people like the traditional concept of a private subnet to give an added sense of security.

John Rotenstein
  • 241,921
  • 22
  • 380
  • 470
  • 1
    Every time I'm googling for an answer related to NACLs, the response is don't use them, just use SGs. – ficuscr Aug 07 '21 at 06:21
  • 2
    @ficuscr That's correct. NACLs represent traditional networking that was done on physical routers between subnets. The benefit of virtual networking is that now _every resource can have its own firewall_ (as a Security Group) that provides much greater control and security. – John Rotenstein Aug 07 '21 at 06:50
  • Ah, this answer is so helpful and concise! – gebbissimo Jun 06 '22 at 19:00
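To make the stateless-versus-stateful distinction in this answer concrete, here is a small Python model (added here; not from the question, the answer, or AWS) of how a NACL and a Security Group treat the SYN-ACK that comes back from an outbound HTTPS update fetch. Addresses, rule numbers and the ephemeral port range are constructed sample values; real NACL rules also carry CIDRs and protocols, which the model leaves out.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

class NetworkAcl:
    """Stateless: each direction is evaluated on its own, rules in number order,
    ending with the implicit '*' deny. CIDRs are omitted; rules are port ranges."""
    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound), "out": sorted(outbound)}
    def allows(self, direction, pkt):
        for _num, action, lo, hi in self.rules[direction]:
            if lo <= pkt.dport <= hi:  # NACL port range matches the destination port
                return action == "allow"
        return False  # no rule matched: '*' deny

class SecurityGroup:
    """Stateful allow-list: replies to a permitted outbound flow are admitted
    even though no inbound rule matches them."""
    def __init__(self, inbound_ports, outbound_ports):
        self.inbound, self.outbound = set(inbound_ports), set(outbound_ports)
        self.flows = set()  # connection tracking
    def allows(self, direction, pkt):
        if direction == "out" and pkt.dport in self.outbound:
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if direction == "in":
            reply_of = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            return reply_of in self.flows or pkt.dport in self.inbound
        return False

def update_succeeds(fw):
    """One HTTPS fetch from a private instance: SYN out, SYN-ACK back
    (constructed sample addresses)."""
    syn = Packet("10.0.1.5", 49152, "203.0.113.10", 443)
    syn_ack = Packet("203.0.113.10", 443, "10.0.1.5", 49152)
    return fw.allows("out", syn) and fw.allows("in", syn_ack)

def scenarios():
    # Does the update fetch complete under each filter configuration?
    allow_all_out = [(100, "allow", 0, 65535)]
    return {
        "nacl_deny_all_inbound": update_succeeds(NetworkAcl([], allow_all_out)),
        "nacl_allow_ephemeral_inbound": update_succeeds(
            NetworkAcl([(100, "allow", 1024, 65535)], allow_all_out)),
        "security_group_outbound_only": update_succeeds(SecurityGroup([], [443])),
    }
```

The first scenario is the one proposed in the question: the NACL drops the SYN-ACK, so the update never completes; the second shows the inbound ephemeral-port rule a NACL needs, and the third shows why a Security Group with no inbound rules still works.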