Do we need to open the NACL for a private subnet both inbound and outbound to the internet when my subnet is routed to a NAT gateway to access the internet? If yes, how secure is it? The only restriction for the private subnet would be on the route table, as the NACL and security group will be open.
1 Answer
In general, you should never need to change the configuration of Network ACLs in a VPC.
Traditional networking uses rules in Routers that control traffic between subnets. However, AWS and other cloud services have Security Groups that allow controls to be placed on individual resources, which offers finer-grained security.
The only situation in which you should need to modify Network ACLs is when intentionally locking down security, such as creating a DMZ.
Configuring Network ACLs is also quite complex because they are stateless, so permissions need to be granted in both directions. Security Groups, in contrast, are stateful so (for example) communication can happen with only Inbound rules and no Outbound rules.
Bottom line: It is best to learn your Network ACLs with their default "Allow All" configuration.

- That makes sense. Although, the reason I want to configure the ACL is as an extra layer of protection and not a replacement for security groups. Do you know if I need to allow traffic to IPs outside the VPC in the ACL of a private subnet to enable communication to the internet using a NAT gw? – Andres Torres Aug 17 '22 at 17:25
- You would need to configure the NACL on the private subnet to allow traffic IN and OUT for all used ports (which can be quite difficult to determine). Incoming traffic from the Internet would come from the NAT Gateway, so it would come 'from' the NAT Gateway's IP address. However, I _suspect_ that outbound traffic will need to be allowed to public IPs even though the Route Table will direct that traffic to the NAT Gateway. You'll need to experiment. Configuring Network ACLs can be _very_ tricky! – John Rotenstein Aug 17 '22 at 23:59
- Resources in a private subnet already have 3 layers of security (Security Groups, private subnet, no public IP), so it is rarely required to also use NACLs as another layer, but that's your choice! – John Rotenstein Aug 18 '22 at 00:00
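To make the statelessness point in the answer and the NAT return-path question in the comments concrete, here is an added example that is not part of the original question, answer or comments: a small Python model of how a network ACL evaluates a single packet (numbered rules checked in ascending order, first match wins, implicit final deny), loaded with a private-subnet rule set patterned on the AWS documentation example for a VPC with a NAT device. Every CIDR, rule number, port range and address in it is assumed for illustration. It shows that the outbound HTTPS SYN and the inbound reply are judged independently, that leaving out the ephemeral-port return rule breaks every NAT-ed connection even though egress is allowed, and that a lower-numbered deny wins over a broader allow. One design note the example relies on: the NAT gateway rewrites the destination of the reply back to the instance's private IP, but the reply's source stays the remote host's public address, so the return-traffic rule is written against 0.0.0.0/0 on the ephemeral range rather than the NAT gateway's own IP.

```python
"""Stateless NACL evaluation for a private subnet behind a NAT gateway (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ALLOW, DENY = "allow", "deny"
EPHEMERAL = (1024, 65535)   # range AWS recommends covering for NAT gateway return traffic
VPC_CIDR = "10.0.0.0/16"    # assumed VPC range
INSTANCE = "10.0.1.10"      # assumed instance in the private subnet


@dataclass(frozen=True)
class Rule:
    number: int     # evaluated in ascending order; the first matching rule decides
    protocol: str   # "tcp", "udp" or "all"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    ports: tuple    # (low, high) inclusive; ignored when protocol == "all"
    action: str


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    protocol: str = "tcp"


def evaluate(rules, addr, port, protocol):
    """Return (action, rule_number) for one packet against one direction's rule list."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip_address(addr) not in ip_network(rule.cidr):
            continue
        if rule.protocol != "all" and not rule.ports[0] <= port <= rule.ports[1]:
            continue
        return rule.action, rule.number
    return DENY, "*"   # the implicit final rule: anything unmatched is dropped


@dataclass(frozen=True)
class NetworkAcl:
    inbound: tuple
    outbound: tuple

    def egress(self, pkt):   # outbound rules match on destination address and port
        return evaluate(self.outbound, pkt.dst, pkt.dport, pkt.protocol)

    def ingress(self, pkt):  # inbound rules match on source address and destination port
        return evaluate(self.inbound, pkt.src, pkt.dport, pkt.protocol)


def round_trip(nacl, request):
    """The reply is a fresh packet the NACL must also allow (no connection tracking).
    Only the destination is rewritten on the way back through the NAT gateway, so the
    reply's source is the remote host, not the NAT gateway."""
    reply = Packet(request.dst, request.dport, request.src, request.sport, request.protocol)
    return nacl.egress(request), nacl.ingress(reply)


# Private-subnet NACL in the style of the AWS documentation example (assumed rule set).
PRIVATE_SUBNET_NACL = NetworkAcl(
    inbound=(
        Rule(100, "tcp", VPC_CIDR, (22, 22), ALLOW),            # SSH from a bastion inside the VPC
        Rule(130, "tcp", "198.51.100.0/24", (0, 65535), DENY),  # assumed blocklisted range; beats 140
        Rule(140, "tcp", "0.0.0.0/0", EPHEMERAL, ALLOW),        # return traffic for NAT-ed connections
    ),
    outbound=(
        Rule(100, "tcp", "0.0.0.0/0", (80, 80), ALLOW),         # HTTP out via the NAT gateway
        Rule(110, "tcp", "0.0.0.0/0", (443, 443), ALLOW),       # HTTPS out via the NAT gateway
        Rule(120, "tcp", VPC_CIDR, EPHEMERAL, ALLOW),           # replies to the bastion's SSH session
    ),
)

# Same NACL with the inbound return rule omitted: egress is allowed, every connection hangs.
EGRESS_ONLY_NACL = NetworkAcl(inbound=PRIVATE_SUBNET_NACL.inbound[:2],
                              outbound=PRIVATE_SUBNET_NACL.outbound)


def https_request(remote="203.0.113.10"):
    """Constructed sample: the instance opens an HTTPS connection to a public address."""
    return Packet(INSTANCE, 50000, remote, 443)


def main():
    for name, nacl in (("private", PRIVATE_SUBNET_NACL), ("egress-only", EGRESS_ONLY_NACL)):
        out, back = round_trip(nacl, https_request())
        print(f"{name:12} egress={out} return={back}")
    out, back = round_trip(PRIVATE_SUBNET_NACL, https_request("198.51.100.7"))
    print(f"blocklisted  egress={out} return={back}")
    print("smtp         egress=", PRIVATE_SUBNET_NACL.egress(Packet(INSTANCE, 50001, "203.0.113.25", 25)))


if __name__ == "__main__":
    main()
```

The egress-only case is the failure mode the comments warn about: the outbound rule matches, the route table sends the SYN to the NAT gateway, and the SYN-ACK is then dropped at the subnet boundary by the implicit deny, which looks like a timeout rather than a rejection. The blocklisted case is the kind of narrow, deliberate rule that justifies touching a NACL at all: a deny placed before the broad ephemeral-port allow. When reproducing this in a real VPC, keep rule 140 as wide as the ephemeral range your clients actually use; operating systems and the NAT gateway itself pick source ports from different parts of 1024-65535.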