AWS core servicesNetworking and securityIntermediate47 min read

What Is Network ACL in Networking?

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

A Network ACL is a set of rules that decide which traffic can enter or leave a subnet in a network. Think of it as a security guard at the entrance of a neighborhood, checking IDs and letting in only approved visitors. It checks each packet of data individually, without remembering past connections, so it can be very strict.

Common Commands & Configuration

aws ec2 create-network-acl --vpc-id vpc-12345678 --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=WebSubnetACL}]'

Creates a new custom Network ACL in the specified VPC. This command does not associate it with a subnet yet.

Tests ability to create ACLs via CLI. Common in AWS SAA and Cloud Practitioner exams where candidates must choose the correct service command.

aws ec2 associate-network-acl --network-acl-id acl-11223344 --subnet-id subnet-aa11bb22

Associates an existing Network ACL with a specific subnet. You can replace the current association by running this command again.

Frequent exam scenario: troubleshooting connectivity because wrong ACL is associated. Tests knowledge of subnet-association binding.

aws ec2 create-network-acl-entry --network-acl-id acl-11223344 --ingress --rule-number 100 --protocol tcp --port-range From=80,To=80 --cidr-block 0.0.0.0/0 --rule-action allow

Adds an inbound allow rule for HTTP traffic from any source to the Network ACL.

Key for understanding stateless rules. In SAA exams, this may be paired with missing outbound ephemeral rule scenarios.

aws ec2 create-network-acl-entry --network-acl-id acl-11223344 --egress --rule-number 100 --protocol tcp --port-range From=1024,To=65535 --cidr-block 0.0.0.0/0 --rule-action allow

Creates an outbound allow rule for ephemeral ports, necessary for return traffic when inbound HTTP is allowed. Statelessness demands this.

Directly tests stateless concept. Many exam questions ask why web server is unreachable; the answer is missing outbound ephemeral rule.

aws ec2 create-network-acl-entry --network-acl-id acl-11223344 --ingress --rule-number 10 --protocol tcp --port-range From=22,To=22 --cidr-block 10.0.1.0/24 --rule-action deny

Adds an inbound deny rule for SSH traffic from a specific internal IP range. Because rule 10 is low, it overrides higher-numbered allow rules.

Tests rule ordering and explicit deny. A common exam trap: assuming allow overrides deny, but lowest matching rule wins.

aws ec2 describe-network-acls --network-acl-ids acl-11223344

Lists details of a specific Network ACL including all rules, associations, and tags. Handy for debugging rule order.

Used in troubleshooting scenarios. Exams test ability to parse output to find missing rules or incorrect rule numbers.

aws ec2 replace-network-acl-association --association-id acassoc-12345678 --network-acl-id acl-99887766

Replaces the Network ACL association for a subnet. Useful when you need to apply a new ACL without disconnecting the subnet first.

Tests knowledge of how to update ACL associations without downtime. Appears in AZ-104 and SAA migration scenarios.

Network ACL appears directly in 101exam-style practice questions in Courseiva's question bank — one of the most-tested concepts on CLF-C02. Practise them →

Must Know for Exams

Network ACL is a core concept for several major IT certification exams, especially those focused on cloud networking and security. For the AWS Certified Cloud Practitioner (CLF-C02), you need to understand the basic difference between a Security Group (stateful) and a Network ACL (stateless). The exam may ask you to identify which service is stateless or which operates at the subnet level.

For the AWS Certified Solutions Architect - Associate (SAA-C03), Network ACLs are frequently tested in scenario-based questions. You might be given a scenario where traffic is not reaching an EC2 instance even though the Security Group allows it. The answer often involves a missing outbound rule in the Network ACL. You also need to know that Network ACLs support both allow and deny rules, while Security Groups only support allow rules. This distinction is critical for troubleshooting questions.

In CompTIA Network+ (N10-008) and Security+ (SY0-601), the concept of ACLs (Access Control Lists) is broader and includes router ACLs and firewall ACLs. However, the stateless vs. stateful distinction is still tested. You may see questions about which type of ACL is more secure in certain scenarios or how to filter traffic based on port numbers.

For the Cisco CCNA (200-301), ACLs are a major topic. You need to know how to configure standard and extended ACLs on Cisco routers, how to apply them to interfaces, and how to interpret the order of processing. The exam will test your ability to write ACL rules that allow specific traffic while denying everything else.

For the Microsoft Azure Administrator (AZ-104), Network Security Groups (NSGs) are the equivalent, but the concept is similar. You need to understand that NSGs are stateful unless you use Application Security Groups. The exam may compare Azure NSG rules with AWS Network ACL rules.

For the Google Associate Cloud Engineer (ACE), VPC firewall rules are analogous. The exam tests your ability to create firewall rules based on tags and service accounts, which is similar to Network ACLs but with different implementation details.

In all these exams, the most common question patterns include: 1) Scenario-based troubleshooting where a connection fails due to missing ACL rules, 2) Comparison questions asking which type of firewall is stateless, 3) Configuration questions where you must choose the correct order of rules, and 4) Security-based questions about when to use an ACL vs. a Security Group.

Simple Meaning

Imagine you live in a gated community with several streets (subnets). At the main gate, there is a security guard (the Network ACL) who checks every car that wants to enter or leave. The guard has a list of rules written on a clipboard. For example, one rule might say 'allow cars from the mail company between 8 AM and 6 PM' and another might say 'block any car that does not have a valid visitor pass'. This guard does not remember which cars have already been inside – every single car is checked from scratch each time. That is what stateless means: the guard treats each car as if it is the first time they are arriving.

In a cloud network like Amazon Web Services (AWS), a Network ACL works exactly like that guard. It is a list of numbered rules that either allow or deny traffic based on the IP address, the port number (like a specific door number on a building), and the protocol (like TCP or UDP). The rules are evaluated in order, starting from the lowest number. Once a rule matches, the action is taken – either allow or deny – and no further rules are checked.

This is different from a Security Group, which is like a guard who keeps a notebook of who they have already let in. That guard remembers that if a car came in earlier, they can leave without being checked again. That is stateful behavior. A Network ACL is stateless, so it needs separate rules for inbound and outbound traffic, even for the same conversation. For example, if a request comes in from the internet, the Network ACL must have a rule allowing inbound traffic (the request) and a separate rule allowing outbound traffic (the response). If the outbound rule is missing, the response gets blocked, and the connection fails.

In practice, Network ACLs are used to add an extra layer of security at the subnet boundary. They are useful for blocking specific IP addresses or entire ranges of addresses that are known to be malicious. Because they are stateless, they are very efficient for handling large amounts of traffic, but they require careful configuration to make sure responses are not accidentally dropped. When studying for IT certification exams, it is important to remember that Network ACLs are always evaluated before Security Groups when traffic enters a subnet, and they apply to all instances within that subnet automatically.

Full Technical Definition

A Network Access Control List (Network ACL) is an optional layer of security for your Virtual Private Cloud (VPC) that acts as a stateless firewall for controlling traffic in and out of one or more subnets. In Amazon Web Services (AWS), the Network ACL is defined at the VPC level and can be associated with multiple subnets, but each subnet can only be associated with one Network ACL at a time. By default, each VPC comes with a default Network ACL that allows all inbound and outbound traffic. When you create a custom Network ACL, it initially denies all inbound and outbound traffic until you explicitly add rules.

The fundamental characteristic of a Network ACL is that it is stateless. This means that the ACL does not track the state of network connections. Each packet is evaluated independently without any context of previous packets. As a result, you must define separate rules for inbound and outbound traffic. For example, if you allow inbound HTTP traffic (port 80) from the internet, you must also explicitly allow outbound traffic from the subnet back to the internet on ephemeral ports (typically ports 1024-65535) so that the web server can send responses. Failure to do so will result in broken connections.

Network ACL rules are processed in numerical order, starting with the lowest rule number. Each rule consists of a rule number (e.g., 100, 200, 300), a protocol (TCP, UDP, ICMP, or all), a port range, a source or destination IP address in CIDR notation, and an action (allow or deny). Once a rule matches the traffic, the action is applied immediately, and no further rules are evaluated. For this reason, it is common practice to add allow rules at lower numbers (e.g., 100) and deny rules at higher numbers (e.g., 32766) to ensure that legitimate traffic is matched first. AWS recommends incrementing rules by 100 to leave room for inserting new rules later.

The maximum number of rules per Network ACL is 20 per direction (inbound + outbound) by default, but this can be increased by requesting a limit increase from AWS Support. Each rule is evaluated against every packet. If no rule matches, the default deny rule at the end of the list (rule number *) applies, which denies all traffic.

In terms of standards, Network ACLs operate at Layer 3 (Network layer) and Layer 4 (Transport layer) of the OSI model. They filter based on IP addresses and port numbers, but they do not inspect the contents of the packet payload. For deeper inspection, you would need a Web Application Firewall (WAF) or a Network Firewall appliance.

Real IT implementation of Network ACLs is common in multi-tier architectures. For example, you might put your web servers in a public subnet with a Network ACL that allows HTTP and HTTPS inbound from the internet, and allows all outbound traffic to the internet and to the application servers. The application servers might be in a private subnet with a Network ACL that only allows inbound traffic from the web subnet, and denies all inbound traffic from the internet.

When troubleshooting connectivity issues, one of the first checks is to examine the Network ACL rules. Because it is stateless, a common issue is that the outbound rule for response traffic is missing. For instance, if you ping an EC2 instance from the internet, you need both an inbound rule allowing ICMP echo request and an outbound rule allowing ICMP echo reply. If either is missing, the ping fails.

In exam contexts, especially for AWS Certified Solutions Architect - Associate (SAA) and AWS Certified Cloud Practitioner, you need to understand the difference between Network ACLs (stateless) and Security Groups (stateful). You also need to know that Network ACLs support allow and deny rules (whereas Security Groups only support allow rules), and that Network ACLs are applied at the subnet level, while Security Groups are applied at the instance (or elastic network interface) level.

Real-Life Example

Suppose you live in a large apartment building with a main lobby and several wings. Each wing is like a subnet. The building has a security guard at the lobby entrance (the Network ACL). This guard has a clipboard with rules written in numbered lines. Rule 1 says 'Allow delivery drivers from 8 AM to 6 PM'. Rule 2 says 'Deny anyone wearing a blue jacket'. The guard checks every person who tries to enter the building. If someone wears a blue jacket, they are stopped immediately, even if they are a legitimate resident. This is because the guard does not remember who lives there – they only follow the list.

Now imagine a visitor named Alice comes to see a friend. She walks in through the lobby. The guard checks the clipboard and sees that she is not a delivery driver (rule 1 does not apply), and she is not wearing a blue jacket (rule 2 does not apply). So she is allowed in. She visits her friend and then leaves. On her way out, the guard checks the clipboard again. There is a rule that says 'Allow everyone to leave only if they came in on the same day'. But because the guard is stateless, they do not remember that Alice came in earlier. So they check the outbound rules. If there is no outbound rule allowing people to leave, Alice gets stuck inside. This is exactly what happens when a Network ACL has an inbound rule for a request but no corresponding outbound rule for the response.

In another scenario, imagine the building manager wants to block all visitors from a certain street (a specific IP range). They add a rule at the top of the clipboard: 'Deny anyone from Maple Street'. Every person from Maple Street is denied entry, even if they have a legitimate reason. This is like blocking traffic from a known malicious IP range using a Network ACL.

By contrast, a Security Group would be like a bouncer at a club who writes down the names of everyone who enters. When someone tries to leave, the bouncer checks their list and says 'Yes, I saw you come in earlier, you can leave.' That is stateful behavior. The Network ACL guard does not have that memory, so they need rules for both directions.

Why This Term Matters

Network ACLs matter in real-world IT because they provide a critical layer of defense at the perimeter of your network. In cloud environments like AWS, Azure, and Google Cloud, subnet-level filtering is often the first line of defense against unwanted traffic. For example, if you have a public subnet hosting a web server, you can use a Network ACL to block all traffic from countries or IP ranges that you do not do business with. This reduces the attack surface significantly.

Another practical reason is that Network ACLs are applied to all instances in a subnet automatically. This means you can enforce a baseline security policy without having to configure each individual instance's firewall. For example, if you want to block SSH access (port 22) from the entire internet, you can add a deny rule in the Network ACL, and every instance in that subnet is protected immediately.

Network ACLs are also important for compliance. Many regulatory frameworks require network segmentation and access control at the subnet level. By using Network ACLs, you can demonstrate that you have implemented controls to restrict traffic between different tiers of your application (web, application, database).

because Network ACLs are stateless, they are very fast. They do not need to maintain a state table, so they can handle high volumes of traffic with minimal latency. This makes them suitable for high-throughput environments like data streaming or real-time analytics.

However, the stateless nature also introduces complexity. IT professionals must carefully design rules to ensure that legitimate traffic flows in both directions. A common mistake is to only allow inbound traffic and forget to allow outbound responses. This can cause frustrating connectivity issues that are hard to debug unless you are familiar with how stateless filtering works.

How It Appears in Exam Questions

Network ACL questions on exams usually fall into three main patterns: scenario-based, configuration-based, and comparison-based.

In scenario-based questions, you are given a description of a network environment where traffic is not flowing as expected. For example, you might have a web server in a public subnet with a Security Group that allows HTTP and HTTPS inbound from 0.0.0.0/0. The web server is running but clients cannot access it. The question will list several possible causes, and one of them is that the Network ACL does not have an inbound rule allowing HTTP and HTTPS, or the outbound rule for response traffic is missing. The correct answer is often that the Network ACL's outbound rule does not allow ephemeral ports for responses.

Another scenario might involve a database server in a private subnet that is unreachable from an application server in a public subnet. The Security Groups are correctly configured, but the Network ACL on the private subnet is blocking inbound traffic from the application server's subnet. The question will ask you to identify the root cause.

Configuration-based questions often require you to select a set of rules from multiple choices. For instance, 'Which Network ACL rules would allow HTTPS traffic from the internet to your EC2 instance?' The answer will include an inbound rule with protocol TCP, port 443, source 0.0.0.0/0, and an outbound rule with protocol TCP, port range 1024-65535, destination 0.0.0.0/0.

Comparison-based questions explicitly ask you to identify differences. For example, 'Which of the following is a characteristic of a Network ACL but not a Security Group?' The answer could be 'It supports both allow and deny rules' or 'It is stateless.'

In multi-cloud exam questions, you might be asked to compare AWS Network ACL with Azure NSG. The key difference to remember is that Azure NSGs are stateful by default, while AWS Network ACLs are stateless.

Troubleshooting questions on the CCNA exam often involve a router with an ACL applied to an interface, and you need to determine why a certain host cannot ping another host. You must examine the ACL entries in order and see which rule matches first.

For the CompTIA Security+ exam, you might be asked to recommend a security control for a network segment. If the requirement is to allow only HTTP traffic from a specific IP range, a Network ACL would be an appropriate answer because it supports both allow and deny rules and operates at the subnet level.

Practise Network ACL Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a cloud architect for an e-commerce company. The company hosts a website on AWS using a single EC2 instance in a public subnet. The Security Group for the instance allows inbound HTTP (port 80) and HTTPS (port 443) from anywhere. However, customers report that they can load the homepage, but when they click 'Add to Cart,' the request times out.

You investigate the Network ACL associated with the public subnet. You find that the inbound rules are set correctly: Rule 100 allows HTTP from 0.0.0.0/0, Rule 110 allows HTTPS from 0.0.0.0/0. However, the outbound rules have only one rule: Rule 100 allows all TCP traffic to the internet on port 80 and 443. The problem is that when a customer sends a request, the web server needs to send the response back on a random ephemeral port (like port 34567). Because the outbound rule only allows traffic on ports 80 and 443, the response is blocked by the Network ACL.

To fix this, you add an outbound rule at a lower number (e.g., Rule 90) that allows all TCP traffic from the subnet to the internet on ephemeral ports 1024-65535. After applying this rule, customers can add items to their cart successfully. This scenario illustrates how the stateless nature of Network ACLs requires careful attention to both inbound and outbound rules, even for responses to allowed inbound traffic.

Common Mistakes

Assuming Network ACLs are stateful like Security Groups

Network ACLs are stateless, meaning they do not track connection state. Each packet is evaluated independently, so you need separate rules for incoming and outgoing traffic.

Always verify that both inbound and outbound rules are configured for the traffic you want to allow. If you allow inbound HTTP, also allow outbound traffic on ephemeral ports.

Forgetting to add outbound rules for response traffic

Even if inbound traffic is allowed, the response from your instance will be dropped if the outbound rule does not permit it. This is the most common cause of connectivity issues with Network ACLs.

For every inbound allow rule, add a corresponding outbound allow rule for the response traffic, typically on ephemeral ports (1024-65535) for TCP and UDP.

Placing deny rules before allow rules with lower numbers

Rules are evaluated in order of rule number, starting from the lowest. If a deny rule has a lower number than an allow rule, the traffic is denied before the allow rule is reached.

Assign lower rule numbers to allow rules (e.g., 100, 110) and higher numbers to deny rules (e.g., 32766, 32767). This ensures that legitimate traffic is matched first.

Thinking that a Network ACL overrides a Security Group

Network ACLs and Security Groups work together. Both must allow the traffic for it to reach the instance. A packet can be blocked by either one.

When troubleshooting, check both the Network ACL and the Security Group. If the Network ACL denies the traffic, it never reaches the Security Group check.

Using the same Network ACL for public and private subnets

Public and private subnets have different security requirements. A permissive Network ACL on a private subnet can expose your databases and internal services to unnecessary risk.

Create separate Network ACLs for public and private subnets. The public subnet ACL can have broader inbound rules, while the private subnet ACL should be restrictive.

Exam Trap — Don't Get Fooled

{"trap":"The exam question states: 'An EC2 instance has a Security Group that allows all inbound and outbound traffic. However, the instance cannot receive traffic from the internet. What is the most likely cause?'

Many learners immediately think it is a routing issue or a firewall on the instance itself. The exam trap is that they forget about the Network ACL.","why_learners_choose_it":"Learners often focus on Security Groups because they are more commonly discussed in AWS exam contexts.

They might also assume that a permissive Security Group is enough to allow traffic, overlooking the subnet-level filtering provided by Network ACLs.","how_to_avoid_it":"Always remember the layers of security in a VPC: the Network ACL operates at the subnet boundary, before the Security Group. If a Security Group is permissive but the instance is still unreachable, check the Network ACL inbound and outbound rules.

Also, remember that Network ACLs are stateless, so outbound rules for ephemeral ports are essential."

Commonly Confused With

Network ACLvsSecurity Group

A Security Group is stateful and operates at the instance or elastic network interface level, while a Network ACL is stateless and operates at the subnet level. Security Groups only support allow rules, while Network ACLs support both allow and deny rules.

If you allow inbound HTTP on a Security Group, the response is automatically allowed. With a Network ACL, you must explicitly allow the outbound response traffic.

Network ACLvsRoute Table

A route table controls where network traffic is directed based on destination IP addresses, not whether traffic is allowed. Network ACLs filter traffic based on rules, while route tables determine the path traffic takes.

A route table might send traffic to an internet gateway, but the Network ACL decides if that traffic is permitted to leave the subnet.

Network ACLvsWeb Application Firewall (WAF)

A WAF inspects HTTP/HTTPS traffic at the application layer (Layer 7) to block SQL injection, cross-site scripting, and other web attacks. A Network ACL only filters based on IP addresses, ports, and protocols (Layer 3/4).

A Network ACL can block traffic from a specific IP address, but it cannot detect malicious content in a web request. A WAF can.

Network ACLvsFirewall (on-premises)

Traditional on-premises firewalls are often stateful and can perform deep packet inspection, while cloud Network ACLs are stateless and simpler. On-premises ACLs on routers are similar to Network ACLs but are applied to interfaces rather than subnets.

A corporate firewall might allow a specific user based on their credentials. A Network ACL only inspects packet headers, not user identity.

Step-by-Step Breakdown

1

Check the Network ACL associated with the subnet

In the AWS Console, navigate to VPC > Subnets and select the subnet in question. Under the 'Network ACL' tab, you will see which ACL is associated. This is your starting point for troubleshooting subnet-level filtering.

2

Review inbound rules

Click on the Network ACL ID to view its details. Go to the 'Inbound Rules' tab. Look for a rule that matches the source IP and port of the traffic you expect. If no rule matches, the default deny rule will block the traffic.

3

Review outbound rules

Go to the 'Outbound Rules' tab. Even if inbound traffic is allowed, the response from your instance must match an outbound rule. Typically, you need a rule allowing outbound traffic on ephemeral ports (1024-65535) to the destination of the response.

4

Verify rule order

Rules are processed in numerical order, starting from the lowest number. Ensure that your allow rules have low numbers and your deny rules have higher numbers. If a deny rule with a lower number matches the traffic, it will be denied even if a later allow rule would have permitted it.

5

Check for implicit deny

The last rule in any Network ACL is an asterisk (*) rule that denies all traffic. This rule cannot be modified. If no explicit rule matches the traffic, the implicit deny rule blocks it.

6

Test with a tool like ping or telnet

To confirm your configuration, try to connect to the instance from an external client using ping (ICMP) or telnet (TCP). If the connection fails, check the Network ACL rules for ICMP or the relevant TCP port. Remember that ping requires both inbound and outbound ICMP rules.

7

Check the VPC Flow Logs

If you have VPC Flow Logs enabled, examine the logs to see if the traffic is being allowed or denied by the Network ACL. The 'ACCEPT' or 'REJECT' field in the log entry indicates the action taken by the Network ACL. This helps distinguish between Network ACL blocking and Security Group blocking.

Practical Mini-Lesson

A Network ACL is a powerful tool for network segmentation and traffic filtering in the cloud, but it requires a solid understanding of stateless filtering to use effectively. When you design a VPC architecture, you should plan your Network ACL rules early, because changing them after deployment can affect all instances in the subnet.

First, decide on the principle of least privilege. Start with a custom Network ACL that denies all inbound and outbound traffic by default. Then, add only the rules you need. For a public web server subnet, you might add inbound rules for HTTP (port 80) and HTTPS (port 443) from 0.0.0.0/0, and outbound rules for ephemeral ports to 0.0.0.0/0 so that responses can go back. If you need to allow SSH access for administrators, add a specific inbound rule with your company's public IP range as the source, not 0.0.0.0/0.

One common real-world scenario is to use a Network ACL to block traffic from known malicious IP addresses. For example, if you see repeated brute-force attempts from an IP block, you can add a deny rule at a low number (e.g., Rule 10) to block that IP range. This is faster than blocking at the Security Group level because the traffic is filtered before it reaches the instance, reducing load on the instance's network stack.

Another practical use is to isolate different tiers of an application. For instance, you can put database instances in a private subnet with a Network ACL that only allows inbound traffic from the web server subnet's CIDR on port 3306 (MySQL). This ensures that even if an attacker compromises a web server, they cannot directly access the database from the internet.

However, professionals should be aware of the limitations. Network ACLs do not inspect packet payloads, so they cannot block application-layer attacks like SQL injection. For that, you need a WAF. Also, managing many rules can become complex. AWS recommends using rule numbers that allow for future insertions (e.g., 100, 200, 300). If you fill up rules too tightly, you may need to renumber them, which can be tedious.

What can go wrong? The most common issue is when an engineer modifies the Network ACL and accidentally removes an outbound rule, causing all responses to be dropped. This can cause a complete outage for applications in that subnet. Therefore, always make changes during a maintenance window and test thoroughly.

In exams, you might be asked to design a Network ACL configuration for a three-tier application. The correct approach is to create separate subnets for each tier, associate each subnet with a tailored Network ACL, and ensure that the outbound rules allow responses to come back. Remember: inbound traffic to the web tier from the internet, outbound responses from the web tier, inbound from web to app tier, and outbound responses from app tier back to web tier.

How Network ACL Acts as a Subnet-Level Firewall

A Network Access Control List (Network ACL) is a virtual firewall that operates at the subnet level in an Amazon Virtual Private Cloud (VPC). Unlike security groups, which are stateful and operate at the instance level, Network ACLs are stateless, meaning they evaluate each packet independently without regard to previous traffic. This distinction is critical for cloud practitioners and network engineers, as it impacts how inbound and outbound rules must be configured. Every subnet in a VPC must be associated with a Network ACL; if no custom ACL is specified, the VPC's default Network ACL is used, which allows all inbound and outbound traffic. Custom Network ACLs, however, start with a default deny-all rule, forcing administrators to explicitly define allowed traffic. This behavior is tested heavily in exams like AWS Cloud Practitioner and AWS SAA, where understanding the stateless nature versus security group statefulness is a common trap question.

Network ACLs support both allow and deny rules, ordered by rule number (from 1 to 32766). Rules are evaluated in ascending order, and the first matching rule determines whether traffic is permitted or denied. This is different from security groups, which only have allow rules. The ability to explicitly deny traffic makes Network ACLs a powerful tool for blocking specific IP addresses or ranges at the subnet boundary, a feature often used in distributed denial of service (DDoS) mitigation or when implementing compliance requirements. For example, to block a known malicious IP range, you would add a deny rule with a low rule number before any allow rules. This ordering concept is frequently tested in advanced networking exams such as CCNA and Network+.

When configuring a Network ACL, you must consider both inbound and outbound rules separately. Since it is stateless, if you allow inbound traffic on port 80 from the internet, you must also allow outbound ephemeral traffic (typically ports 1024-65535) for the return response. Misconfiguring this asymmetry is one of the most common causes of connectivity issues in AWS environments. In exams like the Google ACE and AZ-104, scenarios often present a web server that is unreachable despite allowing inbound HTTP, and the correct answer involves adding the appropriate outbound rule to the Network ACL. Understanding this stateless behavior is foundational for cloud architects and network administrators alike, as it directly impacts security posture and troubleshooting efficiency.

The default Network ACL in a VPC allows all inbound and outbound traffic, which may seem overly permissive, but it serves as a baseline to ensure connectivity is not broken inadvertently. However, best practices for production environments mandate creating custom Network ACLs with the principle of least privilege. For example, a web application subnet should allow inbound TCP ports 80 and 443 from 0.0.0.0/0, and outbound ephemeral ports to 0.0.0.0/0. A database subnet should only allow inbound traffic from the web subnet on the database port (e.g., 3306 for MySQL) and deny all other inbound traffic. This layered security approach is a key concept in the Security+ and CCNA exams, where multi-tier architecture security is emphasized. Network ACLs, when combined with security groups, provide defense in depth: the Network ACL acts as a coarse filter at the subnet perimeter, while security groups provide finer-grained control at the instance level.

In practice, Network ACLs are applied to subnets, not to individual instances. This means all instances within a subnet inherit the same Network ACL rules. This is both an advantage (simplifies management) and a limitation (reduces flexibility). For scenarios requiring per-instance rules, security groups must be used. Many exam questions test this distinction by asking which construct to use when a specific set of instances needs different rules than others in the same subnet. The correct answer is always security groups. Network ACLs are also used to create DMZ subnets, where public-facing resources are isolated from internal subnets. By defining strict inbound and outbound rules, administrators can control traffic flow between tiers. Understanding how to design these tiers using Network ACLs is a core objective for the AWS SAA and Google ACE certifications, where VPC design is a major domain.

Advanced topics include using Network ACLs with VPC endpoints or AWS Transit Gateway. In such cases, the ACL rules must account for the IP ranges used by these services, which are often documented in AWS service-specific prefixes. For example, when using a VPC interface endpoint for Amazon S3, you need to add allow rules for the endpoint's IP addresses in the ACL. Neglecting this can result in unexpected connectivity failures, a scenario that appears in AZ-104 and Network+ troubleshooting questions. Network ACLs support rule metrics via Amazon CloudWatch, but only for the number of packets that match each rule. This can help identify traffic patterns or blocked attempts, but it does not provide detailed logs like VPC Flow Logs. The combination of Network ACLs, security groups, and Flow Logs forms a comprehensive monitoring and security framework, a topic that appears across all major cloud and networking certifications.

Stateless Behavior and Ephemeral Ports in Network ACL

The stateless nature of Network ACLs is one of the most important concepts to grasp for anyone working with AWS networking or preparing for certification exams. Unlike security groups, which automatically track connection state and allow return traffic, Network ACLs treat each packet as an independent entity. This means that when an instance initiates a connection to an external host, the outbound packet is evaluated against the outbound rules, and the corresponding inbound response packet must also be explicitly allowed by inbound rules. This is why ephemeral ports become critical. Ephemeral ports are temporary ports used by the client side of a TCP or UDP connection, typically in the range 1024-65535. When an instance sends a request, it uses a random high-numbered port as the source port, and the target server responds to that port. Therefore, the Network ACL's inbound rules must allow traffic on these ephemeral ports from the destination's IP range.

For example, consider an EC2 instance in a private subnet that needs to download updates from the internet via a NAT gateway. The instance sends an outbound request to the update server (say, 1.2.3.4) on port 443 (HTTPS). The outbound rule must allow destination port 443. But when the update server responds, it will send packets to the instance's IP address on the ephemeral port that the instance used (e.g., 34567). The Network ACL must have an inbound rule allowing traffic from the update server IP range on ephemeral ports 1024-65535 (or a more restricted range like 32768-65535, which is commonly used by Linux and Windows systems). Failure to include this inbound rule will result in the instance never receiving the response, even though the outbound request is allowed. This asymmetry is a classic exam scenario in the AWS Cloud Practitioner, AWS SAA, and Security+ exams, where candidates must identify why a connection is failing despite seemingly correct rules.

The ephemeral port range used by AWS depends on the operating system. For Amazon Linux, Ubuntu, and most Linux distributions, the range is 32768-60999. For Windows Server, it is typically 49152-65535. To be safe and avoid cross-OS issues, many administrators use 1024-65535 in their Network ACL rules. But for certification purposes, knowing the specific ranges can appear in advanced questions for AWS SAA or Network+. Some Network ACL configurations must account for the fact that a NAT gateway uses specific ephemeral ports. The NAT gateway itself is managed by AWS, but its behavior still requires proper ACL rules in the private subnet. If the private subnet's Network ACL does not allow inbound ephemeral traffic from the NAT gateway's elastic IP addresses (or the internet gateway's IP ranges), traffic will fail. This layered scenario tests deep understanding of how stateless filtering works across multiple components.

In practice, when designing Network ACL rules for internet-facing subnets, you must create symmetric rules. For inbound web traffic, allow source ports ephemeral for the response, but the common pattern is: inbound rules allow specific ports (80, 443) from any source, and outbound rules allow all traffic to any destination. This is considered acceptably secure because the outbound rule allows the instance to respond to any requested connection. However, for more restrictive environments, you might limit outbound traffic to only necessary destinations. For example, an application server that only needs to talk to a database server and the internet for updates would have outbound rules specific to the database's IP and the update server's IP. This precision reduces the attack surface, a concept emphasized in the CompTIA A+ and Security+ curricula.

The stateless behavior also affects how Network ACLs handle ICMP traffic. For ping (ICMP Echo Request and Echo Reply), both the inbound and outbound rules must explicitly allow the ICMP protocol type. Since ICMP does not use ports, the rules must specify the ICMP type and code (type 8 for Echo Request, type 0 for Echo Reply). Many administrators mistakenly only add an inbound rule allowing ICMP, forgetting that the outbound rule also needs to allow the reply. This is a common troubleshooting scenario in CCNA and Network+ labs, where ping works from one direction but not the other. In the AWS world, the same principle applies. Understanding these nuances is essential for passing the AZ-104 exam for Azure administrators transitioning to AWS, as Azure also uses stateless ACLs (NSGs) with similar concepts, though NSGs are stateful by default but can be made stateless via application security groups.

Finally, memorizing the ephemeral port ranges and stateless rule design is not just for exams-it directly impacts real-world deployments. Misconfigurations here are among the top reasons for network troubleshooting tickets in cloud environments. Many cloud engineers have spent hours debugging an issue only to find that the Network ACL was blocking the return traffic. By internalizing the stateless model, administrators can quickly diagnose and resolve such problems. In advanced certifications like AWS DevOps Engineer or Networking Specialty, scenarios often present a VPC peering connection that works intermittently, and the root cause is a missing ephemeral port rule in one of the peer VPC's ACLs. Thus, mastering this concept is both exam-critical and career-critical.

Key Differences Between Network ACL and Security Group

Understanding the differences between Network ACLs and security groups is a cornerstone of AWS networking knowledge, appearing in every major cloud certification exam, including AWS Cloud Practitioner, AWS SAA, Google ACE, and AZ-104. These two constructs serve overlapping but distinct security functions within a VPC, and confusing them is a common source of errors. The most fundamental difference is statefulness: security groups are stateful, meaning they automatically allow return traffic regardless of outbound rules, while Network ACLs are stateless and require explicit rules for both directions. This single difference affects everything from rule complexity to troubleshooting approaches. For example, if you create a security group that allows inbound HTTPS from the internet, you do not need to add an outbound rule for the response; the security group automatically tracks the connection. With a Network ACL, you must add an outbound rule allowing ephemeral ports. This is why security groups are generally recommended for per-instance control, while Network ACLs are better for broader subnet-level filtering.

Another critical difference is rule structure: security groups support only allow rules, while Network ACLs support both allow and deny rules. This means you cannot explicitly block an IP address using a security group; you would instead not include it in the allow rules (implicit deny). With a Network ACL, you can add a deny rule to block specific traffic, which is useful for implementing blacklists or handling compliance requirements. This distinction is frequently tested in Security+ and CCNA exams, where scenarios involve blocking a specific IP range while allowing others. The ability to deny traffic makes Network ACLs a powerful tool for network segmentation and DDoS mitigation at the subnet boundary. However, because security groups are easier to manage and less prone to misconfiguration, they are often the default recommendation for most use cases.

Rule evaluation order also differs. Security groups evaluate all rules together; if a packet matches any allow rule, it is permitted (unless the connection is already tracked). Network ACLs evaluate rules in numeric order, from lowest to highest, and the first match determines the outcome. This means you can deliberately place a deny rule with a low number to block traffic before it reaches an allow rule with a higher number. This ordering is a common exam trap: candidates might think that a higher-numbered allow rule will override a lower-numbered deny rule, but in reality, the first matching rule wins. In the AWS SAA exam, a typical question might present a Network ACL with a deny rule for a specific IP at rule 100 and an allow rule for all traffic at rule 200. The answer is that the IP is blocked because rule 100 is evaluated first. Understanding this nuance is essential for passing both AWS and Azure certification exams (Azure NSGs also have priority-based rules).

Scope of application is another differentiator. Security groups are associated with ENIs (Elastic Network Interfaces) attached to instances, so they operate at the instance level. Network ACLs are associated with subnets, so they apply to all instances within that subnet. This means if you need different rules for different instances in the same subnet, you must use security groups. Conversely, if you want to enforce a uniform policy across all instances in a subnet (e.g., block SSH from the internet), a Network ACL is more efficient. Many organizations use a combination: security groups for granular control, and Network ACLs as a safety net to block obviously malicious traffic. This layered approach is emphasized in the Security+ and CCNA curricula, where defense in depth is a key principle.

Behavior with VPC traffic also differs. Security groups can reference other security groups as sources or destinations, enabling easy cross-tier allow rules (e.g., allow traffic from the web security group to the database security group). Network ACLs cannot use security group references; they only support CIDR blocks, IP addresses, or DNS names. This means ACL rules are less dynamic and require more manual updates when IP addresses change. In the Google ACE exam, this limitation is often highlighted when discussing complex architectures with autoscaling groups where IPs change frequently. Security groups support allow rules for both inbound and outbound, but Network ACLs require separate rule tables for each direction. This duplication can increase management overhead, especially in large VPCs with many subnets.

Finally, performance and default configurations differ. Security groups have a default rule that allows all outbound traffic for new groups, and they deny all inbound traffic unless explicitly allowed. The default Network ACL, on the other hand, allows all inbound and outbound traffic, which is more permissive. Custom Network ACLs start with an implicit deny-all rule. This difference often leads to security misconfigurations when users create a custom ACL and forget to add allow rules, resulting in all traffic being denied. In exams like the AZ-104 and Cloud Practitioner, questions about default behaviors are common, testing whether candidates know that the default ACL is permissive while the default security group is restrictive. Mastering these distinctions is not only exam-critical but vital for real-world secure VPC design.

Network ACL Rule Numbering and Evaluation Order

Network ACL rule numbering is a fundamental concept that governs how traffic is allowed or denied at the subnet level. Each Network ACL rule is assigned a unique number between 1 and 32766, and AWS evaluates rules in ascending order starting from the lowest number. The first rule that matches the traffic determines whether the packet is permitted or denied. If no rule matches, the default implicit deny rule (rule number *) applies, which blocks all traffic. This numeric ordering is a key feature that distinguishes Network ACLs from security groups, where all rules are evaluated simultaneously. Understanding this ordering is essential for designing effective security policies, and it is a frequent topic in exams such as the AWS SAA, Network+, and AZ-104.

Why does this matter? Because the order of rules can either make or break your security posture. For example, suppose you want to allow HTTP (port 80) traffic from the internet to your web servers but block traffic from a specific malicious IP address (1.2.3.4). If you place the allow rule (rule 100: allow 0.0.0.0/0 port 80) before the deny rule (rule 200: deny 1.2.3.4 port 80), the malicious IP's traffic will be allowed because rule 100 matches first. To block the IP, you must place the deny rule with a lower number (e.g., rule 10: deny 1.2.3.4 port 80) and then the allow rule with a higher number (e.g., rule 20: allow 0.0.0.0/0 port 80). This logical placement is exactly how on-premises firewalls work, which is why CCNA and Network+ exams test this ordering principle heavily. In the AWS world, many beginners incorrectly assume that deny rules always override allow rules, but the truth is that the first matching rule wins, regardless of whether it is allow or deny.

Best practices for rule numbering include leaving gaps between rule numbers. This allows you to insert new rules in the future without having to renumber existing ones. For example, use rule numbers like 10, 20, 30, and so on. If you later need to block a new IP, you can add a rule at number 15 without shifting other rules. AWS does not support auto-renumbering, so if you fill all available numbers, you must either delete and recreate rules or manage them via API with manual numbering. This operational aspect is often tested in AWS certification scenarios where candidates must plan for future rule additions without disrupting current traffic.

Another important detail is that Network ACL rules have a star (*) entry as the default rule, which is always implicitly at the end and denies all traffic. You cannot modify or delete this default deny. This means if you remove all custom rules from a Network ACL, all traffic will be denied by default. In contrast, the default Network ACL (which is automatically created for each VPC) has a rule that allows all inbound and outbound traffic. This default ACL is often a confusing point in the Cloud Practitioner exam: the default ACL is permissive, but custom ACLs start with implicit deny. Understanding this subtlety can help answer questions about why a newly created subnet that uses a custom ACL has no connectivity.

Rule numbering also matters when troubleshooting connectivity issues. If traffic is unexpectedly blocked, you can check the Network ACL rule evaluation order by looking at the CloudWatch metrics for each rule. AWS provides a metric called "Packets" for each rule entry, which increments when a packet matches that rule. If you see packets hitting a deny rule, you know exactly which rule is blocking the traffic. Conversely, if packets match an allow rule but the traffic still fails, the issue might be in the corresponding rule for the return direction (statelessness). This metric-based debugging is a skill tested in practical exam scenarios for AWS Networking Specialty and DevOps Engineer.

In multi-tier architectures, rule ordering becomes even more critical. For example, in a web and database tier separated by private subnets, you might have a Network ACL on the database subnet that allows inbound traffic only from the web subnet's IP range on port 3306 (MySQL). The rule number for this specific allow should be lower than any broader allow or deny rules. If you have a catch-all deny rule at a higher number, you must ensure the specific allow rule is placed with a lower number. This is a common pass-or-fail scenario on the SAA exam: a question may describe a database that cannot be reached from the web tier, and the fix is to reorder the ACL rules so that the specific allow rule precedes any general deny.

Finally, note that each Network ACL can have a maximum of 20 inbound rules and 20 outbound rules by default, though this limit can be increased by requesting a quota increase. Rule numbers must be unique within each direction (inbound or outbound). The rule number cannot overlap between inbound and outbound because they are separate lists. When using the AWS Management Console, the interface enforces a step of 10 for rule numbers, but you can set any integer via CLI or SDK. For certification exams, you should remember that the valid range is 1 to 32766 and that lower numbers have higher precedence. By internalizing this ordering logic, you'll be well-prepared for both real-world configurations and exam questions across multiple platforms.

Troubleshooting Clues

Web server not accessible from internet despite security group allowing HTTP

Symptom: TCP connection timeout when trying to reach the web server's public IP on port 80 or 443.

The stateless Network ACL likely does not have an outbound rule for ephemeral ports. Inbound HTTP is allowed, but the return response from the server uses a random high port, which is blocked by the default deny outbound rule.

Exam clue: Classic SAA and Cloud Practitioner question: 'A web server is unreachable. Security group shows port 80 allowed. What is the most likely cause?' Correct answer: missing outbound ephemeral rule in the Network ACL.

Ping (ICMP) works in one direction only

Symptom: An instance can ping the internet, but cannot receive ping replies from outside. Or one subnet can ping another but not the reverse.

ICMP requires both inbound and outbound rules. For ping (Echo Request and Echo Reply), the ACL must allow ICMP type 8 (Echo Request) and type 0 (Echo Reply) in both directions. If only inbound is configured, the reply is blocked.

Exam clue: Network+ and CCNA exam questions often present ICMP failure scenarios testing the stateless nature of ACLs. Answer focuses on missing outbound ICMP rule.

Application server cannot connect to database server in different subnet

Symptom: Application throws a connection timeout when trying to reach the database on port 3306 or 5432, but the database security group allows the app server.

The database subnet's Network ACL likely does not have an inbound rule allowing traffic from the app subnet on the database port. Or the app subnet's ACL does not have an outbound rule allowing traffic to the database subnet.

Exam clue: Frequent in SAA and AZ-104 multi-tier architecture questions. Traps candidates into thinking security group is the only issue, ignoring ACLs.

After creating a custom Network ACL and associating it, all instances lose connectivity

Symptom: No inbound or outbound traffic works for instances in that subnet. Instances are unreachable even from same VPC.

Custom ACLs have an implicit deny-all rule by default. If you created the ACL and associated it without adding any allow rules, all traffic is blocked. You must add rules for at least necessary ports (e.g., VPC internal traffic, ephemeral ports).

Exam clue: Common mistake tested in Cloud Practitioner and A+ exams: default behavior of custom vs default ACL. The question states 'created a new ACL and now no connectivity' and the answer is missing allow rules.

Blocked IP address still reaches the instance

Symptom: IP address 5.6.7.8 is supposed to be blocked by a deny rule, but traffic from that IP still gets through.

The deny rule for 5.6.7.8 has a higher rule number than an allow rule that matches all traffic. Rules are evaluated in order from low to high. Since the allow rule has a lower number, it matches first and permits the traffic.

Exam clue: Network+ and Security+ questions test rule ordering. A typical scenario: 'tried to block an IP but it still works; what is wrong?' Answer: the deny rule number is higher than the allow rule.

VPC peering connection works intermittently

Symptom: Traffic between two peered VPCs succeeds sometimes but fails at other times. The peering route table looks correct.

The Network ACLs in one of the VPCs are missing inbound rules for the ephemeral ports used by the other VPC's CIDR. Since stateless, each direction must be explicitly allowed. If the ephemeral port range is not covered, some connections will fail.

Exam clue: This scenario appears in advanced AWS Networking Specialty exams and occasionally in SAA. Tests deep understanding of statelessness across VPC boundaries.

High packet loss for FTP data transfer

Symptom: Active FTP connections fail during data transfer (PORT command) but control connection works. Passive FTP works partially.

FTP uses separate ports for data and control. Active FTP uses a random high port as source for data connection, which may be blocked by the Network ACL. Passive FTP uses the server's high ports, but the ACL must allow inbound traffic on those ports. Missing rules cause packet drops.

Exam clue: Cisco CCNA and Network+ exams often use FTP scenarios to test knowledge of dynamic port behavior and ACL configuration. AWS exams may present similar with security groups and ACLs.

Memory Tip

Think 'SAD', Subnet level, Allow and Deny, and Stateless. Network ACL is the 'SAD' firewall at the subnet edge.

Learn This Topic Fully

This glossary page explains what Network ACL means. For a complete lesson with labs and practice, see the topic guide.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

N10-008N10-009(current version)
SY0-601SY0-701(current version)

Related Glossary Terms

Quick Knowledge Check

1.A VPC has a custom Network ACL for the public subnet. The inbound rules allow HTTP (port 80) and HTTPS (port 443) from 0.0.0.0/0. The outbound rules allow all traffic to 0.0.0.0/0. Users report they cannot connect to the web server. The security group for the EC2 instance allows HTTP and HTTPS from 0.0.0.0/0. What is the most likely cause?

2.An administrator created a custom Network ACL and associated it with a subnet. Immediately, all instances in that subnet lost network connectivity. What is the most likely reason?

3.You need to block traffic from IP 203.0.113.50 to the web servers in a public subnet while allowing all other HTTP traffic. Which rule configuration should you use?

4.Which statement correctly compares Network ACLs and security groups?

5.An EC2 instance fails to download packages from the internet (e.g., yum update). The instance is in a private subnet with a NAT gateway. The security group allows outbound HTTPS and HTTP. The Network ACL for the private subnet has inbound rules allowing HTTPS, HTTP, and ephemeral ports from the NAT gateway's IP. What is the most likely problem?

Frequently Asked Questions

What is the difference between a Network ACL and a Security Group?

A Network ACL is stateless and operates at the subnet level, supporting both allow and deny rules. A Security Group is stateful, operates at the instance level, and only supports allow rules. Both must permit traffic for it to reach an instance.

Can I assign the same Network ACL to multiple subnets?

Yes, a single Network ACL can be associated with multiple subnets within the same VPC. However, each subnet can only be associated with one Network ACL at a time.

Why is my EC2 instance unreachable even though the Security Group allows all traffic?

The Network ACL on the subnet might be blocking the traffic. Check that the inbound rule allows the traffic from the source, and that the outbound rule allows the response traffic (especially for ephemeral ports).

What are ephemeral ports and why do they matter in Network ACLs?

Ephemeral ports are temporary port numbers in the range 1024-65535 used by clients for receiving responses. When a server sends a response, it uses a random ephemeral port. The Network ACL must have an outbound rule allowing these ports for the response to reach the client.

Can I edit the default Network ACL?

Yes, you can modify the rules of the default Network ACL. By default, it allows all inbound and outbound traffic. You can add deny rules or remove allow rules to make it more restrictive.

Does a Network ACL affect traffic within the same subnet?

No, Network ACLs only filter traffic crossing the subnet boundary (inbound from outside the subnet or outbound to outside the subnet). Traffic within the same subnet is not evaluated by the Network ACL.

How many rules can I add to a Network ACL?

By default, you can have up to 20 inbound rules and 20 outbound rules per Network ACL. This limit can be increased by requesting a limit increase from AWS Support.

Summary

A Network ACL is a critical security component in cloud networking that filters traffic at the subnet level. It is stateless, meaning it treats each packet independently and requires separate rules for inbound and outbound traffic. This distinguishes it from Security Groups, which are stateful. Network ACLs support both allow and deny rules, making them useful for blocking specific IP addresses or entire ranges.

In IT certification exams, Network ACLs appear in scenario-based questions where connectivity is broken due to missing outbound rules or incorrect rule ordering. The concept is tested across AWS, Azure, CompTIA, and Cisco exams, each with slight variations. Understanding the stateless nature is the key to avoiding the most common exam traps.

For real-world practice, always start with a deny-all custom Network ACL and add only the rules you need. Remember to include outbound rules for ephemeral ports when allowing inbound traffic. Avoid using the same Network ACL for public and private subnets, as this can compromise security.

The main takeaway for exam success: when you see a question about a subnet that cannot communicate with the internet or another subnet, immediately think about the Network ACL's inbound and outbound rules, especially the ephemeral port range.