What is a Network ACL (Access Control List) in Amazon VPC, and what is its primary function?


Question:

What is a Network ACL (Access Control List) in Amazon VPC, and what is its primary function?

Options:

a. A network ACL is a firewall that controls traffic to and from subnets in a VPC.

b. A network ACL is a load balancer that distributes traffic between EC2 instances in a VPC.

c. A network ACL is a tool for managing DNS entries within a VPC.

d. A network ACL is a routing table that determines how traffic is directed within a VPC.


Correct Answer:

Option a: A network ACL is a firewall that controls traffic to and from subnets in a VPC.


Explanation:

A Network ACL (NACL) in Amazon Virtual Private Cloud (VPC) acts as a stateless firewall that controls inbound and outbound traffic at the subnet level. It consists of a set of rules that either allow or deny traffic based on factors such as IP address, protocol, and port number.

  • Unlike security groups, which operate at the instance level and are stateful (return traffic for an allowed connection is permitted automatically), Network ACLs are stateless. This means that if you allow inbound traffic, you must also explicitly allow the outbound return traffic for that same connection with a separate rule.
  • Network ACLs are useful for providing an extra layer of security for subnets within a VPC.
  • Each subnet in a VPC must be associated with exactly one Network ACL; a subnet that is not explicitly associated with one uses the VPC's default network ACL, which allows all inbound and outbound traffic.
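As an added illustration of the stateless point above (example code, not from the page or from AWS), this Python snippet simulates how a subnet's inbound and outbound NACL rule lists are evaluated independently of each other. Ascending rule-number order, first match wins, and an implicit final deny are assumed from AWS's documented NACL behaviour; the rule sets and the ephemeral port are constructed.

```python
"""Simulate stateless NACL evaluation for one HTTPS round trip (added example)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int      # lower numbers are evaluated first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", or "all"
    port_from: int
    port_to: int


def nacl_evaluate(rules, protocol, port):
    """Return True if a packet is allowed by an ordered NACL rule list.

    Rules are checked from the lowest number upwards and the first match
    decides; anything unmatched hits the implicit final '*' rule and is denied.
    """
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if r.port_from <= port <= r.port_to:
            return r.action == "allow"
    return False  # implicit '*' deny


def https_round_trip(inbound, outbound, ephemeral_port=49152):
    """Client -> subnet on TCP/443, then the server's reply leaves the subnet
    towards the client's ephemeral port. Because a NACL keeps no connection
    state, each direction is evaluated on its own rule list."""
    request_ok = nacl_evaluate(inbound, "tcp", 443)
    reply_ok = nacl_evaluate(outbound, "tcp", ephemeral_port)
    return request_ok, reply_ok


# Constructed rule sets: the inbound side is right, the outbound side is the
# part people forget on a stateless filter.
INBOUND = [Rule(100, "allow", "tcp", 443, 443)]
OUTBOUND_INCOMPLETE = []                                   # no return-traffic rule
OUTBOUND_FIXED = [Rule(100, "allow", "tcp", 1024, 65535)]  # ephemeral port range

if __name__ == "__main__":
    print(https_round_trip(INBOUND, OUTBOUND_INCOMPLETE))  # (True, False): reply dropped
    print(https_round_trip(INBOUND, OUTBOUND_FIXED))       # (True, True)
```

A security group would pass the reply in both cases because it tracks the connection; the NACL only passes it once the outbound ephemeral-port rule exists.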

Why the Other Options Are Incorrect:

Option b: A network ACL is not a load balancer. Load balancers, such as Elastic Load Balancer (ELB), distribute traffic across multiple EC2 instances to improve availability and scalability.

Option c: A network ACL does not manage DNS entries. DNS management in AWS is handled by Amazon Route 53, which provides domain name resolution.

Option d: A network ACL is not a routing table. Routing tables in Amazon VPC determine how traffic is directed between subnets, internet gateways, and VPN connections.


Key Points to Remember:

  • Network ACLs operate at the subnet level and act as a firewall.
  • They are stateless, meaning each request is evaluated separately.
  • They allow or deny traffic based on rules that apply to all instances in a subnet.
  • Security groups are different from NACLs, as they are stateful and apply at the instance level.
