问题
With my understanding, NACL (Network Access Control List) is the subnet firewall.
I'm trying to understand what are the defaults when creating a NACL:
- Rule #100 - all ports from all IPs are allowed by default, otherwise
- All is denied
So, bottom line, is all allowed or denied? I know that according to AWS best practices, all access should be disabled by default.
回答1:
The rules are evaluated in number order.
As soon as the traffic matches the rule, the Allow/Deny is applied and evaluation ends.
Therefore, the default rule that you show above Allows all traffic. Nothing falls through to the default rule.
This numbered logic is handy for something like this, that denies ICMP traffic, then allows everything else:
Here's one that uses the default rule to only allow HTTPS:
来源:https://stackoverflow.com/questions/45296616/amazon-vpc-nacl-default-rules-evaluation-order