Search code examples
amazon-web-servicesamazon-vpc

What is the diference between Network ACL and Route Tables in AWS?

I don't find easily the difference between those AWS VPC options.

Solution

  • A Network Access Control List (Network ACL, or NACL) is a firewall for a subnet.

    All traffic entering or exiting a subnet is checked against the NACL rules to determine whether the traffic is allowed in/out of the subnet.

    Traffic between instances within the same subnet do not pass through a NACL because the traffic is not exiting the subnet.

    NACL rules are executed in a defined order. The first rule that matches the traffic will determine whether the traffic is allowed or denied.

    Typically, NACLs are left at their default value of permitting all traffic. You should never have a need to modify a NACL unless you have a specific need, such as:

    • Created a DMZ
    • Blocking specific types of traffic to all resources (eg blocking ICMP PING)
    • Blocking specific IP addresses that are performing DDOS attacks

    A Route Table is used to direct traffic in/out of a subnet. It contains a number of CIDRs (IP address ranges) and where to direct the appropriate traffic.

    For example:

    • Traffic for the Internet (0.0.0.0/0) is usually:
      • Sent to an Internet Gateway if the Route Table is associated with a public subnet
      • Sent to a NAT Gateway if the Route Table is associated with a private subnet
    • Traffic for a Peered VPC is sent across a VPC Peering connection

    It literally routes the traffic to the correct destination.

    Want to know what makes a Public Subnet 'public'? It is the fact that the Route Table sends Internet-bound traffic to 0.0.0.0/0.

    Traffic is sent to the smallest CIDR range that matches the destination. So, traffic matching 10.1.0.0/16 would be directed before traffic matching 0.0.0.0/0.