Doc | User-guide: Add Network ACL section #198

Merged (2 commits), Dec 6, 2023
@@ -0,0 +1,51 @@
# AWS Network Access Control List (NACLs)
AWS Network Access Control Lists (NACLs) sevice it's crucial to implement robust security measures within your AWS environment.

## How it works
Network Access Control Lists (NACLs) act as a virtual firewall for your AWS VPC (Virtual Private Cloud), controlling inbound and outbound traffic at the subnet level. They operate on a rule-based system, allowing or denying traffic based on defined rules.


## Default vs Custom NACLs

##### Default NACLs:
- This NACL allows all inbound and outbound traffic by default. It serves as a basic level of security, ensuring that your resources can communicate within the VPC and to the internet.

##### Dedicated NACLs:
- Dedicated NACLs are manually created and associated with a specific subnet within your VPC. They offer a higher level of customization and control over the traffic flow. This means you can tailor the rules to meet your specific security requirements for your workload and applications

## Pros and Cons:
#### Default NACL
##### **Pros:**

1. *Convenience:* They are automatically created with each new VPC, saving time during the initial setup.
1. *Basic Protection:* Provides a baseline level of security for your VPC resources.

##### **Cons:**

1. *Limited Customization:* Offers less flexibility in terms of rule configuration.
1. *Less Granular Control:* May not meet specific security requirements for complex environments.


#### Custom Dedicated NACLs

##### Pros:
1. *Granular Control:* Allows for fine-tuning of inbound and outbound traffic rules.
1. *Enhanced Security:* Provides the ability to create custom rules for specific resources and subnets.
1. *Isolation:* Allows you to isolate specific subnets for added security.

##### Cons:
1. *Manual Configuration:* Requires manual creation and association with subnets, which can be time-consuming.
1. *Potential Complexity:* If not properly configured, it may lead to unintended connectivity issues.


## Best practices and recomendations
- [x] Given the recurrent challenges and complications associated with NACLs, especially during real-time troubleshooting, a safer default approach is to have them disabled by defualt. This ensures a smoother experience for most users while still providing the flexibility to enable NACLs when necessary.
- [x] Periodically assess and update your NACL rules to ensure they align with your evolving security requirements.
- [x] Users or tech leads wishing to enable custom dedicated NACLs must undergo an explicit approval process.
- [x] Feedback mechanisms should be in place to inform users of the status of NACLs and any associated permissions.
- [x] Comprehensive testing should be conducted to ensure that the default disabling of NACLs does not introduce new issues.
- [x] Enable logging for your NACLs to gain visibility into traffic patterns and potential security incidents.


## Conclusion
AWS Network Access Control Lists (NACLs) are a fundamental aspect of securing your VPC. While default NACLs provide a basic level of security, dedicated NACLs offer greater customization and control. By combining these measures and following best practices, you can establish a robust security framework within your AWS environment
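Review bot: the first "Best practices" bullet says NACLs should be "disabled by default", but a subnet always has a NACL associated with it (the VPC's default NACL unless a custom one is attached), so "disabled" should be reworded to what the architecture actually does, presumably "dedicated NACLs are not created by default and subnets stay on the default allow-all NACL". With that wording the conclusion's claim that default NACLs "provide a basic level of security" also needs softening, since the "Default NACLs" bullet itself states they allow all inbound and outbound traffic. The last bullet, "Enable logging for your NACLs", describes a feature that does not exist: NACLs have no logging of their own, and the visibility the bullet wants comes from VPC Flow Logs, which record ACCEPT/REJECT decisions at the ENI, subnet or VPC level; please reword it accordingly. "How it works" is missing the property that causes most of the "unintended connectivity issues" the Cons bullet warns about: NACLs are stateless, unlike security groups, so return traffic (including ephemeral port ranges) must be explicitly allowed in the opposite direction, and rules are evaluated in ascending rule-number order with the first match winning; one sentence on each would make the troubleshooting remark in the best practices section much more concrete. Minor: the heading "Default vs Custom NACLs" and the bullets "Dedicated NACLs" / "Custom Dedicated NACLs" use two names for the same thing, the intro sentence ("AWS Network Access Control Lists (NACLs) sevice it's crucial ...") is incomplete and should be rewritten, "recomendations" and "defualt" are misspelled, and the "Dedicated NACLs" bullet and the Conclusion are missing their final full stop.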
4 changes: 3 additions & 1 deletion mkdocs.yml
@@ -166,7 +166,7 @@ nav:
- Configure the Management account: "try-leverage/management-account.md"
- Configure the Security and Shared accounts: "try-leverage/security-and-shared-accounts.md"
- Post-deployment: "try-leverage/post-deployment.md"
- Add more AWS Accounts: "try-leverage/add-aws-accounts.md"
- Add more AWS Accounts: "try-leverage/add-aws-accounts.md"

- Concepts:
- Index: "concepts/index.md"
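Review bot: the removed and added "Add more AWS Accounts" lines render identically, so this hunk is a whitespace-only change; in YAML an indentation change moves the entry to a different nesting level of `nav`, so please confirm this is a trailing-whitespace cleanup rather than a change in indentation, and if it is unrelated to the NACL section, consider keeping it out of this PR so the diff stays focused.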
@@ -218,6 +218,8 @@ nav:
- VPC Traffic Out: "user-guide/ref-architecture-aws/features/network/vpc-traffic-out.md"
- DNS: "user-guide/ref-architecture-aws/features/network/dns.md"
- Transit Gateway: "user-guide/ref-architecture-aws/features/network/tgw-topology.md"
- Network ACLs (NACLs): "user-guide/ref-architecture-aws/features/network/network-nacl.md"

- Secrets: "user-guide/ref-architecture-aws/features/secrets/secrets.md"
- Compute:
- Overview: "user-guide/ref-architecture-aws/features/compute/overview.md"
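Review bot: the new nav label "Network ACLs (NACLs)" does not match the H1 of the page it points to, "AWS Network Access Control List (NACLs)"; align one to the other so the sidebar and page title agree with the neighbouring entries. Also confirm that the added file really lives at "user-guide/ref-architecture-aws/features/network/network-nacl.md", since the new file's path is not visible in this view and a mismatch would leave a dead nav entry, and check whether the blank line added after the new entry is intended, given the other entries in this block are not separated by blank lines.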