Network ACL

ACLs da rede Basics

• Your VPC does not come with a ACLs da rede, but you can create a ACLs da rede and associate it with a VPC subnet if required. By default, each ACLs da rede denies all inbound traffic to and outbound traffic from the associated subnet until you add rules.
• You can associate a ACLs da rede with multiple subnets. However, a subnet can only be associated with one ACLs da rede at a time.
• Each newly created ACLs da rede is in the Inactive state until you associate subnets with it.
• ACLs da rede are stateful. If the ACLs da rede allows outbound traffic and you send a request from your instance, the response traffic for that request is allowed to flow in regardless of inbound ACLs da rede rules. Similarly, if inbound traffic is allowed, responses to allowed inbound traffic are allowed to flow out, regardless of outbound rules.

  The timeout period of connection tracking varies according to the protocol. The timeout period of a TCP connection in the established state is 600s, and the timeout period of an ICMP connection is 30s. For other protocols, if packets are received in both directions, the connection tracking timeout period is 180s. If one or more packets are received in one direction but no packet is received in the other direction, the connection tracking timeout period is 30s. For protocols other than TCP, UDP, and ICMP, only the IP address and protocol number are tracked.

Default regra de ACLs da rede

By default, each ACLs da rede has preset rules that allow the following packets:

• Packets whose source and destination are in the same subnet.
• Broadcast packets with the destination 255.255.255.255/32, which is used to configure host startup information.
• Multicast packets with the destination 224.0.0.0/24, which is used by routing protocols.
• Metadata packets with the destination 169.254.169.254/32 and TCP port number 80, which is used to obtain metadata.
• Packets from CIDR blocks that are reserved for public services (for example, packets with the destination 100.125.0.0/16).
• A ACLs da rede denies all traffic in and out of a subnet excepting the preceding packets. Tabela 1 shows the default rules. You cannot modify or delete the default rules.

  Tabela 1 Default regra de ACLs da rede

  Direction	Priority	Action	Protocol	Source	Destination	Description
  Inbound	*	Deny	All	0.0.0.0/0	0.0.0.0/0	Denies all inbound traffic.
  Outbound	*	Deny	All	0.0.0.0/0	0.0.0.0/0	Denies all outbound traffic.

Rule Priorities

• Each ACLs da rede rule has a priority value where a smaller value corresponds to a higher priority. Any time two rules conflict, the rule with the higher priority is the one that gets applied. The rule whose priority value is an asterisk (*) has the lowest priority.
• If multiple regra de ACLs da rede conflict, only the rule with the highest priority takes effect. If you need a rule to take effect before or after a specific rule, you can insert that rule before or after the specific rule.

Application Scenarios

• If the application layer needs to provide services for users, traffic must be allowed to reach the application layer from all IP addresses. However, you also need to prevent illegal access from malicious users.

  Solution: You can add regra de ACLs da rede to deny access from suspect IP addresses.

• How can I isolate ports with identified vulnerabilities? For example, how do I isolate port 445 that can be exploited by WannaCry worm?

  Solution: You can add regra de ACLs da rede to deny access traffic from a specific port and protocol, for example, TCP port 445.

• No defense is required for the communication within a subnet, but access control is required for communication between subnets.

  Solution: You can add regra de ACLs da rede to control traffic between subnets.

• For frequently accessed applications, a security rule sequence may need to be adjusted to improve performance.

  Solution: A ACLs da rede allows you to adjust the rule sequence so that frequently used rules are applied before other rules.