I have an ACL inbound rule as shown in the diagram below.
As per the ACL rules, processing should start from the lowest rule number and go to the highest. Rule number 100 says allow all traffic from IP x.x.x.x. But then the next rule, 400, says deny all traffic from IP x.x.x.x. Since rule 400 is the second rule applied, does it deny the traffic from x.x.x.x? In my case, it actually allows all traffic from x.x.x.x.
CodePudding user response:
Rules for an AWS NACL are evaluated starting with the lowest numbered rule. Even though the rule number 400 contradicts rule number 100, all traffic will still be allowed from the source IP.
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html#nacl-rules
CodePudding user response:
AWS NACL validates the rules in ascending order; if one rule is validated, all the other rules will be ignored.
If rule 100 allows x.x.x.x, it is validated first and the traffic is allowed. If you want to block the traffic for x.x.x.x, opt for a smaller rule number.
CodePudding user response:
Got an answer here:
https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/VPC/network-acl-deny-rules.html
"As soon as an NACL rule matches traffic, it's applied regardless of any higher-numbered rule that might contradict it. Therefore, the order of the DENY rules within your Network ACLs is crucial. A DENY rule is considered "ineffective" if an existing ALLOW rule with the same traffic parameters has a higher priority (lower rule number), because the ALLOW rule will override and ignore the DENY rule during evaluation. In order to be effective, ensure that the DENY rules designed to restrict traffic via certain ports, IP ranges, or protocols are placed at a higher priority (lower rule number) than the associated ALLOW rules."
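The following Python script is an added example, not part of the question or any of the answers above. It simulates the first-match, ascending-rule-number evaluation the answers describe and flags DENY rules that a lower-numbered ALLOW rule makes ineffective, in the sense of the Trend Micro check quoted in the last answer. The rule dictionaries mimic the entry shape returned by `aws ec2 describe-network-acls`, but the rules themselves are constructed sample data; 203.0.113.0/24 (a documentation range) stands in for the question's x.x.x.x, and the function names are this example's own.

```python
"""Simulate AWS network ACL rule evaluation and flag shadowed DENY rules.

Added example, not taken from the original question or answers. The rules
below are constructed sample data in the shape of describe-network-acls
entries; 203.0.113.0/24 stands in for the question's x.x.x.x.
"""
import ipaddress

# Constructed sample reproducing the question: rule 100 allows all traffic
# from the source, rule 400 denies it. Rule 32767 is the implicit deny-all
# ("*" in the console) that every NACL ends with.
INBOUND_RULES = [
    {"RuleNumber": 100, "Protocol": "-1", "RuleAction": "allow",
     "CidrBlock": "203.0.113.0/24"},
    {"RuleNumber": 400, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "203.0.113.0/24"},
    {"RuleNumber": 32767, "Protocol": "-1", "RuleAction": "deny",
     "CidrBlock": "0.0.0.0/0"},
]


def rule_matches(rule, src_ip, protocol, port):
    """True if a packet (source IP, IANA protocol number as a string,
    destination port) matches the rule. Protocol "-1" means all protocols;
    a missing PortRange means all ports."""
    if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule["CidrBlock"]):
        return False
    if rule["Protocol"] != "-1" and rule["Protocol"] != protocol:
        return False
    port_range = rule.get("PortRange")
    if port_range is not None and not (port_range["From"] <= port <= port_range["To"]):
        return False
    return True


def evaluate(rules, src_ip, protocol="6", port=443):
    """Return (rule_number, action) of the first matching rule when rules are
    tried in ascending rule-number order. As on AWS, evaluation stops at the
    first match, so later contradicting rules are never consulted."""
    for rule in sorted(rules, key=lambda r: r["RuleNumber"]):
        if rule_matches(rule, src_ip, protocol, port):
            return rule["RuleNumber"], rule["RuleAction"]
    return None, "deny"  # unreachable on a real NACL, which always has rule 32767


def _ports_cover(outer, inner):
    """True if outer's port coverage includes all of inner's."""
    outer_pr, inner_pr = outer.get("PortRange"), inner.get("PortRange")
    if outer_pr is None:          # outer covers all ports
        return True
    if inner_pr is None:          # inner is all ports, outer is not
        return False
    return outer_pr["From"] <= inner_pr["From"] and inner_pr["To"] <= outer_pr["To"]


def shadowed_deny_rules(rules):
    """Return rule numbers of DENY rules that can never match because a
    lower-numbered ALLOW rule already covers their CIDR, protocol and ports.
    This is the 'ineffective deny' condition from the quoted Trend Micro check."""
    ordered = sorted(rules, key=lambda r: r["RuleNumber"])
    shadowed = []
    for i, deny in enumerate(ordered):
        if deny["RuleAction"] != "deny":
            continue
        deny_net = ipaddress.ip_network(deny["CidrBlock"])
        for allow in ordered[:i]:
            if allow["RuleAction"] != "allow":
                continue
            if not ipaddress.ip_network(allow["CidrBlock"]).supernet_of(deny_net):
                continue
            if allow["Protocol"] != "-1" and allow["Protocol"] != deny["Protocol"]:
                continue
            if allow["Protocol"] != "-1" and not _ports_cover(allow, deny):
                continue
            shadowed.append(deny["RuleNumber"])
            break
    return shadowed


def renumber_rule(rules, old_number, new_number):
    """Return a copy of the rules with one rule renumbered: the fix the answers
    suggest, giving the DENY a smaller number than the ALLOW it must beat."""
    return [dict(r, RuleNumber=new_number) if r["RuleNumber"] == old_number else dict(r)
            for r in rules]


if __name__ == "__main__":
    print("as posted:", evaluate(INBOUND_RULES, "203.0.113.10"))
    print("shadowed deny rules:", shadowed_deny_rules(INBOUND_RULES))
    fixed = renumber_rule(INBOUND_RULES, 400, 50)
    print("deny moved to 50:", evaluate(fixed, "203.0.113.10"))
```

Running it shows the questioner's result (rule 100 allows, rule 400 is reported as shadowed) and that renumbering the deny to 50 makes it the first match. The same `shadowed_deny_rules` check can be pointed at real entries pulled from `describe-network-acls` to audit an account for deny rules that can never fire.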