Network Access Control Lists (NACLs) provide subnet-level security by controlling both inbound and outbound traffic. NACLs complement Security Groups, adding an additional layer of protection for SAP workloads across public and private subnets.
Key benefits:
- Stateless filtering at the subnet level.
- Adds east-west and north-south traffic control.
- Enhances compliance and security monitoring.
Objective
- Implement NACLs to restrict traffic per subnet in each VPC.
- Protect both public-facing and internal SAP workloads.
- Provide an additional layer of security beyond Security Groups.
Design Overview:
Custom NACLs:
- Apply specific rules per subnet.
- Stateless: define both inbound and outbound rules.
- Restrict access according to environment, workload, and subnet type.
- Control traffic entering/exiting subnets.
- Provide subnet-level protection for SAP workloads and shared services.
Technical Implementation Steps
Step 1: Create Custom NACLs
VPC Console → Network ACLs → Create NACL:
| NACL Name | VPC | Subnet Type |
|---|---|---|
| Prod-Public-NACL | VPC-Prod | Public |
| Prod-App-NACL | VPC-Prod | App Private |
| Prod-DB-NACL | VPC-Prod | DB Private |
CLI: aws ec2 create-network-acl --vpc-id vpc-0a1b2c3d --tag-specifications 'ResourceType=network-acl,Tags=[{Key=Name,Value=Prod-Public-NACL}]'
Step 2: Public Subnet NACL Rules (Bastions/NAT/Firewalls)
Inbound (100-199):
| Rule # | Type | Protocol | Port Range | Source | Action | Description |
|---|---|---|---|---|---|---|
| 100 | SSH | TCP | 22 | 203.0.113.0/24 | ALLOW | Corporate VPN |
| 110 | HTTPS | TCP | 443 | 0.0.0.0/0 | ALLOW | Admin access |
| * (default) | All traffic | All | All | 0.0.0.0/0 | DENY | Block all else |
Outbound (100-199):
| Rule # | Type | Protocol | Port Range | Destination | Action | Description |
|---|---|---|---|---|---|---|
| 100 | Custom TCP | TCP | 1024-65535 | 0.0.0.0/0 | ALLOW | Ephemeral reply |
| 110 | Custom TCP | TCP | 3200-3299 | 10.0.1.0/24 | ALLOW | SAP App servers |
| * (default) | All traffic | All | All | 0.0.0.0/0 | DENY | Block all else |
Step 3: Private App Subnet NACL Rules (SAP Application Servers)
Inbound:
| Rule # | Type | Protocol | Port Range | Source | Action | Description |
|---|---|---|---|---|---|---|
| 100 | Custom TCP | TCP | 3300-3399 | 10.0.0.0/24 | ALLOW | Public subnet |
| 110 | Custom TCP | TCP | 50000-59999 | 10.0.4.0/24 | ALLOW | HANA DB |
| * (default) | All traffic | All | All | 0.0.0.0/0 | DENY | Block all else |
Outbound:
| Rule # | Type | Protocol | Port Range | Destination | Action | Description |
|---|---|---|---|---|---|---|
| 100 | Custom TCP | TCP | 1024-65535 | 10.0.0.0/24 | ALLOW | Public reply |
| 110 | Custom TCP | TCP | 30015 | 10.0.4.0/24 | ALLOW | HANA reply |
| * (default) | All traffic | All | All | 0.0.0.0/0 | DENY | Block all else |
Step 4: Private DB Subnet NACL Rules (SAP HANA)
Inbound:
| Rule # | Type | Protocol | Port Range | Source | Action | Description |
|---|---|---|---|---|---|---|
| 100 | Custom TCP | TCP | 30015 | 10.0.1.0/24 | ALLOW | App servers |
| 110 | Custom TCP | TCP | 30017 | 10.0.1.0/24 | ALLOW | HANA replication |
| * (default) | All traffic | All | All | 0.0.0.0/0 | DENY | Block all else |
Step 5: Associate NACLs with Subnets
VPC Console → Subnets → Select subnet → Actions → Edit subnet associations → Select NACL.
CLI: aws ec2 associate-network-acl --network-acl-id acl-0a1b2c3d --subnet-id subnet-0a1b2c3d
Step 6: Enable VPC Flow Logs
Monitor NACL accepts/rejects:
CloudWatch Logs → VPC Flow Logs → Create for subnet → Filter action=REJECT.
NACL Architecture
- 100-199: Allow essential traffic
- 200-299: Allow management/monitoring
- DENY: Block all else (lowest priority)
- Rule *** (lowest): Allow established/related
Best Practices
- Environment-Specific: Stricter Prod NACLs vs. permissive Sandbox.
- Rule Order: The lowest rule number is evaluated first, and the first matching rule wins.
- Ephemeral Ports: Always allow 1024-65535 for return traffic.
- Testing: Use telnet or nc to validate before production.
- Automation: CloudFormation/Terraform for consistent NACLs.
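Because NACLs are stateless, a TCP session only works if every hop allows it: the client subnet's outbound rules, the server subnet's inbound rules, and then both subnets' rules in the other direction for the reply on the client's ephemeral port. The following added script (not part of the original post) walks a connection through those four hops using the Public and App subnet rule tables from Steps 2 and 3; the host addresses and source ports are constructed sample values.

```python
"""Stateless NACL flow check: walk a TCP connection through each NACL hop
(client outbound, server inbound, server outbound reply, client inbound reply)
and report the first hop that denies it."""
import ipaddress

# (rule number, protocol, first port, last port, CIDR, action). AWS evaluates
# rules in ascending number order, first match wins, and the "*" rule denies.
# Tables copied from the Public (Step 2) and App (Step 3) subnet rules above.
PUBLIC_NACL = {
    "in":  [(100, "tcp", 22, 22, "203.0.113.0/24", "allow"),
            (110, "tcp", 443, 443, "0.0.0.0/0", "allow")],
    "out": [(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
            (110, "tcp", 3200, 3299, "10.0.1.0/24", "allow")],
}
APP_NACL = {
    "in":  [(100, "tcp", 3300, 3399, "10.0.0.0/24", "allow"),
            (110, "tcp", 50000, 59999, "10.0.4.0/24", "allow")],
    "out": [(100, "tcp", 1024, 65535, "10.0.0.0/24", "allow"),
            (110, "tcp", 30015, 30015, "10.0.4.0/24", "allow")],
}

def evaluate(rules, proto, port, peer_ip):
    """Action of the first matching rule, or 'deny' from the implicit '*' rule."""
    peer = ipaddress.ip_address(peer_ip)
    for _, r_proto, lo, hi, cidr, action in sorted(rules):
        if r_proto in (proto, "all") and lo <= port <= hi \
                and peer in ipaddress.ip_network(cidr):
            return action
    return "deny"

def tcp_flow(client_nacl, client_ip, client_port, server_nacl, server_ip, server_port):
    """Check request and reply hops. A NACL of None means the host is outside
    the VPC. Returns (True, None) or (False, name of the hop that denied)."""
    hops = [
        ("client outbound request", client_nacl, "out", server_port, server_ip),
        ("server inbound request", server_nacl, "in", server_port, client_ip),
        ("server outbound reply", server_nacl, "out", client_port, client_ip),
        ("client inbound reply", client_nacl, "in", client_port, server_ip),
    ]
    for name, nacl, direction, port, peer in hops:
        if nacl is not None and evaluate(nacl[direction], "tcp", port, peer) != "allow":
            return False, name
    return True, None

if __name__ == "__main__":
    # Corporate VPN user opening SSH to the bastion (constructed addresses).
    print(tcp_flow(None, "203.0.113.10", 51000, PUBLIC_NACL, "10.0.0.5", 22))
    # Bastion opening an SAP GUI session to an app server on 3300.
    print(tcp_flow(PUBLIC_NACL, "10.0.0.5", 49152, APP_NACL, "10.0.1.20", 3300))
```

The second check fails at the public subnet's inbound reply hop, because that table has no ephemeral-port (1024-65535) inbound rule; this is the kind of gap the Ephemeral Ports and Testing practices above are meant to catch before production.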
Quick Validation Commands
# Test SSH to bastion
nc -zv bastion.example.com 22
# Test SAP HANA port from app subnet
nc -zv hana-db.internal 30015