What is the difference between Network ACL and Route Tables in AWS?

I can't easily find the difference between those AWS VPC options.

Samuel David Gómez Ramos Avatar asked Feb 13 '20 15:02


4 Answers

A Network Access Control List (Network ACL, or NACL) is a firewall for a subnet.

All traffic entering or exiting a subnet is checked against the NACL rules to determine whether the traffic is allowed in/out of the subnet.

Traffic between instances within the same subnet does not pass through a NACL because the traffic is not exiting the subnet.

NACL rules are executed in a defined order. The first rule that matches the traffic will determine whether the traffic is allowed or denied.

Typically, NACLs are left at their default value of permitting all traffic. You should never have a need to modify a NACL unless you have a specific need, such as:

  • Creating a DMZ
  • Blocking specific types of traffic to all resources (e.g. blocking ICMP PING)
  • Blocking specific IP addresses that are performing DDoS attacks

A Route Table is used to direct traffic in/out of a subnet. It contains a number of CIDRs (IP address ranges) and where to direct the appropriate traffic.

For example:

  • Traffic for the Internet (0.0.0.0/0) is usually:
    • Sent to an Internet Gateway if the Route Table is associated with a public subnet
    • Sent to a NAT Gateway if the Route Table is associated with a private subnet
  • Traffic for a Peered VPC is sent across a VPC Peering connection

It literally routes the traffic to the correct destination.

Want to know what makes a Public Subnet 'public'? It is the fact that the Route Table sends Internet-bound traffic to 0.0.0.0/0.

Traffic is sent to the smallest CIDR range that matches the destination. So, traffic matching 10.1.0.0/16 would be directed before traffic matching 0.0.0.0/0.

John Rotenstein Avatar answered Oct 10 '22 21:10

In theory, you can define multiple route tables and swap them in and out depending on how you want to control the traffic. However, in practice, it helps if you have general rules (Routes) and then tighten the rules (ACLs) as necessary. For example:

  • In general, you want this house to accept (or redirect) all people that are wearing shirts with green in them. This is accomplished with a route table.
  • However, depending on the holiday season, you might want to tighten those rules. For example, during Christmas, you only want green shirts that also have red colors in them. This is done using an ACL.

Thus, you can swap out ACLs as is needed without removing the general rules underneath. ACLs also allow special rules for outbound as well as inbound traffic, so you can allow certain "people" to enter, but forbid them from leaving, for example.

Geoffrey Saunders Avatar answered Oct 10 '22 19:10

The answers provided here are quite detailed and good. Another way of looking at this would be your home, where you have two robot programmes/systems called Network ACL and Route Table.

Network ACL

  • If someone is coming from my in-laws, DENY/ALLOW entry
  • If anyone is leaving my house, DENY/ALLOW entry
  • If my friends from Sussex are here, ALLOW/DENY entry
  • EVERYONE ELSE is DENIED

Route Table

  • WHOEVER wants to BE WITHIN INDOORS will use USUAL ROUTE(s)
  • WHOEVER wants to BE IN BACKYARD will use KITCHEN ROUTE
  • EVERYONE ELSE needs to use MAIN DOOR ROUTE

Difference is that without actually having INGRESS into your house, an entity/individual cannot ROUTE oneself to different destinations. So, you can define lots of ROUTEs, but without having NACL, it's counter-intuitive. However, with only NACL, you can just oversimplify your house routes as ROUTE YOURSELF TO WHICHEVER PLACE AS YOU PLEASE.

I hope it was a good enough oversimplification :)

ha9u63ar Avatar answered Oct 10 '22 19:10

Network ACLs are stateless firewall rules for incoming and outgoing packets and filter network traffic. This is used for security.

Route Tables are the routing configuration between your VPCs and the Internet and route network traffic. This is used for communication in networks with multiple IP ranges (public / private).

Matthias Avatar answered Oct 10 '22 20:10
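The three mechanics the answers above rely on (John Rotenstein's points that NACL rules are evaluated in number order with the first match winning and that a route table picks the most specific CIDR, and Matthias's point that a NACL is stateless) are easy to get wrong in practice, so here is a small Python model of them. This is an added illustration, not code from the original answers or from AWS; all rule numbers, CIDRs and the `pcx-EXAMPLE`/`nat-EXAMPLE` ids are constructed sample values, and ICMP type/code are not modelled.

```python
"""Toy model of how an AWS VPC subnet applies a Network ACL and a route table.
Added illustration, not code from the original page or from AWS; all rule
numbers, CIDRs and resource ids below are constructed sample values."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int        # AWS evaluates rules in ascending number order
    protocol: str      # 'tcp', 'udp', 'icmp' or 'all'
    cidr: str          # source for inbound rules, destination for outbound
    port_from: int     # destination port range; ignored for 'icmp' and 'all'
    port_to: int
    action: str        # 'allow' or 'deny'


def evaluate_nacl(rules, protocol, remote_ip, dst_port):
    """First matching rule wins; anything unmatched hits the implicit '*' deny.
    Simplification: ICMP type/code are not modelled."""
    ip = ipaddress.ip_address(remote_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip not in ipaddress.ip_network(rule.cidr):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= dst_port <= rule.port_to):
            continue
        return rule.action
    return "deny"


# Inbound rules for a public web subnet (constructed). Rule 90 blocks one
# abusive range (TEST-NET-3) and is numbered before the broad allow on 443.
INBOUND = [
    NaclRule(90, "tcp", "203.0.113.0/24", 0, 65535, "deny"),
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
]
# Same two rules with the deny numbered after the allow: the allow matches first.
INBOUND_MISORDERED = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(200, "tcp", "203.0.113.0/24", 0, 65535, "deny"),
]
# A NACL is stateless: the reply half of a connection the instance opened is a
# separate inbound packet aimed at an ephemeral port and needs its own rule.
EPHEMERAL_RETURN = NaclRule(110, "tcp", "0.0.0.0/0", 1024, 65535, "allow")


def return_traffic_allowed(inbound_rules, server_ip="198.51.100.20", ephemeral_port=49152):
    """Reply packet for a connection the instance opened to server_ip:443:
    it arrives from server_ip with an ephemeral destination port."""
    return evaluate_nacl(inbound_rules, "tcp", server_ip, ephemeral_port) == "allow"


def lookup_route(routes, dest_ip):
    """Longest-prefix match over a dict of CIDR -> target, as a route table does.
    Returns (cidr, target), or None when no route covers dest_ip."""
    ip = ipaddress.ip_address(dest_ip)
    best_net, best_target = None, None
    for cidr, target in routes.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return (str(best_net), best_target) if best_net is not None else None


# Route table for a private subnet in a 10.0.0.0/16 VPC (constructed ids).
PRIVATE_ROUTES = {
    "10.0.0.0/16": "local",                     # the VPC's own CIDR, always present
    "10.1.0.0/16": "pcx-EXAMPLE (VPC peering)", # peered VPC, more specific than 0.0.0.0/0
    "0.0.0.0/0": "nat-EXAMPLE (NAT gateway)",   # everything else leaves via NAT
}


def demo():
    """Collects the checks discussed in the answers into one dict of results."""
    return {
        "ordered_deny_first": evaluate_nacl(INBOUND, "tcp", "203.0.113.7", 443),
        "misordered_allow_first": evaluate_nacl(INBOUND_MISORDERED, "tcp", "203.0.113.7", 443),
        "normal_client": evaluate_nacl(INBOUND, "tcp", "192.0.2.44", 443),
        "return_without_ephemeral_rule": return_traffic_allowed(INBOUND),
        "return_with_ephemeral_rule": return_traffic_allowed(INBOUND + [EPHEMERAL_RETURN]),
        "peered_vpc": lookup_route(PRIVATE_ROUTES, "10.1.5.5"),
        "internet": lookup_route(PRIVATE_ROUTES, "198.51.100.20"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:32} {result}")
```

Two things worth noticing when running it: moving the deny rule from number 90 to 200 silently turns a blocked client into an allowed one, which is why deny rules for specific ranges are normally given low numbers; and without the ephemeral-port allow, the instance's own outbound HTTPS connections never get their replies back, a symptom that does not occur with stateful security groups.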