Architecture Overview
In a multi-AZ VPC with multiple subnets per tier:
- Public (Web) Subnets
- Web Subnet A (AZ-A)
- Web Subnet B (AZ-B)
- Private (DB) Subnets
- DB Subnet A (AZ-A)
- DB Subnet B (AZ-B)
The Web Tier spans the public subnets, and the Database Tier spans the private subnets.
Each AZ contains its own database instance.
NACL Configuration Guidelines
Because NACLs are stateless, you must create explicit rules for:
- Each destination subnet's CIDR (not just the tier’s overall range)
- Both directions (inbound and outbound) for return traffic
Example:
If Web Subnet A must talk to DB Subnet B:
- Web-NACL: Allow outbound to DB Subnet B CIDR on the DB port, and inbound from DB Subnet B CIDR on the ephemeral port range.
- DB-NACL: Allow inbound from Web Subnet A CIDR on the DB port, and outbound to Web Subnet A CIDR on the ephemeral port range.
Best Practice
- Apply Web-NACL to all public web subnets.
- Apply DB-NACL to all private database subnets.
- Duplicate rules for each subnet CIDR across AZs to ensure cross-AZ tier communication works.
- Keep inbound/outbound rules symmetric for predictable behavior.