feat(vpc): continue nacl doc

Author: RoRoJ

faq/vpc.mdx

@@ -38,4 +38,12 @@ Nonetheless, you can also reserve specific IPs from a Private Network's CIDR blo
 
 ## How can I manage IP addresses for my Proxmox Virtual Machines (VMs) on Elastic Metal servers?
 
-We recommend that you use our IPAM product for this purpose. See [how to reserve a private IP address with an attached MAC address](/ipam/how-to/reserve-ip/#how-to-reserve-a-private-ip-address-with-an-attached-mac-address).
+We recommend that you use our IPAM product for this purpose. See [how to reserve a private IP address with an attached MAC address](/ipam/how-to/reserve-ip/#how-to-reserve-a-private-ip-address-with-an-attached-mac-address).
+
+## Can I control traffic flow between my VPC's Private Networks?
+
+Yes, use the [Network ACL feature](/vpc/how-to/manage-nacl) to filter packets flowing between the different Private Networks of your VPC. By default all traffic is allowed to pass, until you start to add rules to the VPC's NACL.
+
+## How are NACLs different to security groups?
+
+[Security groups](/instances/how-to/use-security-groups/) filter **public** traffic on your Instances, whereas NACLs filter traffic to/from Private Networks only.

pages/vpc/quickstart.mdx

@@ -115,6 +115,10 @@ When your route table starts to populate, it will look something like this:
 
 For help with understanding the route table and how to read it, refer to our documentation about route tables.
 
+## How to manage your NACL
+
+Each VPC has its own Network **A**ccess **C**ontrol **L**ist. This is composed of stateless rules to control the flow of traffic between Private Networks. By default, the list contains no rules and therefore traffic is allowed to flow unrestrictedly between the VPC's Private Networks. [Add rules](/vpc/how-to/manage-nacl/) to the list to start creating restrictions.
+
 ## How to delete a Private Network
 
 You must [detach](/vpc/how-to/attach-resources-to-pn/#how-to-detach-a-resource-from-a-private-network) all resources from the Private Network before you can delete it. 

pages/vpc/reference-content/assets/scaleway-nacl-diag-detail.webp

@@ -0,0 +1,78 @@
+---
+meta:
+  title: Understanding Network ACLs
+  description: Learn how to Network Access Control Lists (NACL) filter inbound and outbound traffic bewteen the different Private Networks of your VPC. Understand concepts, best practices, and key use cases.
+content:
+  h1: Understanding Network ACLs
+  paragraph: ELearn how to Network Access Control Lists (NACL) filter inbound and outbound traffic bewteen the different Private Networks of your VPC. Understand concepts, best practices, and key use cases.
+tags: vpc nacl network-access-control-list default-rule stateless inbound outbound port
+dates:
+  validation: 2025-02-07
+  posted: 2025-02-07
+categories:
+  - network
+---
+
+Every VPC has a Network **A**ccess **C**ontrol **L**ist (NACL). This list is composed of stateless rules to control the flow of traffic between the Private Networks fo the VPC. By default, at first the list contains no rules and therefore traffic is allowed to flow unrestrictedly.
+
+This document sets out general information and best practices about Scaleway VPC NACLs.
+
+- For instructions on managing NACLs via the Scaleway console, see [How to manage Network ACLs](/vpc/how-to/manage-nacl/)
+- To manage NACLs via the Scaleway API, see the [VPC API doumentation](https://www.scaleway.com/en/developers/api/vpc/)
+- For other interfaces, see the documentation of the [relevant developer tool](https://www.scaleway.com/en/developers/)
+
+## Network ACL overview
+
+Every Scaleway VPC has a Network ACL. In its initial state, it contains no rules and allows all traffic to flow freely between the Private Networks of the VPC.
+
+When you start adding rules to your NACL, traffic flow is restricted between certain sources and destinations within the VPC, according to the rules you set. A default rule is added to the NACL, which dictates the action to take on traffic that does not match of the rules in the list: it can either be **allowed** or **denied**.
+
+<Lightbox src="scaleway-nacl-diag-simple.webp" alt="A schema shows how the NACL sits at the intersection of two Private Networks in a Scaleway VPC" />
+
+NACL rules are stateless, meaning that the state of connections is not tracked, and return traffic is not automatically allowed, just because the outbound request was allowed. Explicit rules are required for each direction of traffic.
+
+NACLs only control traffic as it enters or exits the Private Network(s) of a VPC. They do not:
+- Filter traffic between resources attached to the same Private Network
+- Filter traffic from/to the public internet (for this, use [security groups](/instances/how-to/use-security-groups/) for Instances, or equivalent features for [other resource types](/ipam/reference-content/)).
+
+The diagram below shows how a NACL blocks an Instance on Private Network A from sending any traffic to any resources on Private B. The Instance's attempt to send a packet (in green) is denied.
+
+However, an Instance on Private Network B is able to send a packet to an Instance on Private Network A, because no specific rules deny it from doing so, and the default rule is set to allow.
+
+<Lightbox src="scaleway-nacl-diag-detail.webp" alt="A schema shows how the NACL sits at the intersection of two Private Networks in a Scaleway VPC. Packets attempt to travel between Private Networks, and are either allowed or denied according to NACL rules" />
+
+## NACL rule configuration
+
+When defining an NACL rule, you must enter the following settings:
+
+- **IP version**: Either IPv4 or IPv6. The rule will apply only to traffic matching this IP version, meaning that in effect, each VPC has two NACLs: one for IPv4 and one for IPv6. If you want to create an equivalent rule for the other IP version, you must do so separately.
+
+- **Protocol**: Either `TCP`, `UDP` or `ICMP`. The rule will apply only to traffic matching this protocol. Alternatively, you can choose `All` if you want it to apply to traffic matching any protocol.
+
+- **Source** and **destination**: The rule will apply to traffic originating from this source and being sent to this destination. For both, enter an IP range range in [CIDR format](/vpc/concepts/#cidr-block), and a port or port range. Alternatively, you can opt for the rule to apply to**All IPs** and/or **All ports**.
+    
+- **Action**: The NACL will either **Allow** or *Deny** traffic that matches the rule, to to proceed to its destination.
+
+## Rule priority and application
+
+The Network Access Control List should be read from top to bottom. Rules closer to the top of the list are applied first. If traffic matches a rule for an **Allow** or **Deny** action, the action is applied immediately. That traffic is not then subject to any further filtering or any further actions by any rules that follow. 
+
+## Statelessness
+
+**NACL rules are stateless**. This means the state of connections is not tracked, and inbound and outbound traffic is filtered separately. Return traffic is not automatically allowed, just because the outbound request was allowed. Explicit rules are required for each direction of traffic.
+
+Therefore, if you create a rule to allow traffic in one direction, you may also need a separate rule to allow the response in the opposite direction. There is a functionality to auto-generate matching inverse rules for this purpose when creating a new rule.
+
+TODO: example of how traffic that is allowed to one destination won't be llowed to return without correct rule
+
+## Default rule
+
+Each NACL must have a default rule, which is automatically at the bottom of the list of rules. You can choose whether the rule has an action of **Allow** or **Deny**. The default rule applies this action to all traffic that did not match any other rules in the list.
+
+TODO: examples of how default rule works as either allow or deny (see https://docs.aws.amazon.com/vpc/latest/userguide/default-network-acl.html )
+
+
+TODO:
+- Ephemeral ports?
+- Examples
+- Best practices (see https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-best-practices.html)