Network Access Control Lists

• A network access control list (ACL) is an optional security layer for your VPC.

• It acts as a firewall that controls inbound and outbound traffic for one or more subnets.

---

⚙️ Key Features

• Subnet-Level Control:

  • Unlike security groups (which apply to ENIs), network ACLs apply to subnets, affecting all traffic entering and leaving the subnet.

• Stateless:

  • Each request and response are checked separately. If inbound traffic is allowed, the outbound traffic must also be allowed explicitly (and vice versa).

• Additional Layer of Security:

  • Often used in conjunction with security groups to provide a second layer of traffic filtering and improve network security.

---

🧠 Quick Summary

Feature	Description
Purpose	Provide an additional firewall at the subnet level
Applied To	Subnets, controlling traffic for all instances within
Stateful/Stateless	Stateless: Inbound and outbound traffic must be managed separately

Default NACL

Custom NACL

• An optional security layer in your VPC.

• Acts as a stateless firewall for controlling inbound and outbound traffic at the subnet level.

---

🧱 How It Works

• Applies to one or more subnets in a VPC.

• Controls traffic entering and leaving subnets, based on defined rules.

• Rules can allow or deny traffic based on:

  • Protocol

  • Port range

  • Source/Destination IP

---

🔁 Key Characteristics

• Stateless: Return traffic must be explicitly allowed.

• Rule order matters: Rules are evaluated in order, starting from the lowest number.

• Can be used to complement security groups (which are stateful).

---

🧠 Quick Summary

Feature	Description
Purpose	Firewall at the subnet level
Type	Stateless (both inbound & outbound rules needed)
Rule Evaluation	Evaluated in number order (lowest first)
Use Case	Add an extra layer of security beyond security groups
Allows/Deny Traffic	Yes, both (unlike security groups which only allow)