Overview
A network access control list (NACL) is an optional layer of security for your VPC that acts as a firewall controlling traffic into and out of one or more subnets. You can set up network ACLs with rules similar to those in your security groups to add a further layer of defense to your VPC.
Key Characteristics
- Stateless: The NACL keeps no connection state, so responses to allowed inbound traffic are evaluated against the outbound rules (and vice versa) and must be explicitly allowed there.
- Subnet-level: Rules apply to every instance in each subnet the NACL is associated with.
- Allow and Deny Rules: You can explicitly allow or deny traffic.
- Numbered Rules: Rules are evaluated in order, starting with the lowest-numbered rule; the first rule that matches the traffic is applied, and later rules are not consulted.
Comparison with Security Groups
While security groups operate at the instance level and are stateful, NACLs operate at the subnet level and are stateless.
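The following evaluator is an added illustration of the characteristics above (stateless checking, numbered rules, first match wins, implicit deny) and is not AWS code; the rule set and IP addresses are constructed for the example.

```python
"""Toy NACL rule evaluator (constructed illustration, not an AWS API)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int       # rule number; lower numbers are evaluated first
    protocol: str     # "tcp", "udp" or "all"
    port_from: int    # inclusive port range the rule covers
    port_to: int
    cidr: str         # source CIDR (inbound) or destination CIDR (outbound)
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, port, addr):
    """Return the action of the first matching rule, else 'deny' (the * rule)."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("all", protocol):
            continue
        if not (r.port_from <= port <= r.port_to):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        return r.action   # first match wins; later rules are never consulted
    return "deny"         # implicit catch-all deny at the end of every NACL


# Constructed sample NACL: HTTPS is allowed from anywhere, but one CIDR is
# blocked by a lower-numbered deny; outbound only opens the ephemeral range
# so that replies to the allowed inbound connections can leave the subnet.
INBOUND = [
    Rule(90, "tcp", 443, 443, "198.51.100.0/24", "deny"),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
OUTBOUND = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]


def connection_allowed(client_ip, client_port, server_port=443,
                       inbound=INBOUND, outbound=OUTBOUND):
    """Stateless check: the request AND its reply each need an explicit allow."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request == "allow" and reply == "allow"
```

Removing the outbound ephemeral-port rule makes every connection fail even though the inbound allow still matches, which is the stateless behaviour a security group would hide.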