NACL is a firewall at the subnet level. It controls what traffic is allowed in and out of an entire subnet.

• Every subnet gets a Default NACL automatically
• One NACL per subnet
• Best use case: blocking a specific IP at the subnet level (Security Groups can't do this)

How NACL Rules Work

• Each rule has a number (1–32766) — lower number = higher priority
• Rules are evaluated in order — first match wins, rest are ignored
• The last rule is always DENY everything (catch-all)
• AWS recommends numbering rules in increments of 100 (100, 200, 300...) so you can insert rules later

Example:

Rule #100 → ALLOW 10.0.0.10/32
Rule #200 → DENY  10.0.0.10/32  ← never reached

The IP is allowed because rule #100 matches first.

Default NACL vs Custom NACL

Stateful vs Stateless — Most Important Concept

Stateful (Security Group): You allow inbound traffic → the reply automatically goes out. No separate outbound rule needed.