A Network Access Control List (NACL) is a stateless firewall that controls which network traffic is allowed or denied when entering or leaving a subnet. NACLs operate at the subnet level and are associated only with subnets in a VPC. An NACL does not interfere with network communication between resources inside the same subnet: it sits at the boundary of the subnet and allows or denies traffic crossing that boundary according to the rules configured. We can create explicit allow or deny rules within an NACL to permit or block a particular range of addresses from connecting to the subnet.

It is important to note that a subnet can only have one NACL associated with it. However, an NACL can be associated with many subnets.

Default NACL

When we create an Amazon VPC, it comes with a default NACL that allows any IPv4 traffic from anywhere in both inbound and outbound rules. Inbound means the traffic entering the subnet, and outbound means the traffic leaving the subnet. If a subnet is not explicitly associated with a custom NACL, it is automatically associated with the default NACL.
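The rule evaluation described above, as an added simulator (not AWS code): rules are checked in ascending rule-number order, the first match decides, and the trailing `*` rule denies anything else. The default NACL and the custom rule sets (`CUSTOM_INBOUND`, `CUSTOM_OUTBOUND`) are constructed for illustration, using documentation address ranges; the simulator also shows why, with a stateless filter, reply traffic needs its own outbound rule.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    number: int     # evaluated ascending; AWS rule numbers run 1-32766
    protocol: str   # 'tcp', 'udp', 'icmp' or '-1' for all protocols
    cidr: str       # source CIDR (inbound) or destination CIDR (outbound)
    ports: tuple    # (low, high) inclusive; only checked for tcp/udp
    action: str     # 'allow' or 'deny'


# The '*' rule that AWS appends to every NACL, modelled as the highest number.
CATCH_ALL = Rule(32767, "-1", "0.0.0.0/0", (0, 65535), "deny")


def evaluate(rules, protocol, address, port):
    """Return (action, rule_number) for one packet. Stateless: no connection memory."""
    ip = ipaddress.ip_address(address)
    for r in sorted(rules, key=lambda x: x.number) + [CATCH_ALL]:
        if r.protocol not in ("-1", protocol):
            continue
        if ip not in ipaddress.ip_network(r.cidr):
            continue
        if r.protocol in ("tcp", "udp") and not (r.ports[0] <= port <= r.ports[1]):
            continue
        return r.action, r.number
    raise AssertionError("unreachable: CATCH_ALL always matches")


# Default NACL: rule 100 allows all traffic in both directions.
DEFAULT_INBOUND = [Rule(100, "-1", "0.0.0.0/0", (0, 65535), "allow")]
DEFAULT_OUTBOUND = [Rule(100, "-1", "0.0.0.0/0", (0, 65535), "allow")]

# Constructed custom NACL: deny one range first, then allow HTTPS from anywhere.
CUSTOM_INBOUND = [
    Rule(100, "-1", "203.0.113.0/24", (0, 65535), "deny"),
    Rule(200, "tcp", "0.0.0.0/0", (443, 443), "allow"),
]
# Replies leave the subnet toward the client's ephemeral port and need an explicit rule.
CUSTOM_OUTBOUND = [Rule(100, "tcp", "0.0.0.0/0", (1024, 65535), "allow")]


def https_round_trip(inbound, outbound, client_ip, client_port):
    """Request from client_ip:client_port to port 443, then the reply back."""
    request = evaluate(inbound, "tcp", client_ip, 443)
    reply = evaluate(outbound, "tcp", client_ip, client_port)
    return request[0], reply[0]
```

With `CUSTOM_OUTBOUND` replaced by an empty list the request is still allowed but the reply is dropped by the `*` rule, which is the usual symptom of forgetting that NACLs are stateless.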
