The Network Access Control List (NACL) sits at the boundary of the subnet and acts as a firewall. It operates at the subnet level and is an optional layer of security. A NACL supports both ALLOW and DENY rules for traffic travelling into or out of the subnet. Every time you create a new VPC, AWS creates a default NACL for you and associates it with the VPC. By default, all inbound and outbound traffic is allowed on the subnet. The default inbound rules look something like this:
The outbound rules are similar to the inbound rules and allow all traffic to flow to and from the subnet.
A NACL is stateless. This means that return traffic must be explicitly allowed by an outbound rule; nothing is remembered from the inbound packet. When deciding whether to allow traffic, the NACL evaluates rules in ascending order of rule number, and the first matching rule wins. The rule whose Rule# is shown as * is called the catch-all deny rule. This means that unless the protocol...
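To make the three behaviours above concrete (numeric ordering with first match winning, the implicit * deny, and stateless evaluation of request and return packets), here is a small evaluator that mimics how a NACL decides. It is an added example written for this page, not AWS code; the rule sets are constructed, and the 1024-65535 outbound range stands in for the client's ephemeral port range.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    number: int      # evaluation order; lower numbers are checked first
    protocol: str    # "tcp", "udp", "icmp", or "-1" meaning all protocols
    port_from: int   # port range (ignored when protocol is "-1")
    port_to: int
    cidr: str        # source CIDR for inbound, destination CIDR for outbound
    action: str      # "allow" or "deny"


def evaluate(rules, protocol, port, ip):
    """Decide one packet the way a NACL does: rules sorted by number,
    first match wins, and the '*' catch-all denies anything unmatched."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.protocol not in ("-1", protocol):
            continue
        if r.protocol != "-1" and not (r.port_from <= port <= r.port_to):
            continue
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(r.cidr):
            continue
        return r.action
    return "deny"    # the '*' rule: nothing above matched


def flow_allowed(inbound, outbound, client_ip, server_port, ephemeral_port):
    """Stateless check: the inbound request and the outbound reply are
    judged independently, so both rule sets must allow their packet."""
    request = evaluate(inbound, "tcp", server_port, client_ip)
    reply = evaluate(outbound, "tcp", ephemeral_port, client_ip)
    return request == "allow" and reply == "allow"


# Constructed example rule sets (not from any real account).
INBOUND = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
    Rule(110, "tcp", 22, 22, "10.0.0.0/8", "deny"),     # shadowed if numbered after 120
    Rule(120, "tcp", 22, 22, "0.0.0.0/0", "allow"),
]
OUTBOUND = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 22, "10.1.2.3"))        # deny, rule 110 matches first
    print(evaluate(INBOUND, "tcp", 80, "203.0.113.5"))     # deny, falls through to '*'
    print(flow_allowed(INBOUND, [], "203.0.113.5", 443, 50000))        # False: no return rule
    print(flow_allowed(INBOUND, OUTBOUND, "203.0.113.5", 443, 50000))  # True
```

Swapping the numbers of rules 110 and 120 makes the SSH deny unreachable, which is the ordering mistake the rule-number column exists to prevent.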