In the previous section, we looked at ways to connect to your VPC, which included gateways, VPN connections, direct connect, and peering. In this section, we're going to add some additional security to your VPC, by adding network access control lists to our subnets. We're also going to talk more about private subnets, and how administrators can still connect to private instances, by using Bastion instances. In an earlier chapter, we talked about security groups, and how these are like firewalls that protect our instances. An additional type of firewall we can use is network access control lists, or just network ACLs.
While security groups surround our instances, network ACLs allow and deny traffic at the subnet boundary, both inbound and outbound.
Since we already have security groups, it may seem that network ACLs are a bit redundant. However, best practice is to back up critical firewall rules, by including them in both security groups and network ACLs. By default...