A Network ACL is a virtual firewall that controls inbound and outbound traffic at the subnet level.
Default behavior
Your account’s default network ACL allows all inbound and outbound traffic, but you can modify it by adding your own rules.
Default vs Custom Network ACL
Default network ACL: all are welcome by default.
Custom network ACL: all are denied by default until you add rules to specify which traffic to allow.
NACL: Stateless - Remember Nothing
Network ACLs perform stateless packet filtering, which means they remember nothing and check every packet that crosses the subnet border in either direction, inbound or outbound.
Metaphor: Imagine you are at an airport, traveling to a different country. Think of the travelers as packets and the passport control officer as a network ACL. The passport control officer checks travelers’ credentials both when they enter and when they exit the country. If a traveler is on an approved list, they are able to get through. Otherwise, they cannot leave or enter another country.
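What "remember nothing" costs in practice, as an added example that is not part of the original notes: a toy model of stateless evaluation in which a reply is dropped unless the outbound rules allow it on their own. Assumptions: rules match on destination port only (real NACL rules also match protocol and CIDR), the rule numbers, the client port 50123 and the ephemeral range 1024-65535 are constructed sample values.

```python
# Added illustration: a toy model of stateless NACL evaluation (not AWS code).
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int      # rules are evaluated in ascending rule-number order
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

def evaluate(rules, dst_port):
    """First matching rule wins; no match falls through to the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.port_from <= dst_port <= rule.port_to:
            return rule.action
    return "deny"

def round_trip(inbound, outbound, server_port, client_port):
    """A request enters the subnet and the reply leaves it. Each packet is
    checked on its own; nothing about the request is remembered for the reply."""
    request = evaluate(inbound, server_port)   # destination is the server port
    if request == "deny":
        return ("deny", None)                  # no request delivered, so no reply
    reply = evaluate(outbound, client_port)    # destination is the client's ephemeral port
    return (request, reply)

# Constructed sample rule sets for a custom NACL in front of an HTTPS server.
INBOUND = [Rule(100, 443, 443, "allow")]
OUTBOUND_EMPTY = []                                  # custom NACL, no outbound rules yet
OUTBOUND_FIXED = [Rule(100, 1024, 65535, "allow")]   # explicit rule for reply traffic

if __name__ == "__main__":
    print(round_trip(INBOUND, OUTBOUND_EMPTY, 443, 50123))  # request in, reply dropped
    print(round_trip(INBOUND, OUTBOUND_FIXED, 443, 50123))  # request in, reply out
```

A stateful filter would let the reply through automatically because it tracks the connection; with a NACL, both directions need their own allow rule.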