An Amazon Web Services (AWS) Network Access Control List (NACL) is a layer of defense that operates at the subnet level and controls traffic in and out of a Virtual Private Cloud (VPC). A NACL is a set of rules that allow or deny traffic based on IP address range, protocol, and port number. NACLs are stateless: they do not track the state of a connection, so return traffic for an allowed request is not permitted automatically and must itself match an allow rule in the opposite direction.
A NACL is a numbered list of rules that are evaluated in ascending order, and the first rule that matches the traffic decides whether it is allowed or denied. Every NACL also ends with a default rule that denies all traffic that matched nothing earlier, so you need to explicitly allow the traffic you want to permit.
NACLs are useful for controlling traffic to and from your VPC, and they can help secure your VPC by allowing only specific traffic and denying everything else. NACLs can also be used to optimize network performance by allowing only the traffic that is necessary and denying unnecessary traffic.
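To make the three properties above concrete (numbered rules evaluated in order with first match winning, a catch-all deny, and statelessness), here is an added example that models NACL evaluation in plain Python. It is not AWS code, and the rule numbers, CIDR ranges and ports are constructed for illustration only.

```python
"""Added example: a model of AWS NACL rule evaluation (first match wins,
stateless, catch-all deny). Not AWS code; all rule numbers, CIDRs and
ports below are constructed for illustration."""
import ipaddress

def evaluate(nacl, direction, remote_ip, protocol, port):
    """Return (action, rule_number) for one packet.

    Rules are checked in ascending rule-number order and the first rule
    whose protocol, port range and CIDR all match decides the packet.
    If nothing matches, the catch-all '*' rule denies it.
    remote_ip is the source for inbound and the destination for outbound.
    """
    for rule in sorted(nacl[direction], key=lambda r: r["number"]):
        if rule["protocol"] not in ("all", protocol):
            continue
        low, high = rule["ports"]
        if not low <= port <= high:
            continue
        if ipaddress.ip_address(remote_ip) not in ipaddress.ip_network(rule["cidr"]):
            continue
        return rule["action"], rule["number"]
    return "deny", "*"

def rule(number, action, protocol, ports, cidr):
    return {"number": number, "action": action, "protocol": protocol,
            "ports": ports, "cidr": cidr}

# Constructed NACL for a public web subnet. Because NACLs are stateless, the
# replies to inbound HTTPS connections leave on the client's ephemeral port,
# so outbound 1024-65535 must be allowed explicitly.
WEB_NACL = {
    "inbound": [
        rule(90, "deny", "tcp", (443, 443), "203.0.113.0/24"),   # blocked range
        rule(100, "allow", "tcp", (443, 443), "0.0.0.0/0"),
    ],
    "outbound": [
        rule(100, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),   # return traffic
    ],
}

# Same inbound rules, but the outbound ephemeral-port rule was forgotten:
# inbound HTTPS is allowed, yet every response is dropped by the '*' rule.
BROKEN_NACL = {"inbound": WEB_NACL["inbound"], "outbound": []}

if __name__ == "__main__":
    print(evaluate(WEB_NACL, "inbound", "198.51.100.7", "tcp", 443))      # ('allow', 100)
    print(evaluate(WEB_NACL, "inbound", "203.0.113.9", "tcp", 443))       # ('deny', 90)
    print(evaluate(WEB_NACL, "outbound", "198.51.100.7", "tcp", 50000))   # ('allow', 100)
    print(evaluate(BROKEN_NACL, "outbound", "198.51.100.7", "tcp", 50000))  # ('deny', '*')
```

The last line is the classic stateless mistake: the inbound allow is correct, but without the outbound ephemeral-port rule the connection never completes.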
Now you must be thinking that Security Groups serve a similar purpose, so what exactly is the difference between NACLs and Security Groups in AWS? Let us look at the differences now.