NACLs

Network Access Control Lists are stateless packet filters applied at the subnet boundary in cloud Virtual Private Clouds that control inbound and outbound traffic based on protocol, port ranges, and IP CIDR ranges. Unlike security groups (stateful, instance-level), NACLs evaluate each packet independently and process rules in order.

NACLs provide a defense-in-depth layer for blocking known malicious IP ranges and restricting traffic flows between subnets that security groups cannot enforce.