Default NACL allows all inbound and outbound traffic.
All subnets created are assigned this default NACL.
We can create new custom NACLs and change the association from default to custom NACL at subnet level.
By default, a custom NACL DENIES all inbound and outbound traffic.
A subnet can have only one NACL associated with it at any given time, unlike security groups, where multiple SGs can be assigned to one EC2 instance.
One NACL can be associated with multiple subnets.
Example: the default NACL is associated with every new subnet as it is created, so one NACL ends up serving many subnets.
Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that may contradict it.
NACL rules are applied before security group rules.
NACLs are stateless
Example: if you allow HTTP inbound in a NACL, this does not automatically ALLOW HTTP outbound. You need to explicitly ALLOW the outbound (response) traffic as well.
This is different from security groups, which are stateful. In a SG, once you allow HTTP inbound (request), the corresponding outbound HTTP (response) is automatically allowed even if no such rule was created.
Because NACLs are stateless, response traffic leaves on ephemeral (temporary) ports, so open the ephemeral port range on outbound rules only, not on the rules for the service port itself.
You can DENY (block) IP addresses using NACLs. This is not possible through SGs; SGs only ALLOW.
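The rule-ordering, statelessness, ephemeral-port and explicit-deny points above can be checked against a small model of NACL evaluation. This is an added example written for these notes, not AWS code or an AWS API; the rule tuples, the sample CIDRs and the 32767 number used for the implicit "*" deny rule are constructed for illustration.

```python
import ipaddress

# Constructed NACL model (example only, not an AWS resource or API).
# Rule: (number, direction, protocol, port_from, port_to, cidr, action)
# protocol "-1" means all protocols; the implicit final "*" rule denies everything.
IMPLICIT_DENY = 32767

DEFAULT_NACL = [  # what new subnets get: allow all traffic both ways
    (100, "inbound", "-1", 0, 65535, "0.0.0.0/0", "allow"),
    (100, "outbound", "-1", 0, 65535, "0.0.0.0/0", "allow"),
]

CUSTOM_NACL = [  # a custom NACL starts empty (deny all); these rules were added
    (50, "inbound", "tcp", 80, 80, "198.51.100.0/24", "deny"),   # block one source range
    (100, "inbound", "tcp", 80, 80, "0.0.0.0/0", "allow"),        # HTTP request in
    (100, "outbound", "tcp", 1024, 65535, "0.0.0.0/0", "allow"),  # ephemeral ports out
    (200, "inbound", "tcp", 80, 80, "198.51.100.0/24", "allow"),  # never reached: 50 wins
]

def evaluate(rules, direction, protocol, port, peer_ip):
    """Lowest-numbered matching rule wins. peer_ip is the source for inbound
    traffic and the destination for outbound traffic. Returns (action, rule)."""
    addr = ipaddress.ip_address(peer_ip)
    for num, rdir, rproto, pfrom, pto, cidr, action in sorted(rules, key=lambda r: r[0]):
        if rdir != direction or rproto not in ("-1", protocol):
            continue
        if rproto != "-1" and not pfrom <= port <= pto:
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return action, num
    return "deny", IMPLICIT_DENY  # fell through every numbered rule

def http_exchange_allowed(rules, client_ip, client_port=49152):
    """Stateless: the inbound request and the outbound response are checked
    independently, each against its own direction's rules."""
    request, _ = evaluate(rules, "inbound", "tcp", 80, client_ip)
    response, _ = evaluate(rules, "outbound", "tcp", client_port, client_ip)
    return request == "allow" and response == "allow"

if __name__ == "__main__":
    print(evaluate(CUSTOM_NACL, "inbound", "tcp", 80, "198.51.100.9"))  # ('deny', 50)
    print(evaluate(CUSTOM_NACL, "outbound", "tcp", 80, "203.0.113.7"))  # ('deny', 32767)
    print(http_exchange_allowed(CUSTOM_NACL, "203.0.113.7"))            # True
    inbound_only = [r for r in CUSTOM_NACL if r[1] == "inbound"]
    print(http_exchange_allowed(inbound_only, "203.0.113.7"))           # False
```

Dropping the outbound ephemeral-port rule breaks the HTTP exchange even though the inbound allow is still present, which is the stateless behaviour the notes describe.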