A network access control list (NACL) is a layer of security for your VPC that acts as a virtual firewall for controlling traffic in and out of one or more subnets.
You set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.
NACLs operate at the subnet level, whereas Security Groups work at the EC2 instance level.
SGs have only ALLOW rules at the EC2 level, but NACLs have both ALLOW and DENY rules at the subnet level.
So you can DENY (block) IP addresses using NACLs at the subnet level.
This is not possible through SGs, since SGs only ALLOW at the EC2 level.
So if you want to BLOCK an IP address, do it in the NACL; it is not possible with security groups.
NACL rules (IOADC)
rule is either Inbound or Outbound
rule can specify ALLOW or DENY
an inbound rule has a source CIDR; an outbound rule has a destination CIDR
Only a CIDR can be specified in the source or destination field of an NACL, unlike in a Security Group, where sources and destinations can be a CIDR, an SG, or a prefix list.
When you create a VPC, a default NACL is created.
Default NACL allows all inbound and outbound traffic.
All subnets created are assigned this default NACL.
We can create new custom NACLs and change the association from the default to a custom NACL at the subnet level.
By default a custom NACL DENYs all inbound and outbound traffic.
Each subnet in your VPC must be associated with a network ACL. If you don’t explicitly associate a subnet with a network ACL, the subnet is automatically associated with the default network ACL.
A subnet can have only one NACL associated at any given time, unlike Security Groups, where multiple SGs can be assigned to an EC2 instance.
One NACL can be associated with multiple subnets. For example, the default NACL is assigned whenever a new subnet is created.
Rules are evaluated starting with the lowest numbered rule. As soon as a rule matches traffic, it’s applied regardless of any higher-numbered rule that may contradict it. The highest number that you can use for a rule is 32766.
NACL rules are applied first, before security group rules.
NACLs are stateless
Example: If you allow HTTP inbound in a NACL, this does not automatically ALLOW HTTP outbound. You need to explicitly ALLOW HTTP outbound as well.
This is different from security groups, which are stateful. In an SG, once you allow HTTP inbound (request), the request’s corresponding outbound HTTP (response) is automatically allowed even if there is no such rule created.
Use ephemeral (temporary) ports on outbound rules only, so that responses to inbound requests (which go back to the client’s ephemeral port) are allowed out of the subnet.
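As an added example (not part of the original notes and not AWS code), the following Python script simulates how a NACL evaluates traffic: rules are checked lowest number first, the first match wins, anything unmatched hits the implicit final DENY, and inbound and outbound are evaluated independently because the NACL is stateless. The rule sets, the IP addresses (RFC 5737 documentation ranges) and the port numbers are constructed for the illustration; the script makes no AWS calls.

```python
"""Simulate NACL rule evaluation (constructed example, not AWS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Tuple

MAX_RULE_NUMBER = 32766  # highest rule number a NACL rule can have


@dataclass(frozen=True)
class NaclRule:
    number: int            # evaluated lowest first; first match wins
    egress: bool           # False = inbound rule, True = outbound rule
    action: str            # "ALLOW" or "DENY"
    cidr: str              # source CIDR (inbound) or destination CIDR (outbound)
    protocol: str = "-1"   # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int = 0
    to_port: int = 65535


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    protocol: str
    dst_port: int


def evaluate(rules: Iterable[NaclRule], packet: Packet, egress: bool) -> Tuple[str, int]:
    """Return (verdict, matching rule number). Rule number 0 stands for the
    implicit final '*' DENY that every NACL has."""
    # Inbound rules match on the source address, outbound rules on the destination.
    addr = ipaddress.ip_address(packet.dst_ip if egress else packet.src_ip)
    direction = [r for r in rules if r.egress == egress]
    for rule in sorted(direction, key=lambda r: r.number):
        if not 1 <= rule.number <= MAX_RULE_NUMBER:
            raise ValueError(f"rule number {rule.number} out of range")
        if addr not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if not rule.from_port <= packet.dst_port <= rule.to_port:
            continue
        return rule.action, rule.number   # first match ends evaluation
    return "DENY", 0


def http_exchange(rules: List[NaclRule], client_ip: str, server_ip: str,
                  client_port: int) -> Tuple[str, str]:
    """Stateless check of one HTTP request/response pair crossing the subnet edge:
    the request is judged by inbound rules, the response by outbound rules."""
    request = Packet(client_ip, server_ip, "tcp", 80)
    response = Packet(server_ip, client_ip, "tcp", client_port)
    return (evaluate(rules, request, egress=False)[0],
            evaluate(rules, response, egress=True)[0])


# Constructed rule sets (hypothetical, for illustration only).
HTTP_INBOUND_ONLY = [
    NaclRule(100, False, "ALLOW", "0.0.0.0/0", "tcp", 80, 80),
]
# Same, plus the outbound ephemeral-port rule the response needs.
HTTP_WITH_EPHEMERAL = HTTP_INBOUND_ONLY + [
    NaclRule(100, True, "ALLOW", "0.0.0.0/0", "tcp", 1024, 65535),
]
# Block a range: the DENY must be numbered lower than the ALLOW to take effect.
BLOCK_RANGE_FIRST = [NaclRule(50, False, "DENY", "203.0.113.0/24")] + HTTP_WITH_EPHEMERAL
BLOCK_RANGE_LAST = [NaclRule(200, False, "DENY", "203.0.113.0/24")] + HTTP_WITH_EPHEMERAL

if __name__ == "__main__":
    client, server, port = "198.51.100.7", "10.0.1.10", 49152
    print("inbound only     :", http_exchange(HTTP_INBOUND_ONLY, client, server, port))
    print("with ephemeral   :", http_exchange(HTTP_WITH_EPHEMERAL, client, server, port))
    print("deny before allow:", http_exchange(BLOCK_RANGE_FIRST, "203.0.113.9", server, port))
    print("deny after allow :", http_exchange(BLOCK_RANGE_LAST, "203.0.113.9", server, port))
```

The first run shows the stateless behaviour from the notes: with only the inbound port-80 ALLOW, the request gets in but the response is dropped by the implicit DENY until the outbound ephemeral-port rule is added. The last two runs show why rule numbering matters when blocking an address: the DENY at 50 wins, while the same DENY at 200 is never reached because rule 100 already allowed the packet.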