AWS Security Academy · Lesson

How Network ACLs Filter Subnets

Learn the stateless rules that guard an entire subnet.

The Subnet Firewall

A network ACL (NACL) is a firewall that operates at the subnet boundary. Every packet entering or leaving a subnet is evaluated against the NACL associated with that subnet, regardless of which instance sent or received it. It is the second layer of network defense alongside security groups.

Numbered, Ordered Rules

NACL rules are numbered and evaluated in ascending order. AWS checks rule 100 before rule 200, and the first matching rule wins: evaluation stops there and no later rule is consulted. This ordering is the opposite of security groups, where every rule is evaluated and no rule has priority over another. Leave gaps between numbers (100, 200, 300) so you can insert rules later without renumbering.
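The first-match evaluation described above, as an added example that is not part of the lesson: a small Python model of inbound NACL rules, plus a lint that flags rules a lower-numbered rule has already fully covered (a deny placed after a broad allow can never fire). The rule set is constructed for illustration; it assumes AWS's implicit final `*` rule, which denies anything no numbered rule matched.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int       # evaluation order; lower numbers are checked first
    protocol: str     # "tcp", "udp", "icmp" or "-1" meaning all protocols
    cidr: str         # source CIDR for an inbound rule
    port_from: int
    port_to: int
    action: str       # "allow" or "deny"

    def matches(self, proto: str, src: str, port: int) -> bool:
        if self.protocol not in ("-1", proto):
            return False
        if ip_address(src) not in ip_network(self.cidr):
            return False
        return self.port_from <= port <= self.port_to


def evaluate(rules, proto: str, src: str, port: int):
    """Return (rule number, action) of the first match in ascending order.
    With no match the packet falls through to the implicit '*' rule: deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(proto, src, port):
            return rule.number, rule.action
    return "*", "deny"


def shadowed_rules(rules):
    """Lint: a rule whose protocol, CIDR and port range are entirely covered
    by a lower-numbered rule is dead code. Returns (dead, covering) pairs."""
    ordered = sorted(rules, key=lambda r: r.number)
    dead = []
    for i, later in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.protocol in ("-1", later.protocol)
                    and ip_network(later.cidr).subnet_of(ip_network(earlier.cidr))
                    and earlier.port_from <= later.port_from
                    and later.port_to <= earlier.port_to):
                dead.append((later.number, earlier.number))
                break
    return dead


# Constructed inbound rule set: rule 200 tries to block one /24 on HTTPS,
# but rule 100 already allows HTTPS from everywhere, so 200 never matches.
RULES = [
    NaclRule(100, "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(200, "tcp", "203.0.113.0/24", 443, 443, "deny"),
    NaclRule(300, "tcp", "10.0.0.0/8", 22, 22, "allow"),
]
```

Running `shadowed_rules(RULES)` reports rule 200 as covered by rule 100; moving the deny to a number below 100 is the fix.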
