NACLs are virtual network-level firewalls that are associated with each and every subnet within your VPC and control ingress and egress traffic moving in and out of your subnet. Much like route tables, a default VPC NACL will be created when your VPC is also created. As a result, for any subnet that does not have an explicit NACL associated with it, this default NACL will be used.
For each NACL, there are two fundamental components: inbound rules and outbound rules. These rules control what traffic flows in and out of your subnet at a network level. NACLs are stateless, meaning that any response traffic generated from a request will have to be explicitly allowed and configured in either the inbound or outbound ruleset depending on where the response is coming from.
Let's look at the configuration of an NACL to explain how they work.