📖 What is Amazon VPC Network Access Control Lists (NACLs)?
Amazon VPC Network Access Control Lists (NACLs) are an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. Unlike security groups, NACLs are stateless.
"Because NACLs are stateless, you must explicitly define both inbound and outbound rules for traffic to flow successfully."
📚 Certification: AWS Certified Cloud Practitioner (CLF-C02)
🔑 What are the Key Concepts of Amazon VPC Network Access Control Lists (NACLs)?
- Stateless nature requires that you explicitly configure both inbound and outbound rules to allow traffic to flow in and out of the subnet.
- Operates at the subnet level, meaning all instances within that specific subnet are subject to the same NACL rules for network traffic.
- Supports both 'Allow' and 'Deny' rules, providing the ability to explicitly block traffic from specific IP addresses or CIDR ranges.
- Rules are processed in numerical order, starting from the lowest number; the first rule that matches the traffic is applied immediately.
- Provides a secondary layer of security (defense in depth) that complements Security Groups by filtering traffic before it reaches the instance.
🎯 How does Amazon VPC Network Access Control Lists (NACLs) appear on the CLF-C02 Exam?
You may be asked to identify the best tool for blocking a specific malicious IP address from accessing your entire subnet, where a Security Group cannot be used because it only supports 'Allow' rules.
A scenario might describe a situation where inbound traffic is allowed, but the application fails to respond. You must identify that the NACL's stateless nature requires an outbound rule for return traffic.
Expect questions comparing security layers where you must distinguish between the subnet-level filtering provided by NACLs and the instance-level filtering provided by Security Groups to determine which one to modify.
❓ Frequently Asked Questions
Why would I use a NACL if I already have Security Groups?
NACLs provide an additional layer of security at the subnet boundary. They are particularly useful for blocking specific IP addresses or ranges, which Security Groups cannot do since they only support 'Allow' rules.
What happens if a packet matches multiple rules in a NACL?
NACLs evaluate rules in ascending numerical order. As soon as a packet matches a rule (regardless of whether it is Allow or Deny), that rule is applied and no further rules are checked.
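To make the two points above concrete (first-match evaluation in ascending rule order, and the stateless need for a matching outbound rule for return traffic, as in the exam scenario described earlier), here is a small simulation. It is an added example written for this page, not AWS code; it models only TCP/UDP port rules, the rule numbers and CIDRs are constructed, and the trailing `'*'` stands for the implicit catch-all deny that ends every NACL.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # NACLs evaluate rules in ascending number order
    protocol: str     # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    cidr: str
    action: str       # "allow" or "deny"


def evaluate(rules, protocol, port, ip):
    """Return (action, rule_number) of the FIRST matching rule.
    No match falls through to the implicit final deny, reported as '*'."""
    for r in sorted(rules, key=lambda r: r.number):
        proto_ok = r.protocol in ("all", protocol)
        port_ok = r.protocol == "all" or r.port_from <= port <= r.port_to
        if proto_ok and port_ok and ip_address(ip) in ip_network(r.cidr):
            return r.action, r.number
    return "deny", "*"


def tcp_round_trip(inbound, outbound, client_ip, server_port, client_port):
    """Stateless check: the request must pass the INBOUND rules AND the
    reply, sent back to the client's ephemeral port, must pass OUTBOUND."""
    action, num = evaluate(inbound, "tcp", server_port, client_ip)
    if action != "allow":
        return False, f"request blocked by inbound rule {num}"
    action, num = evaluate(outbound, "tcp", client_port, client_ip)
    if action != "allow":
        return False, f"reply blocked by outbound rule {num}"
    return True, "ok"


# Constructed sample NACL: block one address, then allow HTTPS from anywhere.
# The deny must carry the LOWER number, or the broad allow wins first.
INBOUND = [
    Rule(90, "tcp", 443, 443, "203.0.113.7/32", "deny"),
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]
OUTBOUND_BROKEN = []  # no rule for replies: requests arrive, answers never leave
OUTBOUND_FIXED = [Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow")]

if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 443, "203.0.113.7"))                 # ('deny', 90)
    print(tcp_round_trip(INBOUND, OUTBOUND_BROKEN, "198.51.100.20", 443, 50000))
    print(tcp_round_trip(INBOUND, OUTBOUND_FIXED, "198.51.100.20", 443, 50000))
```

Renumbering the deny to 110 in `INBOUND` lets the allow at 100 match first, which is exactly why rule numbering decides whether a block takes effect.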