How it works...

We can define multiple inbound and outbound rules in an NACL. An NACL can be associated with one or multiple subnets in the VPC. An inbound rule allows or blocks incoming network requests from outside of the subnet to the resources hosted in the subnet. An outbound rule allows or blocks network requests from resources hosted within the subnet to outside of the subnet. Each rule has a number. The rules are evaluated from the rule with the lowest number first and then the rule with the next highest number. However, if a rule allows particular network traffic, other rules are not evaluated. So if a rule with the lowest number allows all traffic, more restrictive rule that would have blocked the traffic will not take effect. An NACL is stateless. This means that, if a network request is allowed by an inbound rule, the response can't go out if the outbound rule does not allow it, and vice versa. It may be preferable to add a DENY rule first where you want to allow a wide range of ports, but there are a few ports in that range which you would need to block.