Network ACLs or NACLs

The second layer of defense is our network ACLs. These are stateless network control mechanisms where each rule will have the ability to allow or deny traffic in exactly one direction. An ACL can be used to define strict rules on network access and provide protection at the network level. There are default, modifiable network ACLs in each VPC we create that are designed to allow all incoming and outgoing traffic to the network. In a similar way to how we assign security groups to instances, we can assign network ACLs to our VPCs. We can define multiple ACLs within our VPC; however, a subnet in a VPC can only be assigned one network ACL at a time. ACLs can be used to control traffic between subnets within one VPC as all traffic is initially allowed between subnets. Also, ACLs can be used when a certain set of IP addresses needs to be prevented from accessing our networks; for example, if we need to block certain geographies or a certain set of IPs that have been determined to be malicious.
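As an added example (not code from the book), here is a small Python model of how a network ACL decides on a packet: rules are evaluated in ascending rule-number order, the first match wins, and an implicit final rule denies everything else. Because the ACL is stateless, a TCP exchange needs an inbound rule for the request and a separate outbound rule for the reply on the ephemeral port range; the sample ACL, addresses and ports below are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated in ascending order; the first matching rule wins
    direction: str  # "inbound" or "outbound": each rule covers exactly one direction
    protocol: str   # "tcp", "udp", "icmp" or "all"
    cidr: str       # remote CIDR (source for inbound, destination for outbound)
    port_from: int
    port_to: int
    action: str     # "allow" or "deny"


def evaluate(rules, direction, protocol, remote_ip, port):
    """Return 'allow' or 'deny' for one packet travelling in one direction."""
    for rule in sorted((r for r in rules if r.direction == direction), key=lambda r: r.number):
        if rule.protocol not in ("all", protocol):
            continue
        if ip_address(remote_ip) not in ip_network(rule.cidr):
            continue
        if not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"  # the implicit '*' rule that ends every network ACL


def tcp_exchange_permitted(rules, client_ip, server_port, client_port):
    """Stateless check: the request and the reply must each pass their own rule set."""
    request_ok = evaluate(rules, "inbound", "tcp", client_ip, server_port) == "allow"
    reply_ok = evaluate(rules, "outbound", "tcp", client_ip, client_port) == "allow"
    return request_ok and reply_ok


# Constructed ACL for a public web subnet; all addresses are documentation ranges.
WEB_SUBNET_ACL = [
    NaclRule(50, "inbound", "all", "198.51.100.0/24", 0, 65535, "deny"),  # block a range before any allow
    NaclRule(100, "inbound", "tcp", "0.0.0.0/0", 443, 443, "allow"),
    NaclRule(100, "outbound", "tcp", "0.0.0.0/0", 1024, 65535, "allow"),  # ephemeral ports for replies
]

# The same ACL without the outbound rule: inbound HTTPS is allowed, but the replies are dropped.
NO_EPHEMERAL_ACL = [r for r in WEB_SUBNET_ACL if r.direction != "outbound"]

if __name__ == "__main__":
    print(tcp_exchange_permitted(WEB_SUBNET_ACL, "203.0.113.10", 443, 40000))    # True
    print(tcp_exchange_permitted(NO_EPHEMERAL_ACL, "203.0.113.10", 443, 40000))  # False
    print(evaluate(WEB_SUBNET_ACL, "inbound", "tcp", "198.51.100.7", 443))       # deny
```

The second ACL is the classic misconfiguration: the rule that allows the request looks correct, yet the connection never completes because the stateless ACL has no rule for the reply.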

The following diagram shows how security groups and network ACLs apply within a VPC:
