There's more...

Let's quickly go through some important concepts related to network ACLs:

  • When we create a VPC, a default NACL is created by AWS. The value of the Default column will be Yes for the default NACL within the NACL list in our VPC. 
  • The default NACL allows all inbound and outbound traffic. A newly created custom NACL, by contrast, contains only the implicit * rule, which denies all inbound and outbound traffic until we add Allow rules to it.
  • Every subnet is associated with exactly one NACL at any time. By default, a subnet is associated with the default NACL of its VPC.
  • When we associate a subnet with a different NACL, the existing association is replaced, because a subnet can only have one NACL.
  • A single NACL can be associated with multiple subnets.
  • NACLs contain a numbered set of rules. The rules are evaluated in ascending order of rule number and the first rule that matches the traffic decides the outcome; later rules are not considered. If we have an Allow rule with a lower number than a Deny rule for the same port, access to that port is allowed. Similarly, if the Deny rule has the lower number, access to that port is denied. Traffic that matches no numbered rule falls through to the implicit * rule, which denies it. AWS recommends numbering rules in increments (for example, multiples of 100) initially, so that new rules can be inserted between existing ones if needed.
  • We can block specific IP addresses or CIDR ranges with a NACL Deny rule. This is not possible with security groups, because security groups only support Allow rules; anything not explicitly allowed by a security group is simply dropped.
  • For inbound traffic, the NACL is evaluated first (at the subnet boundary) and then the security group of the instance. For outbound traffic, the order is reversed: the security group is evaluated first, then the NACL as the traffic leaves the subnet.
  • Security groups are stateful, while NACLs are stateless. With a security group, if we send a request from the instance, the response is allowed back in irrespective of the inbound rules. Similarly, if we allow an inbound request, the corresponding outbound response is allowed out irrespective of the outbound rules. With a NACL, we need to allow both directions explicitly. In practice this means that, in addition to allowing the service port (for example, inbound TCP 443), we must also allow the return traffic on the ephemeral port range the client uses (AWS recommends allowing 1024-65535 for this purpose); forgetting the ephemeral-port rule is the most common reason a NACL breaks an otherwise working service.
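The rule-ordering and stateless behavior described above can be tried out without an AWS account. The following is an added example, not code from the book or from AWS; it is a small model of a NACL evaluator (first match by rule number, implicit deny) next to a security-group check (allow rules only, stateful), using constructed rule sets and the documentation address ranges 203.0.113.0/24 and 198.51.100.0/24 as hypothetical hosts:

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # NACL rule number; lower numbers are evaluated first
    protocol: str     # "tcp", "udp", "icmp" or "all"
    port_from: int    # inclusive port range (ignored for "all" and "icmp")
    port_to: int
    cidr: str         # source CIDR for inbound rules, destination CIDR for outbound
    action: str       # "allow" or "deny"

    def matches(self, protocol: str, port: int, addr: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol in ("tcp", "udp") and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(addr) in ip_network(self.cidr)


def evaluate_nacl(rules, protocol: str, port: int, addr: str) -> str:
    """Return 'allow' or 'deny' for one packet.

    Rules are tried in ascending rule-number order and the first match wins,
    so an Allow numbered below a Deny for the same port allows, and vice versa.
    A packet matching no numbered rule hits the implicit '*' rule, which denies.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, port, addr):
            return rule.action
    return "deny"


def nacl_tcp_session_allowed(inbound, outbound, client_ip: str,
                             client_port: int, server_port: int) -> bool:
    """Stateless: request and response are checked independently.

    The request arrives on server_port and is checked against the inbound
    rules; the reply leaves towards client_port (an ephemeral port chosen by
    the client) and is checked against the outbound rules. Both must allow.
    """
    request_ok = evaluate_nacl(inbound, "tcp", server_port, client_ip) == "allow"
    response_ok = evaluate_nacl(outbound, "tcp", client_port, client_ip) == "allow"
    return request_ok and response_ok


def sg_tcp_session_allowed(inbound_allow, client_ip: str,
                           client_port: int, server_port: int) -> bool:
    """Stateful: a security group has Allow rules only and no ordering.

    If any inbound rule admits the request, the response is permitted
    automatically regardless of outbound rules, so client_port is never consulted.
    """
    return any(r.matches("tcp", server_port, client_ip) for r in inbound_allow)


# Constructed sample rule sets (hypothetical, not from any real account).
BLOCKED_RANGE = "203.0.113.0/24"   # a source we want to deny outright

NACL_INBOUND = [
    Rule(90, "tcp", 443, 443, BLOCKED_RANGE, "deny"),   # lower number, so it wins
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Outbound set that forgets the return traffic: only the service port is open.
NACL_OUTBOUND_NO_EPHEMERAL = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),
]

# Outbound set that also allows the ephemeral port range AWS recommends.
NACL_OUTBOUND_WITH_EPHEMERAL = [
    Rule(100, "tcp", 1024, 65535, "0.0.0.0/0", "allow"),
]

SG_INBOUND = [Rule(0, "tcp", 443, 443, "0.0.0.0/0", "allow")]


if __name__ == "__main__":
    print("blocked range on 443:", evaluate_nacl(NACL_INBOUND, "tcp", 443, "203.0.113.5"))
    print("other client on 443:", evaluate_nacl(NACL_INBOUND, "tcp", 443, "198.51.100.7"))
    print("NACL session, no ephemeral rule:",
          nacl_tcp_session_allowed(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL,
                                   "198.51.100.7", 51515, 443))
    print("NACL session, with ephemeral rule:",
          nacl_tcp_session_allowed(NACL_INBOUND, NACL_OUTBOUND_WITH_EPHEMERAL,
                                   "198.51.100.7", 51515, 443))
    print("SG session:", sg_tcp_session_allowed(SG_INBOUND, "198.51.100.7", 51515, 443))
```

Swapping the numbers of the two inbound rules (Allow at 90, Deny at 100) makes the blocked range pass, which is exactly the ordering pitfall a reviewer should look for in a NACL change; and the two outbound sets show why an inbound-only change to a NACL is never complete.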