Network Access Control List

  • When a VPC is created, a default NACL is created with it.
  • All new subnets are associated with the default NACL; if you use a custom NACL you have to change the association manually.
  • A newly created (custom) NACL denies all inbound and outbound traffic until you add rules.
  • A NACL can be associated with multiple subnets, but a subnet can be associated with only one NACL at a time.
  • Rules in a NACL (inbound and outbound) are evaluated in ascending rule-number order, i.e. 100, then 200, and so on; the first matching rule wins. It is recommended to number rules in increments of 100 so that rules can be inserted between them later.
  • NACLs are evaluated before security groups.
  • Ephemeral ports

    A NAT gateway uses ports 1024-65535.

  • To block IP addresses, use a NACL, not a security group (security groups have no deny rules).
  • NACLs are stateless: you have to explicitly allow or deny both inbound and outbound traffic, including the return traffic of a connection.
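The following is an added example, not AWS code or part of the original notes: a small Python model of how a NACL evaluates packets, covering the points above (ascending rule-number order with first match wins, implicit deny when no rule matches, and statelessness, which means the reply leg of a connection has to be allowed separately on the ephemeral port range). The rule sets, CIDRs (RFC 5737 documentation ranges) and port numbers are constructed for the demonstration and are assumptions, not values from the notes.

```python
"""Model of AWS network ACL evaluation (added example, not AWS code).

Semantics modelled:
  * rules are evaluated in ascending rule-number order, first match wins
  * if no rule matches, the implicit final '*' rule denies
  * NACLs are stateless, so the request and the reply are evaluated
    independently against the inbound and outbound rule sets
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int       # rule number; lower numbers are evaluated first
    action: str       # "allow" or "deny"
    protocol: str     # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int    # port range (ignored when protocol is "-1")
    port_to: int
    cidr: str         # remote CIDR: source for inbound, destination for outbound


def evaluate(rules, protocol, port, address):
    """Return 'allow' or 'deny' for one packet in one direction.

    `address` is the remote address for that direction: the source
    address for inbound traffic, the destination for outbound traffic.
    """
    addr = ip_address(address)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("-1", protocol):
            continue
        if rule.protocol != "-1" and not (rule.port_from <= port <= rule.port_to):
            continue
        if addr not in ip_network(rule.cidr):
            continue
        return rule.action          # first matching rule wins
    return "deny"                   # implicit '*' rule at the end of every NACL


# Constructed rule sets for a subnet hosting an HTTPS service.
INBOUND = [
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),        # HTTPS from anywhere
    Rule(110, "deny", "tcp", 22, 22, "198.51.100.0/24"),     # block SSH from one range
    Rule(120, "allow", "tcp", 22, 22, "0.0.0.0/0"),          # SSH from everywhere else
    Rule(130, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),     # replies to outbound connections
]
OUTBOUND = [
    Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),        # outbound HTTPS
    Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0"),     # replies to inbound clients
]


def check_inbound_connection(client_ip, service_port, client_port,
                             inbound=INBOUND, outbound=OUTBOUND):
    """Stateless check of a client-initiated TCP connection.

    Returns (request_verdict, reply_verdict). The reply goes out to the
    client's ephemeral port, so it must match an outbound allow rule on
    its own; the inbound allow does not carry over.
    """
    request = evaluate(inbound, "tcp", service_port, client_ip)
    reply = evaluate(outbound, "tcp", client_port, client_ip)
    return request, reply


if __name__ == "__main__":
    print(evaluate(INBOUND, "tcp", 22, "198.51.100.7"))     # deny (rule 110 matches first)
    print(evaluate(INBOUND, "tcp", 22, "203.0.113.9"))      # allow (rule 120)
    print(check_inbound_connection("203.0.113.9", 443, 51515))  # ('allow', 'allow')
    print(check_inbound_connection("203.0.113.9", 443, 1000))   # ('allow', 'deny')
```

Note the two failure modes the model makes visible: a deny rule numbered after a broader allow is never reached (renumber the deny in the model to 125 and the SSH block stops working), and a reply to a client port outside the allowed ephemeral range is dropped even though the request was allowed, which is exactly what statelessness means in practice.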