At what level do network access control lists (network ACLs) provide protection?

Network access control lists (network ACLs) operate at the subnet level within the Amazon Web Services (AWS) environment. They serve as a virtual firewall for controlling inbound and outbound traffic to and from multiple instances. Network ACLs are stateless, meaning they evaluate each packet individually and do not keep track of the traffic flow, allowing you to set separate rules for incoming and outgoing traffic.

By situating network ACLs at the subnet level, they provide a broader range of security for all resources within that subnet. This is especially useful for scenarios where you want a consistent set of controls applied across multiple instances, rather than configuring access controls on each individual instance.

The use of network ACLs can help enhance your security posture by applying and managing rules that can allow or deny traffic based on IP addresses, protocols, and ports, ultimately governing how resources within that subnet interact with both internal and external networks.