What does a Network ACL control in an AWS VPC?


A Network Access Control List (ACL) in an AWS Virtual Private Cloud (VPC) is designed to control the flow of traffic in and out of one or more subnets. It operates at the subnet level and provides a layer of security by allowing or denying traffic based on specified rules.

This means you can define which IP addresses and protocols can enter or exit the subnet, giving you a robust mechanism to enforce security and control network access. Unlike security groups, which are associated with individual instances, Network ACLs are applied to the entire subnet, thus affecting all resources within that subnet.

This broad control over inbound and outbound traffic makes it suitable for managing access for multiple resources, rather than being limited to specific instances or connections. This characteristic is essential when scaling applications or managing multiple instances that share the same subnet. In this way, Network ACLs ensure that you can secure your infrastructure comprehensively at the subnet level.
