====== Network ACL (NACL) ======

**What it is:** A stateless firewall that controls traffic at the subnet level.

**What it’s for:**
  * Add an extra layer of subnet-level allow/deny rules.
  * Block specific IP ranges broadly (when needed).

**Key ideas:**
  * **Stateless**: return traffic is not allowed automatically, so you must allow both the inbound and the outbound direction.
  * Supports both **allow** and **deny** rules.
  * Rules are evaluated in order (by rule number).

**Exam cues:**
  * “block a specific IP range at subnet level” → NACL deny rule.
  * “need explicit deny” → NACL (not SG).

**Hard words:**
  * *stateless* /ˈsteɪtləs/: without state
  * *evaluated* /ɪˈvæljueɪtɪd/: assessed / checked
  * *explicit deny* /ɪkˈsplɪsɪt dɪˈnaɪ/: explicit denial
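
Added example (not part of the original notes): a simplified Python model of the key ideas above, showing ordered evaluation, an explicit deny for one IP range, and the need for an outbound rule to let return traffic through. The ''Rule'' class, the function names, the rule numbers, the port ranges and the documentation-range IP addresses are constructed for illustration; lowest-number-first, first-match evaluation with a final implicit deny is AWS's documented behaviour, which these notes only summarise as "evaluated in order".

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical, simplified rule (protocol ignored)
    number: int
    cidr: str
    ports: range                 # destination ports the rule covers
    action: str                  # "allow" or "deny"

ALL_PORTS = range(0, 65536)
EPHEMERAL = range(1024, 65536)   # assumed client port range that replies go back to

def evaluate(rules, peer_ip, dst_port):
    """Lowest-numbered matching rule wins; no match falls to the implicit deny."""
    addr = ipaddress.ip_address(peer_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if addr in ipaddress.ip_network(rule.cidr) and dst_port in rule.ports:
            return rule.action
    return "deny"

def round_trip(inbound, outbound, client_ip, server_port, client_port):
    """Stateless: the reply is checked against the outbound rules on its own."""
    request_ok = evaluate(inbound, client_ip, server_port) == "allow"
    reply_ok = evaluate(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok

# Constructed sample rules (documentation IP ranges, not real hosts).
INBOUND = [
    Rule(100, "0.0.0.0/0", range(443, 444), "allow"),
    Rule(90, "203.0.113.0/24", ALL_PORTS, "deny"),   # explicit deny, evaluated first
]
MISORDERED = [
    Rule(100, "0.0.0.0/0", range(443, 444), "allow"),
    Rule(110, "203.0.113.0/24", ALL_PORTS, "deny"),  # never reached for port 443
]
OUTBOUND = [Rule(100, "0.0.0.0/0", EPHEMERAL, "allow")]

if __name__ == "__main__":
    print(evaluate(INBOUND, "203.0.113.7", 443))
    print(evaluate(MISORDERED, "203.0.113.7", 443))
    print(round_trip(INBOUND, OUTBOUND, "198.51.100.10", 443, 50000))
    print(round_trip(INBOUND, [], "198.51.100.10", 443, 50000))
```

The ''MISORDERED'' list shows why a deny rule needs a lower number than the allow rule it is meant to override, and the empty outbound list shows an allowed request whose reply is still dropped.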