What it is: A stateless firewall that controls traffic at the subnet level.

What it’s for:

• Add an extra layer of subnet-level allow/deny rules.
• Block specific IP ranges broadly (when needed).

Key ideas:

• Stateless: you must allow both inbound and outbound for return traffic.
• Supports both allow and deny rules.
• Rules are evaluated in order (by rule number).

Exam cues:

• “block a specific IP range at subnet level” → NACL deny rule.
• “need explicit deny” → NACL (not SG).

Hard words:

• *stateless* /ˈsteɪtləs/: không trạng thái
• *evaluated* /ɪˈvæljueɪtɪd/: được đánh giá/duyệt
• *explicit deny* /ɪkˈsplɪsɪt dɪˈnaɪ/: từ chối tường minh