Each subnet in your VPC must be associated with a network ACL.
Every VPC automatically comes with a default network ACL, which by default allows all inbound and outbound traffic.
A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest numbered rule.
Network ACLs are stateless, which means responses to allowed inbound traffic are subject to the rules for outbound traffic, and vice versa.
Network ACLs have separate inbound and outbound rules, and each rule can either allow or deny traffic.
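
The ordering and stateless behavior described above can be checked with a small model. This is an added example, not part of the original notes: the Rule class, the function names, the rule sets and the documentation-range addresses are constructed for illustration, only TCP ports are modeled, and it relies on standard network ACL behavior that the first matching rule decides and unmatched traffic is denied.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    number: int     # rules are evaluated lowest number first
    action: str     # "allow" or "deny"
    cidr: str       # source CIDR (inbound list) or destination CIDR (outbound list)
    port_from: int  # destination port range, inclusive
    port_to: int


def evaluate(rules, peer_ip, dest_port):
    """Return the action of the first matching rule, in rule-number order."""
    for rule in sorted(rules, key=lambda r: r.number):
        in_cidr = ip_address(peer_ip) in ip_network(rule.cidr)
        if in_cidr and rule.port_from <= dest_port <= rule.port_to:
            return rule.action
    return "deny"  # nothing matched: the implicit final deny applies


def https_round_trip(inbound, outbound, client_ip, client_port):
    """Stateless check: the request and its reply are evaluated independently."""
    request = evaluate(inbound, client_ip, 443)          # client -> subnet:443
    reply = evaluate(outbound, client_ip, client_port)   # subnet -> client ephemeral port
    return request == "allow" and reply == "allow"


# Constructed sample rule sets.
INBOUND = [
    Rule(100, "allow", "0.0.0.0/0", 443, 443),
    Rule(90, "deny", "203.0.113.0/24", 443, 443),  # lower number, so it is checked first
]
# Outbound list that forgets reply traffic to client ephemeral ports.
OUTBOUND_NO_REPLY = [Rule(100, "allow", "0.0.0.0/0", 443, 443)]
# Corrected outbound list: replies to ephemeral ports are allowed explicitly.
OUTBOUND_WITH_REPLY = OUTBOUND_NO_REPLY + [Rule(110, "allow", "0.0.0.0/0", 1024, 65535)]

if __name__ == "__main__":
    print("blocked range:", evaluate(INBOUND, "203.0.113.7", 443))
    print("other client: ", evaluate(INBOUND, "198.51.100.10", 443))
    print("no reply rule:", https_round_trip(INBOUND, OUTBOUND_NO_REPLY, "198.51.100.10", 50000))
    print("reply allowed:", https_round_trip(INBOUND, OUTBOUND_WITH_REPLY, "198.51.100.10", 50000))
```

The inbound allow alone is not enough: the connection only works once the outbound list also permits the reply to the client's ephemeral port.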