- Applies to all new subnets in the VPC until explicitly replaced.
- Permissive by default: allows all inbound and outbound IPv4 traffic.
- State: stateless; return traffic must be explicitly allowed in custom NACLs (the default NACL already allows it).
- Not recommended for production; it is better to create a custom NACL with explicit allow/deny rules.

Default Inbound Rules

| Rule # | Type | Protocol | Port Range | Source | Action |
|---|---|---|---|---|---|
| 100 | All IPv4 Traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 Traffic | All | All | 0.0.0.0/0 | DENY |

Default Outbound Rules

| Rule # | Type | Protocol | Port Range | Destination | Action |
|---|---|---|---|---|---|
| 100 | All IPv4 Traffic | All | All | 0.0.0.0/0 | ALLOW |
| * | All IPv4 Traffic | All | All | 0.0.0.0/0 | DENY |

Best Practice
- Leave the default NACL unchanged; it's useful for troubleshooting and temporary testing.
- For production workloads, create custom NACLs to enforce least privilege.
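
The stateless behaviour and the custom-NACL recommendation above can be checked with a small offline model of NACL evaluation (lowest rule number first, first match wins, `*` as the final DENY). This is an added example, not AWS code; the rule sets, the client address and the 1024-65535 ephemeral range are constructed assumptions.

```python
import ipaddress

# Rule tuple: (rule_number, protocol, (port_lo, port_hi), cidr, action).
# The trailing "*" rule of a real NACL is modelled as the final DENY below.
DEFAULT_NACL = {
    "inbound":  [(100, "all", (0, 65535), "0.0.0.0/0", "ALLOW")],
    "outbound": [(100, "all", (0, 65535), "0.0.0.0/0", "ALLOW")],
}

# Constructed custom NACL: HTTPS allowed in, but no outbound rule for replies.
CUSTOM_MISSING_RETURN = {
    "inbound":  [(100, "tcp", (443, 443), "0.0.0.0/0", "ALLOW")],
    "outbound": [],
}

# Same NACL with the return path opened on the ephemeral port range.
CUSTOM_WITH_RETURN = {
    "inbound":  [(100, "tcp", (443, 443), "0.0.0.0/0", "ALLOW")],
    "outbound": [(100, "tcp", (1024, 65535), "0.0.0.0/0", "ALLOW")],
}


def evaluate(rules, protocol, port, peer_ip):
    """Return the action of the lowest-numbered matching rule, else DENY (*)."""
    peer = ipaddress.ip_address(peer_ip)
    for _num, proto, (lo, hi), cidr, action in sorted(rules):
        if proto not in ("all", protocol):
            continue
        if lo <= port <= hi and peer in ipaddress.ip_network(cidr):
            return action
    return "DENY"


def connection_works(nacl, client_ip, client_port, server_port, protocol="tcp"):
    """A stateless NACL checks the request inbound and the reply outbound."""
    # Inbound rules match on the destination port (the server's listener).
    request = evaluate(nacl["inbound"], protocol, server_port, client_ip)
    # Outbound rules match on the reply's destination port (the client's port).
    reply = evaluate(nacl["outbound"], protocol, client_port, client_ip)
    return request == "ALLOW" and reply == "ALLOW"


if __name__ == "__main__":
    for name, nacl in [("default", DEFAULT_NACL),
                       ("custom, no return rule", CUSTOM_MISSING_RETURN),
                       ("custom, return rule", CUSTOM_WITH_RETURN)]:
        print(name, connection_works(nacl, "203.0.113.10", 51514, 443))
```

The custom NACL without an outbound rule accepts the inbound HTTPS request but drops the reply, which is the failure mode to look for when a newly attached custom NACL breaks connectivity.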