VPC – ACL (Access Control List)

A VPC comes with one default network ACL, and that default ACL allows all inbound and outbound traffic.

You can also create a custom network ACL; by default, a custom network ACL denies all inbound and outbound traffic until rules are added.

Each subnet in the VPC must be associated with a network ACL; if you don't explicitly associate a subnet with a network ACL, it is automatically associated with the default network ACL.

You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. When you associate a network ACL with a subnet, the previous association is removed.

A network ACL contains a numbered list of rules that are evaluated in order, starting with the lowest-numbered rule.
An ACL has separate inbound and outbound rules, and each rule either allows or denies traffic.

Network ACLs are stateless: responses to allowed inbound traffic are subject to the outbound rules, and vice versa.

Note – Ephemeral ports: this is why we cannot browse the application even when inbound and outbound traffic is enabled for port 80/143. Because the ACL is stateless, the response leaves on the client's ephemeral port, and the outbound rules must allow that port too.

Rules are evaluated in numerical order, so rule 100 is evaluated before rule 110. The number is simply the rule's position in the evaluation order.
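To make the two points above concrete (ordered, first-match evaluation and the stateless ephemeral-port problem), here is a small simulator of network ACL evaluation. It is an added example written for these notes, not AWS code: the rule sets, the client address 203.0.113.10 and the ephemeral port 51234 are constructed sample values, and the implicit final "deny everything" rule is modelled by returning deny when no numbered rule matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    number: int             # evaluation order: lowest number is checked first
    action: str             # "allow" or "deny"
    protocol: str           # "tcp", "udp", "icmp" or "all"
    ports: Tuple[int, int]  # inclusive destination-port range
    cidr: str               # source CIDR (inbound) or destination CIDR (outbound)


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int        # destination port in the direction being evaluated
    address: str     # source IP for inbound, destination IP for outbound


def evaluate(rules: List[Rule], packet: Packet) -> Tuple[str, Optional[int]]:
    """Return (action, matching rule number) using first-match-wins in
    ascending rule-number order; no match falls through to the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "all" and rule.protocol != packet.protocol:
            continue
        lo, hi = rule.ports
        if not lo <= packet.port <= hi:
            continue
        if ipaddress.ip_address(packet.address) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, rule.number
    return "deny", None   # the "*" rule at the end of every network ACL


def web_session(inbound: List[Rule], outbound: List[Rule],
                client_ip: str, client_port: int) -> bool:
    """Stateless check: the request is judged by the inbound rules and the
    reply, which goes back to the client's ephemeral port, by the outbound rules."""
    request_ok, _ = evaluate(inbound, Packet("tcp", 80, client_ip))
    reply_ok, _ = evaluate(outbound, Packet("tcp", client_port, client_ip))
    return request_ok == "allow" and reply_ok == "allow"


# Constructed sample rule sets.
INBOUND_WEB = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]

# Common mistake: outbound only mirrors port 80, so replies on ephemeral ports are denied.
OUTBOUND_PORT80_ONLY = [Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0")]

# Corrected: an extra rule allows the ephemeral port range for return traffic.
OUTBOUND_WITH_EPHEMERAL = [
    Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
    Rule(110, "allow", "tcp", (1024, 65535), "0.0.0.0/0"),
]

# Ordering: a specific deny numbered below a broad allow is honoured ...
DENY_FIRST = [
    Rule(100, "deny", "tcp", (80, 80), "203.0.113.0/24"),
    Rule(110, "allow", "tcp", (80, 80), "0.0.0.0/0"),
]
# ... but the same deny numbered above the broad allow is never reached.
ALLOW_FIRST = [
    Rule(100, "allow", "tcp", (80, 80), "0.0.0.0/0"),
    Rule(110, "deny", "tcp", (80, 80), "203.0.113.0/24"),
]


if __name__ == "__main__":
    print("port-80-only outbound, browsing works:",
          web_session(INBOUND_WEB, OUTBOUND_PORT80_ONLY, "203.0.113.10", 51234))
    print("ephemeral range allowed, browsing works:",
          web_session(INBOUND_WEB, OUTBOUND_WITH_EPHEMERAL, "203.0.113.10", 51234))
    print("deny numbered first:", evaluate(DENY_FIRST, Packet("tcp", 80, "203.0.113.10")))
    print("deny numbered second:", evaluate(ALLOW_FIRST, Packet("tcp", 80, "203.0.113.10")))
```

Running it shows the first session failing (the reply to port 51234 matches no outbound rule and hits the implicit deny) and the second succeeding, and it shows that a deny only takes effect when its number is lower than the allow it is meant to override.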