Similar to security groups, Network Access Control Lists (NACLs) also control network traffic, but this time at the network level. NACLs work at the subnet level and control the flow of network traffic in and out of the subnet. Unlike security groups, NACLs are stateless, meaning you have to add explicit response rules for network traffic. When using NACLs in conjunction with security groups, they can be an effective barrier against intrusion. As NACLs operate at the subnet level, you can block restricted traffic to a whole subnet with ease.