When you run this template, AWS will create an isolated, secure network just for you. While it contains a number of resources and concepts that will be familiar to network administrators, it's essentially an empty shell, which you can now go ahead and populate.

For example, each VPC contains a virtual router. You can't see it and you can't log into it to perform any special configuration, but you can customize its behavior by modifying the route tables in this template.

The NACLs we've deployed are not stateful and should not be considered a substitution for security groups. NACLs are complementary to security groups, which are stateful and frankly much easier to change and manage than NACLs. While the NACLs in our recipe allow everywhere (0.0.0.0/0) to make inbound connections to port 22, you'll want to use security groups to lock this down to a specific IP range (your corporate data center, for example).