A security engineer needs to apply network traffic filtering rules at the subnet level rather than the instance level. The solution must be stateless and must explicitly define both inbound and outbound rules, including allowing return traffic. Which AWS feature provides subnet-level stateless traffic control?
Network ACLs (NACLs) are applied at the subnet level and are stateless: each packet is evaluated against the rules independently, with no connection tracking. Both inbound and outbound rules must explicitly allow traffic, including the return traffic for connections initiated from inside the subnet.
Why this answer
Network Access Control Lists (NACLs) are the correct choice because they operate at the subnet level, are stateless (meaning they do not automatically allow return traffic), and require explicit inbound and outbound rules. This matches the requirement for stateless traffic filtering where both directions must be defined separately, including rules for return traffic.
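To make the stateless behaviour concrete, here is a small rule evaluator, written as an added example for this page (it is not AWS code and not part of the original question). It models the NACL semantics described above: rules are checked per packet in ascending rule-number order, the first match wins, and an unmatched packet hits the implicit deny. The subnet, the addresses and the rule tables are constructed for the illustration. The check `exchange_allowed` evaluates the request and its reply as two separate packets, which is exactly why a NACL that forgets an ephemeral-port rule in one direction silently breaks connections that a stateful security group would have handled.

```python
"""Stateless NACL rule evaluation (added example, not AWS's own code).

Semantics modelled: lowest rule number first, first match wins,
implicit deny ('*') for anything unmatched, inbound rules match on
source CIDR + destination port, outbound rules match on destination
CIDR + destination port.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

EPHEMERAL = (1024, 65535)  # port range the connection initiator picks from


@dataclass(frozen=True)
class Rule:
    number: int     # evaluation order
    protocol: str   # "tcp", "udp", "icmp" or "all"
    port_from: int  # destination port range (inclusive)
    port_to: int
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    action: str     # "allow" or "deny"


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def evaluate(rules: List[Rule], pkt: Packet, direction: str) -> Tuple[str, str]:
    """Return (action, matched rule number) for one packet in one direction."""
    remote = pkt.src_ip if direction == "inbound" else pkt.dst_ip
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol not in ("all", pkt.protocol):
            continue
        if not rule.port_from <= pkt.dst_port <= rule.port_to:
            continue
        if ipaddress.ip_address(remote) not in ipaddress.ip_network(rule.cidr):
            continue
        return rule.action, str(rule.number)
    return "deny", "*"  # implicit catch-all deny at the end of every NACL


def reply_of(pkt: Packet) -> Packet:
    """The return packet of a TCP/UDP exchange: addresses and ports swapped."""
    return Packet(pkt.protocol, pkt.dst_ip, pkt.src_ip, pkt.dst_port, pkt.src_port)


def exchange_allowed(inbound: List[Rule], outbound: List[Rule],
                     request: Packet, initiated_from_inside: bool):
    """A stateless filter must allow the request AND its reply independently."""
    if initiated_from_inside:
        req = evaluate(outbound, request, "outbound")
        rep = evaluate(inbound, reply_of(request), "inbound")
    else:
        req = evaluate(inbound, request, "inbound")
        rep = evaluate(outbound, reply_of(request), "outbound")
    return req[0] == "allow" and rep[0] == "allow", req, rep


# Constructed NACL for a subnet 10.0.1.0/24 hosting an HTTPS server.
INBOUND = [
    Rule(100, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # client requests
    Rule(110, "tcp", *EPHEMERAL, "0.0.0.0/0", "allow"),    # replies to instance-initiated traffic
]
OUTBOUND = [
    Rule(100, "tcp", *EPHEMERAL, "0.0.0.0/0", "allow"),    # replies to client requests
    Rule(110, "tcp", 443, 443, "0.0.0.0/0", "allow"),      # instance-initiated HTTPS (updates)
]
# Common misconfiguration: the inbound ephemeral-port rule was never written.
INBOUND_NO_EPHEMERAL = [INBOUND[0]]
# Rule ordering: a lower-numbered deny for one client range beats the allow at 100.
INBOUND_WITH_BLOCK = [Rule(50, "tcp", 443, 443, "203.0.113.0/24", "deny")] + INBOUND

# Constructed sample packets (documentation address ranges).
CLIENT_REQUEST = Packet("tcp", "203.0.113.7", "10.0.1.10", 51234, 443)
INSTANCE_REQUEST = Packet("tcp", "10.0.1.10", "198.51.100.20", 40000, 443)

if __name__ == "__main__":
    print("client -> server :", exchange_allowed(INBOUND, OUTBOUND, CLIENT_REQUEST, False))
    print("server -> update :", exchange_allowed(INBOUND, OUTBOUND, INSTANCE_REQUEST, True))
    print("missing ephemeral:", exchange_allowed(INBOUND_NO_EPHEMERAL, OUTBOUND, INSTANCE_REQUEST, True))
    print("blocked client   :", evaluate(INBOUND_WITH_BLOCK, CLIENT_REQUEST, "inbound"))
```

Running it shows the inbound-initiated and instance-initiated exchanges both succeeding with the full table, the instance-initiated one failing on the reply (`('deny', '*')`) once the inbound ephemeral rule is removed, and the rule-50 deny winning over the rule-100 allow for the blocked client range.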
Exam trap
The trap here is that candidates often confuse security groups (stateful, instance-level) with NACLs (stateless, subnet-level), forgetting that the stateless requirement explicitly demands separate inbound and outbound rules for return traffic.
How to eliminate wrong answers
Option A is wrong because security groups are stateful and operate at the instance level, not the subnet level; they automatically allow return traffic, which violates the stateless requirement. Option C is wrong because AWS WAF is a web application firewall that protects against web exploits at the application layer (HTTP/HTTPS), not a subnet-level network traffic filter. Option D is wrong because VPC route tables control the path of network traffic (routing) between subnets and gateways, not traffic filtering or access control.