A network access control list (ACL) is an optional layer of security that acts as a firewall for controlling traffic in and out of a subnet. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC.

The following ports are recommended by AWS for a single subnet with instances that can receive and send Internet traffic and a private subnet that can't receive traffic directly from the Internet. However, the private subnet can initiate traffic to the Internet (and receive responses) through a NAT instance in the public subnet.

Port 22: inbound SSH traffic.
Port 1433: web servers in the public subnet reading from and writing to MS SQL servers in the private subnet.
Port 3389: inbound RDP traffic from the Microsoft Terminal Services gateway in the public subnet.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Appendix_NACLs.html#VPC_Appendix_NACLs_Scenario_2
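As an added illustration (not code from AWS or from the original text), the following Python model evaluates an inbound NACL rule table the way AWS does: rules are checked in ascending rule-number order, the first match decides, and the implicit final rule denies everything else. The rule numbers, the 10.0.0.0/24 public-subnet CIDR and the probe addresses are assumed values.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; first match wins
    protocol: str    # "tcp", "udp", "icmp" or "all"
    cidr: str        # source CIDR (inbound rule)
    port_from: int
    port_to: int
    action: str      # "allow" or "deny"

    def matches(self, protocol: str, ip: str, port: int) -> bool:
        return (self.protocol in ("all", protocol)
                and ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)

def evaluate(rules, protocol: str, ip: str, port: int) -> str:
    """First matching rule decides; the implicit final '*' rule denies the rest."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, ip, port):
            return rule.action
    return "deny"

# Constructed inbound rule set for the private subnet. Rule numbers and the
# public-subnet CIDR 10.0.0.0/24 are assumed values, not taken from the page.
PUBLIC_SUBNET = "10.0.0.0/24"
PRIVATE_INBOUND = [
    NaclRule(100, "tcp", PUBLIC_SUBNET, 1433, 1433, "allow"),  # MS SQL from web servers
    NaclRule(120, "tcp", PUBLIC_SUBNET, 3389, 3389, "allow"),  # RDP from the TS gateway
    # NACLs are stateless: replies to connections the private subnet opened through
    # the NAT instance arrive on ephemeral ports and need their own allow rule.
    NaclRule(140, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),
]

def private_subnet_checks(rules=PRIVATE_INBOUND) -> dict:
    """Probe the table with constructed packets (203.0.113.0/24 is a documentation range)."""
    return {
        "sql_from_web_tier": evaluate(rules, "tcp", "10.0.0.5", 1433),
        "rdp_from_gateway": evaluate(rules, "tcp", "10.0.0.9", 3389),
        "ssh_from_internet": evaluate(rules, "tcp", "203.0.113.7", 22),
        # 1433 falls inside the ephemeral range, so rule 140 lets this through the NACL
        "sql_from_internet": evaluate(rules, "tcp", "203.0.113.7", 1433),
        "nat_reply_ephemeral": evaluate(rules, "tcp", "203.0.113.7", 50000),
    }

def with_host_block(rules, host_cidr: str) -> list:
    """Ordering matters: a lower-numbered deny shadows the later allow for that host."""
    return [NaclRule(90, "all", host_cidr, 0, 65535, "deny")] + list(rules)
```

The `sql_from_internet` probe shows why the stateful security group stays the primary control: the stateless ephemeral-port rule needed for NAT return traffic also passes unsolicited packets to any port above 1023 at the NACL layer.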