B. The default network ACL is configured to allow all traffic. When you create a VPC, AWS automatically creates a default network ACL for that VPC and associates it with all the subnets in the VPC [1]. By default, the default network ACL allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic [1]. You can modify the default network ACL, but you cannot delete it [1].

C. Network ACLs are stateless, and inbound and outbound rules are used for traffic filtering. Network ACLs do not keep track of the traffic that they allow or deny; they evaluate each packet separately [1]. Therefore, you need to create both inbound and outbound rules for each type of traffic that you want to allow or deny [1]. For example, if you want to allow SSH traffic from a specific IP address to your subnet, you need to create an inbound rule that allows TCP port 22 from that IP address, and an outbound rule that allows TCP ports 1024-65535 (the ephemeral ports) to that IP address [2].
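The SSH example above can be made concrete with a small model of how a network ACL evaluates packets. This is an added illustration, not code from the page or from AWS: it models the documented behaviour (rules evaluated in ascending rule-number order, first match wins, an implicit final deny, no connection tracking) and shows that an inbound rule for port 22 alone lets the SYN in but drops the reply, while adding the outbound ephemeral-port rule lets the session complete. The IP addresses, rule numbers and the packet pair are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class NaclRule:
    """One network ACL entry. For TCP/UDP rules the port range is matched against
    the packet's destination port; the CIDR is the source for inbound rules and
    the destination for outbound rules."""
    number: int      # rule number; lower numbers are evaluated first
    action: str      # "allow" or "deny"
    protocol: str    # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str


@dataclass(frozen=True)
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def evaluate(rules: List[NaclRule], packet: Packet, direction: str) -> str:
    """Stateless evaluation of one packet against one rule set.
    Rules are checked in ascending rule-number order, the first match decides,
    and a packet that matches nothing hits the implicit final '*' deny rule.
    Nothing is remembered between packets, so a reply needs its own rule."""
    peer_ip = ipaddress.ip_address(packet.src_ip if direction == "inbound" else packet.dst_ip)
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != packet.protocol:
            continue
        if peer_ip not in ipaddress.ip_network(rule.cidr, strict=False):
            continue
        if rule.protocol in ("tcp", "udp") and not (rule.port_from <= packet.dst_port <= rule.port_to):
            continue
        return rule.action
    return "deny"


# Constructed sample addresses: an administrator on the documentation range
# 203.0.113.0/24 connecting to an instance in a 10.0.1.0/24 subnet.
ADMIN_IP = "203.0.113.10"
INSTANCE_IP = "10.0.1.25"

# Only the inbound half of the SSH flow is allowed: the common mistake.
INBOUND_ONLY: Dict[str, List[NaclRule]] = {
    "inbound": [NaclRule(100, "allow", "tcp", 22, 22, f"{ADMIN_IP}/32")],
    "outbound": [],
}

# Inbound SSH plus an outbound rule for the reply traffic on the ephemeral ports.
COMPLETE: Dict[str, List[NaclRule]] = {
    "inbound": [NaclRule(100, "allow", "tcp", 22, 22, f"{ADMIN_IP}/32")],
    "outbound": [NaclRule(100, "allow", "tcp", 1024, 65535, f"{ADMIN_IP}/32")],
}


def ssh_session_verdict(acl: Dict[str, List[NaclRule]]) -> Tuple[str, str]:
    """Return (verdict for the SYN arriving on port 22, verdict for the SYN-ACK
    leaving from port 22 to the client's ephemeral port)."""
    request = Packet("tcp", ADMIN_IP, 51514, INSTANCE_IP, 22)
    reply = Packet("tcp", INSTANCE_IP, 22, ADMIN_IP, 51514)
    return (
        evaluate(acl["inbound"], request, "inbound"),
        evaluate(acl["outbound"], reply, "outbound"),
    )


if __name__ == "__main__":
    for name, acl in (("inbound rule only", INBOUND_ONLY), ("inbound + ephemeral outbound", COMPLETE)):
        inbound, outbound = ssh_session_verdict(acl)
        print(f"{name:30} request={inbound:5} reply={outbound:5}")
```

Running the script prints `allow`/`deny` for the first rule set and `allow`/`allow` for the second. The same evaluator also shows why rule numbering matters: a deny entry with a lower number than the allow entry takes precedence for any packet both would match.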
The other options are incorrect because:

You can use network ACLs and security groups at the same time. Network ACLs and security groups are two different security layers for your VPC that work together to control traffic [3]. A network ACL acts as a firewall for your subnets, while a security group acts as a firewall for your instances [3]. You can use both to create a more granular and effective security policy for your VPC.

Network ACLs are not tied to an instance. Network ACLs are associated with subnets, not instances [1], so a network ACL applies to all the instances in the subnets it is associated with [1]. You cannot associate a network ACL with a specific instance. However, you can associate a security group with a specific instance or with multiple instances [3].