A
VPC is an isolated virtual network in the cloud — with its own subnets, routing, security groups (stateful firewalls), and NACLs (stateless ACLs). Foundation of cloud network security.
Security groups = stateful (track connections), applied to instances. NACLs = stateless (apply rules in order), applied to subnets. Default security group allows all outbound — restrict egress to principle of least privilege.