Which AWS tool or feature acts as a VPC firewall at the subnet level?

Explanations:

Security groups act as virtual firewalls for EC2 instances at the instance level, not the subnet level.

Network ACLs (Access Control Lists) operate at the subnet level and control inbound and outbound traffic for subnets.

Traffic Mirroring is used to capture and inspect network traffic, not to control access or act as a firewall.

An Internet gateway is used to allow communication between instances in a VPC and the internet; it is not a firewall.