Which AWS tool acts as a firewall to control traffic in and out of subnets within a VPC?

Explanations:

Security groups are stateful firewalls that control inbound and outbound traffic to AWS resources, but they operate at the instance level rather than at the subnet level.

Route tables determine how traffic is directed within a VPC but do not function as firewalls or control access to subnets.

VPC endpoints enable private connections to AWS services without using an Internet Gateway or NAT device, but they do not control traffic flow like a firewall.

Network access control lists (ACLs) are stateless firewalls that control inbound and outbound traffic at the subnet level in a VPC, making them suitable for controlling traffic to and from subnets.