The question asks:
Which of the following would you use to block inbound network traffic from a known IP address range from reaching your VPC subnet?
VPC Flow Log
The ‘correct’ answer is listed as ‘Network ACL’, but I would argue that this is evaluated within the VPC, so at that point the VPC has been reached. According to https://docs.aws.amazon.com/waf/latest/developerguide/web-acl-ip-conditions.html I would argue that the AWS WAF would be the correct answer and that IP addresses can be configured here to be blocked, and thus blocked from reaching the VPC, and blocked from any VPC subnet. Am I reading it wrong?
The question is about VPC Subnet, so focus on subnet, not VPC, so NACL is clearly the correct and only choice.