Yes, you can have an NACL without any subnets associate with it, but the NACL will not have an effect on any subnets in that case. The NACL is a resource that defines behaviors (network rules), and the subnet is a piece of the network that those rules apply to. It wouldn't make much sense to create an NACL without the intention to define a subnet, but you might create two different NACLs, and switch them on and off of the same subnet while you're testing network security, for example. You can also store multiple NACLs without applying them in case you want to create a new rule but want to easily revert back to the previous one (by applying it again). In short, NACLs provide a way to organize and manage network rules, as well as define the rules themselves. Hope that helps!