Publicly routable IP addresses don't get rewritten when they pass through the NAT instance.
You'll need to leave the entire public Internet address space as permissible on the private subnet in the network ACLs. If the private subnet lacks an Internet gateway and its default route points to the NAT instance, public Internet addresses will only arrive indirectly via the NAT instance.
VPC network ACLs are useful to limit access between instances inside a VPC, but their stateless nature makes them cumbersome for the type of configuration you describe: an ACL doesn't keep track of a connection that matched an allowed outbound rule in order to permit the corresponding inbound traffic, so you're forced to approximate by allowing ephemeral port ranges for inbound traffic.
A more flexible approach is to use a combination of VPC routing, the absence of an Internet gateway on the private subnet, and a good iptables configuration in the NAT instance to control traffic to and from publicly routable IP space, while leaving the network ACL for private subnet instances permissive-by-default with respect to publicly routable IP space. In such an environment, placement in the private subnet is sufficient to protect instances from any outside traffic the NAT instance does not pass.
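As an added example (not part of the original answer), here is a NAT-instance iptables ruleset of the kind described above: deny-by-default forwarding, new outbound connections only from the private subnet on a few ports, return traffic via conntrack, and source NAT on the public interface. The private subnet 10.0.1.0/24, the interface name eth0 and the allowed port list are hypothetical values; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example: iptables rules for a NAT instance fronting a private subnet.
# Not from the original post. Assumptions (hypothetical): eth0 is the only
# interface, the private subnet is 10.0.1.0/24, and the instance has a public
# IP. DRY_RUN=1 prints the commands instead of running them.

PRIVATE_CIDR="${PRIVATE_CIDR:-10.0.1.0/24}"
IFACE="${IFACE:-eth0}"
# Outbound TCP ports the private subnet may open to the public Internet.
ALLOWED_TCP_PORTS="${ALLOWED_TCP_PORTS:-80 443}"

ipt() {
    if [ -n "$DRY_RUN" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

apply_nat_rules() {
    # The kernel must forward packets between the private subnet and eth0.
    if [ -z "$DRY_RUN" ]; then
        sysctl -w net.ipv4.ip_forward=1 >/dev/null
    fi

    # Start from a clean, deny-by-default FORWARD chain.
    ipt -F FORWARD
    ipt -t nat -F POSTROUTING
    ipt -P FORWARD DROP

    # Return traffic for connections the NAT instance already tracks; this is
    # the stateful match that a network ACL cannot do.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # New outbound connections from the private subnet, restricted by port.
    for port in $ALLOWED_TCP_PORTS; do
        ipt -A FORWARD -s "$PRIVATE_CIDR" -o "$IFACE" -p tcp --dport "$port" \
            -m conntrack --ctstate NEW -j ACCEPT
    done
    # DNS lookups from the private subnet.
    ipt -A FORWARD -s "$PRIVATE_CIDR" -o "$IFACE" -p udp --dport 53 -j ACCEPT

    # Anything else, including unsolicited inbound packets for the private
    # subnet, falls through to the DROP policy; log those for troubleshooting.
    ipt -A FORWARD -d "$PRIVATE_CIDR" -m conntrack --ctstate NEW \
        -j LOG --log-prefix "nat-drop-inbound: "

    # Rewrite the source of forwarded packets to the instance's own address.
    ipt -t nat -A POSTROUTING -s "$PRIVATE_CIDR" -o "$IFACE" -j MASQUERADE
}

# Number of rules that let the private subnet open new outbound TCP
# connections; a quick sanity check on the generated ruleset.
count_new_outbound_rules() {
    DRY_RUN=1 apply_nat_rules | grep -c -- '--ctstate NEW -j ACCEPT'
}

case "${1:-}" in
    show)  DRY_RUN=1 apply_nat_rules ;;
    apply) apply_nat_rules ;;
esac
```

Run `sh nat-rules.sh show` to review the generated commands and `sudo sh nat-rules.sh apply` on the NAT instance to install them. Remember that the instance also needs source/destination checking disabled in EC2, or it will drop the forwarded packets before iptables ever sees them.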
It's request-count based for HTTP(S), and round robin for other protocols.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/TerminologyandKeyConcepts.html#request-routing
Before a client sends a request to your load balancer, it first resolves the load balancer's domain name with the Domain Name System (DNS) servers. The DNS server uses DNS round robin to determine which load balancer node in a specific Availability Zone will receive the request.

The selected load balancer node then sends the request to healthy instances within the same Availability Zone. To determine the healthy instances, the load balancer node uses either the round robin (for TCP connections) or the least outstanding request (for HTTP/HTTPS connections) routing algorithm. The least outstanding request routing algorithm favors back-end instances with the fewest connections or outstanding requests.
Best Answer
Load balancers need subnets to run, so you can set up NACLs at the subnet level for each subnet the ELB is provisioned in. But if you're already using AWS WAF in front of your ALB, why do you need to set up a NACL at that level? If you're using CloudFront in front of the ALBs, you can set up your ALB security groups to only be accessible from CloudFront IP address ranges using this AWS Labs code
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
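As an added example (it is neither the answer's nor the AWS Labs code), the script below shows the mechanism that answer relies on: pull the CloudFront prefixes out of AWS's published ip-ranges.json and turn each one into an HTTPS ingress rule on the ALB's security group. The security group id sg-0123456789abcdef0 is hypothetical, and the embedded JSON is a constructed excerpt in the real file's layout; the `live` mode fetches the real file from https://ip-ranges.amazonaws.com/ip-ranges.json instead.

```shell
#!/bin/sh
# Added example, not from the original answer or the AWS Labs project:
# restrict an ALB security group to CloudFront's published IP ranges.
# Assumptions: hypothetical SG id; constructed ip-ranges.json excerpt below.

SG_ID="${SG_ID:-sg-0123456789abcdef0}"
IP_RANGES_URL="https://ip-ranges.amazonaws.com/ip-ranges.json"

# Constructed excerpt in the layout of the real file (prefixes are documentation
# ranges, not real CloudFront addresses).
SAMPLE_JSON='{
  "syncToken": "0",
  "createDate": "2024-01-01-00-00-00",
  "prefixes": [
    { "ip_prefix": "198.51.100.0/24", "region": "us-east-1", "service": "AMAZON", "network_border_group": "us-east-1" },
    { "ip_prefix": "203.0.113.0/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" },
    { "ip_prefix": "203.0.113.128/25", "region": "GLOBAL", "service": "CLOUDFRONT", "network_border_group": "GLOBAL" },
    { "ip_prefix": "192.0.2.0/24", "region": "eu-west-1", "service": "EC2", "network_border_group": "eu-west-1" }
  ]
}'

# Read ip-ranges JSON on stdin, print one CloudFront IPv4 prefix per line.
# Pure tr/grep/sed so it runs without jq: every JSON object is squashed onto
# its own line, then filtered by service. The "ipv6_prefix" entries of the
# real file never match the "ip_prefix" pattern, so only IPv4 comes out.
# With jq available, prefer:
#   jq -r '.prefixes[] | select(.service=="CLOUDFRONT") | .ip_prefix'
cloudfront_prefixes() {
    tr -d ' \n' | tr '}' '\n' | grep '"service":"CLOUDFRONT"' \
        | sed -n 's/.*"ip_prefix":"\([^"]*\)".*/\1/p'
}

# Print the CLI call under DRY_RUN=1, otherwise execute it.
aws_cli() {
    if [ -n "$DRY_RUN" ]; then
        echo "aws $*"
    else
        aws "$@"
    fi
}

# Read ip-ranges JSON on stdin and add one HTTPS ingress rule per prefix.
authorize_cloudfront_https() {
    for prefix in $(cloudfront_prefixes); do
        aws_cli ec2 authorize-security-group-ingress --group-id "$SG_ID" \
            --protocol tcp --port 443 --cidr "$prefix"
    done
}

# Number of CloudFront prefixes in the constructed sample (sanity check).
count_cloudfront_prefixes() {
    printf '%s' "$SAMPLE_JSON" | cloudfront_prefixes | wc -l | tr -d ' '
}

case "${1:-}" in
    sample) printf '%s' "$SAMPLE_JSON" | DRY_RUN=1 authorize_cloudfront_https ;;
    live)   curl -s "$IP_RANGES_URL" | authorize_cloudfront_https ;;
esac
```

`sh cloudfront-sg.sh sample` prints the commands for the embedded excerpt; `sh cloudfront-sg.sh live` runs them against the current published list. Two caveats before using this in anger: the real CloudFront list is far longer than the inbound-rule quota of a single security group, which is why the AWS Labs tool spreads the rules across several groups attached to the ALB, and the list changes over time, so the update has to be re-run (AWS publishes changes on the AmazonIpSpaceChanged SNS topic) and stale rules removed. Accounts that can use AWS-managed prefix lists can instead reference the com.amazonaws.global.cloudfront.origin-facing prefix list directly in the security group and skip the whole sync.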