Last updated on August 5, 2024
| Security Group | Network Access Control List |
| --- | --- |
| Acts as a firewall for associated Amazon EC2 instances. | Acts as a firewall for associated subnets. |
| Controls both inbound and outbound traffic at the instance level. | Controls both inbound and outbound traffic at the subnet level. |
| You can secure your VPC instances using only security groups. | Network ACLs are an additional layer of defense. |
| Supports allow rules only. | Supports allow rules and deny rules. |
| Stateful: return traffic is automatically allowed, regardless of any rules. | Stateless: return traffic must be explicitly allowed by rules. |
| Evaluates all rules before deciding whether to allow traffic. | Evaluates rules in number order when deciding whether to allow traffic, starting with the lowest-numbered rule; the first matching rule wins. |
| Applies only to the instances it is associated with. | Applies to all instances in the subnet it is associated with. |
| Has separate rules for inbound and outbound traffic. | Has separate rules for inbound and outbound traffic. |
| A newly created security group denies all inbound traffic by default. | The default NACL allows all inbound and outbound traffic by default. |
| A newly created security group has an outbound rule that allows all outbound traffic by default. | A custom NACL denies all inbound and outbound traffic by default until you explicitly add rules to allow traffic. |
| Instances associated with a security group can't talk to each other unless you add rules allowing it. | Each subnet in your VPC must be associated with a network ACL. If none is associated explicitly, the default network ACL is used. |
| Security groups are associated with network interfaces. | You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. |
Your VPC has a default security group with the following rules:
- Allow inbound traffic from instances assigned to the same security group.
- Allow all outbound IPv4 traffic, and all outbound IPv6 traffic if you have allocated an IPv6 CIDR block.

Your VPC has a default network ACL with the following rules:
- Allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- Each network ACL also includes a non-modifiable, non-removable rule whose rule number is an asterisk (*). This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied.
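The following is an added example, not code from the page or from AWS: a small simulator of the two evaluation models described above. It shows that a security group matches against all of its allow-only rules, that a network ACL stops at the first matching rule in number order and falls through to the asterisk deny rule, and that, because a NACL is stateless, a connection's return packet to the client's ephemeral port must be allowed by an outbound rule. All rule numbers, CIDRs and ports are constructed sample values.

```python
import ipaddress

def sg_allows(rules, remote_ip, port):
    """Security group: allow-only rules, all evaluated; any match allows, else implicit deny."""
    ip = ipaddress.ip_address(remote_ip)
    return any(ip in ipaddress.ip_network(r["cidr"]) and r["from"] <= port <= r["to"]
               for r in rules)

def nacl_allows(rules, remote_ip, port):
    """Network ACL: rules evaluated in ascending number order; the first match decides.
    Anything matching no numbered rule hits the non-removable '*' rule and is denied."""
    ip = ipaddress.ip_address(remote_ip)
    for r in sorted(rules, key=lambda r: r["num"]):
        if ip in ipaddress.ip_network(r["cidr"]) and r["from"] <= port <= r["to"]:
            return r["action"] == "allow"
    return False  # the '*' rule

# Constructed sample rule sets (security group rules have no number or action).
SG_INBOUND = [{"cidr": "0.0.0.0/0", "from": 443, "to": 443}]
NACL_INBOUND = [
    {"num": 100, "action": "deny",  "cidr": "203.0.113.0/24", "from": 0,   "to": 65535},
    {"num": 200, "action": "allow", "cidr": "0.0.0.0/0",      "from": 443, "to": 443},
]
NACL_OUTBOUND_NO_EPHEMERAL = [
    {"num": 100, "action": "allow", "cidr": "0.0.0.0/0", "from": 443, "to": 443},
]
NACL_OUTBOUND_WITH_EPHEMERAL = NACL_OUTBOUND_NO_EPHEMERAL + [
    {"num": 200, "action": "allow", "cidr": "0.0.0.0/0", "from": 1024, "to": 65535},
]

def sg_roundtrip(inbound, client_ip, client_port, server_port):
    """Stateful: if the request is allowed in, the reply is allowed out automatically."""
    return sg_allows(inbound, client_ip, server_port)

def nacl_roundtrip(inbound, outbound, client_ip, client_port, server_port):
    """Stateless: the request must pass the inbound rules AND the reply to the client's
    ephemeral port must pass the outbound rules, or the connection silently fails."""
    return (nacl_allows(inbound, client_ip, server_port)
            and nacl_allows(outbound, client_ip, client_port))

if __name__ == "__main__":
    print("SG 443:", sg_roundtrip(SG_INBOUND, "198.51.100.7", 50000, 443))
    print("NACL, no ephemeral rule:",
          nacl_roundtrip(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, "198.51.100.7", 50000, 443))
    print("NACL, with ephemeral rule:",
          nacl_roundtrip(NACL_INBOUND, NACL_OUTBOUND_WITH_EPHEMERAL, "198.51.100.7", 50000, 443))
```

Swapping the two inbound NACL rule numbers makes the allow rule match first for 203.0.113.0/24, so the deny rule is never reached; rule numbering, not rule presence, determines the outcome.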