Last updated on August 5, 2024
| Security Group | Network Access Control List |
|---|---|
| Acts as a firewall for associated Amazon EC2 instances (more precisely, for their elastic network interfaces). | Acts as a firewall for associated subnets. |
| Controls both inbound and outbound traffic at the instance level. | Controls both inbound and outbound traffic at the subnet level. |
| You can secure your VPC instances using only security groups. | Network ACLs are an additional, optional layer of defense on top of security groups. |
| Supports allow rules only; there is no way to write an explicit deny. | Supports both allow rules and deny rules. |
| Stateful: return traffic for an allowed connection is automatically permitted, regardless of the rules in the opposite direction. | Stateless: return traffic must be explicitly allowed by rules, so replies to ephemeral client ports (commonly 1024-65535) need their own rule. |
| Evaluates all rules before deciding whether to allow traffic; if any rule matches, the traffic is allowed. | Evaluates rules in ascending rule-number order, starting with the lowest number; the first rule that matches decides, and later rules are not consulted. |
| Applies only to the instances (network interfaces) it is associated with. | Applies to all instances in the subnet it is associated with. |
| Has separate rules for inbound and outbound traffic. | Has separate rules for inbound and outbound traffic. |
| A newly created security group has no inbound rules, so all inbound traffic is denied by default. | The default network ACL allows all inbound and outbound traffic by default. |
| A newly created security group has an outbound rule that allows all outbound traffic by default. | A custom network ACL denies all inbound and outbound traffic by default until you explicitly add rules to allow traffic. |
| Instances associated with a newly created security group can't talk to each other unless you add rules allowing it (for example, an inbound rule whose source is the security group itself). | Each subnet in your VPC must be associated with a network ACL. If you don't associate one explicitly, the subnet uses the VPC's default network ACL. |
| Security groups are associated with network interfaces; an interface can have several security groups, and one security group can be attached to many interfaces. | You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. |
Your VPC has a default security group with the following rules:
- Allow inbound traffic from instances assigned to the same security group.
- Allow all outbound IPv4 traffic, and all outbound IPv6 traffic if you have allocated an IPv6 CIDR block to the VPC.
Your VPC has a default network ACL with the following rules:
- Allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- Each network ACL also includes a non-modifiable, non-removable rule whose rule number is an asterisk (*). This rule ensures that a packet that doesn't match any of the numbered rules is denied.
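The differences in the table (allow-only vs allow/deny, stateful vs stateless, all-rules vs first-match ordering, and the implicit `*` deny described above) are easiest to see by evaluating sample packets against both rule models. The following is an added example written for this page, not AWS code: a small offline model of the two evaluation semantics. The `Packet`, `Rule`, `SecurityGroup` and `NetworkAcl` classes, the addresses (from the documentation-reserved ranges), the ports and the rules are all constructed for illustration and are assumptions of the example rather than real VPC resources.

```python
"""Offline model of how AWS evaluates security group and network ACL rules.

Added example, not AWS code. Rule fields mirror the console (protocol,
port range, CIDR; plus a rule number and allow/deny for network ACLs).
All addresses, ports and rules below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The return packet for this packet (addresses and ports swapped)."""
        return Packet(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp", "udp", "icmp" or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"
    number: int = 0     # network ACL rule number; unused by security groups

    def matches(self, pkt, direction):
        # Inbound rules are keyed on the remote source, outbound on the remote destination.
        peer = pkt.src if direction == "in" else pkt.dst
        if self.proto != "-1":
            if self.proto != pkt.proto:
                return False
            if not self.port_from <= pkt.dport <= self.port_to:
                return False
        return ip_address(peer) in ip_network(self.cidr)


class SecurityGroup:
    """Allow-only and stateful: every rule is evaluated, any match allows,
    and replies to an already-allowed flow pass without an explicit rule."""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()   # connection tracking: flows admitted so far

    def allows(self, pkt, direction):
        if pkt.reply() in self.tracked:      # return traffic of a tracked flow
            return True
        if any(r.matches(pkt, direction) for r in self.rules[direction]):
            self.tracked.add(pkt)
            return True
        return False


class NetworkAcl:
    """Allow-or-deny and stateless: rules are tried in ascending number,
    the first match decides, and the implicit '*' rule denies everything else."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": sorted(inbound, key=lambda r: r.number),
                      "out": sorted(outbound, key=lambda r: r.number)}

    def allows(self, pkt, direction):
        for r in self.rules[direction]:
            if r.matches(pkt, direction):
                return r.action == "allow"
        return False   # the '*' rule: no numbered rule matched


ANY = "0.0.0.0/0"
CLIENT = Packet("203.0.113.5", 51000, "10.0.1.10", 443)   # constructed HTTPS request


def security_group_scenario():
    # Inbound HTTPS only, and deliberately *no* outbound rules at all.
    sg = SecurityGroup(inbound=[Rule("tcp", 443, 443, ANY)], outbound=[])
    return {
        "request_in": sg.allows(CLIENT, "in"),            # allowed by the rule
        "reply_out": sg.allows(CLIENT.reply(), "out"),    # allowed by state, no rule needed
        "ssh_in": sg.allows(Packet("203.0.113.5", 51001, "10.0.1.10", 22), "in"),  # no rule: denied
    }


def nacl_scenario():
    inbound = [
        Rule("tcp", 443, 443, "203.0.113.0/24", action="deny", number=100),
        Rule("tcp", 443, 443, ANY, action="allow", number=200),
    ]
    naive = NetworkAcl(inbound, outbound=[Rule("tcp", 443, 443, ANY, number=100)])
    fixed = NetworkAcl(inbound, outbound=[
        Rule("tcp", 443, 443, ANY, number=100),
        Rule("tcp", 1024, 65535, ANY, number=110),   # ephemeral ports for reply traffic
    ])
    other = Packet("198.51.100.7", 40000, "10.0.1.10", 443)
    return {
        "blocked_client_in": naive.allows(CLIENT, "in"),        # rule 100 matches first: denied
        "other_client_in": naive.allows(other, "in"),           # rule 100 skipped, 200 allows
        "reply_naive_out": naive.allows(other.reply(), "out"),  # dport 40000 unmatched: '*' denies
        "reply_fixed_out": fixed.allows(other.reply(), "out"),  # rule 110 allows the reply
    }


if __name__ == "__main__":
    print(security_group_scenario())
    print(nacl_scenario())
```

Two things the run makes concrete: the security group passes the HTTPS reply with no outbound rule at all because the flow was tracked, whereas the "naive" network ACL silently drops the same reply, since the server's response is addressed to the client's ephemeral port and nothing numbered matches it before the `*` rule. The network ACL also shows why rule numbering matters: the deny at 100 for `203.0.113.0/24` wins over the broader allow at 200, and swapping the numbers would let that client through.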