Security Group vs NACL


Last updated on January 25, 2024

| Security Group | Network Access Control List |
|---|---|
| Acts as a firewall for associated Amazon EC2 instances. | Acts as a firewall for associated subnets. |
| Controls both inbound and outbound traffic at the instance level. | Controls both inbound and outbound traffic at the subnet level. |
| You can secure your VPC instances using only security groups. | Network ACLs are an additional layer of defense. |
| Supports allow rules only. | Supports allow rules and deny rules. |
| Stateful (return traffic is automatically allowed, regardless of any rules). | Stateless (return traffic must be explicitly allowed by rules). |
| Evaluates all rules before deciding whether to allow traffic. | Evaluates rules in number order when deciding whether to allow traffic, starting with the lowest numbered rule. |
| Applies only to the instance that is associated with it. | Applies to all instances in the subnet it is associated with. |
| Has separate rules for inbound and outbound traffic. | Has separate rules for inbound and outbound traffic. |
| A newly created security group denies all inbound traffic by default. | A newly created network ACL denies all inbound traffic by default. |
| A newly created security group has an outbound rule that allows all outbound traffic by default. | A newly created network ACL denies all outbound traffic by default. |
| Instances associated with a security group can't talk to each other unless you add rules allowing it. | Each subnet in your VPC must be associated with a network ACL. If none is associated, the default network ACL is selected. |
| Security groups are associated with network interfaces. | You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. |

Your VPC has a default security group with the following rules:

  1. Allow inbound traffic from instances assigned to the same security group.
  2. Allow all outbound IPv4 traffic and IPv6 traffic if you have allocated an IPv6 CIDR block.
Your VPC has a default network ACL with the following rules:

  1. Allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
  2. Each network ACL also includes a non-modifiable and non-removable rule whose rule number is an asterisk. This rule ensures that if a packet doesn't match any of the other numbered rules, it's denied.
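To make the stateful-versus-stateless and rule-ordering differences in the table concrete, the following Python model evaluates one TCP connection against a security group and against a network ACL. It is an added example, not code from this cheat sheet or from AWS; the rule sets, the client address 203.0.113.10 and the ephemeral port 50000 are constructed for illustration, and the functions (`sg_allows`, `nacl_decision`, and the two `*_connection_ok` helpers) are hypothetical names, not an AWS API.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    protocol: str                 # "tcp", "udp", or "-1" for all protocols
    port_from: int
    port_to: int
    cidr: str
    action: str = "allow"         # security groups only ever carry "allow"
    number: Optional[int] = None  # NACL rule number; unused by security groups


@dataclass(frozen=True)
class Packet:
    protocol: str
    port: int        # the port the rule is written against
    remote_ip: str   # source address (inbound) or destination address (outbound)


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if a single rule covers this packet's protocol, port and address."""
    if rule.protocol not in ("-1", pkt.protocol):
        return False
    if rule.protocol != "-1" and not rule.port_from <= pkt.port <= rule.port_to:
        return False
    return ip_address(pkt.remote_ip) in ip_network(rule.cidr)


def sg_allows(rules: List[Rule], pkt: Packet) -> bool:
    """Security group: every rule is considered and any matching rule permits.
    There are no deny rules, so a packet that matches nothing is dropped."""
    return any(matches(r, pkt) for r in rules)


def nacl_decision(rules: List[Rule], pkt: Packet) -> str:
    """Network ACL: rules are tried in ascending number order and the first match
    decides; the non-removable '*' rule denies whatever reaches the end."""
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, pkt):
            return r.action
    return "deny"


def sg_connection_ok(inbound: List[Rule], request: Packet) -> bool:
    """Stateful: if the inbound request is allowed, the reply is allowed
    automatically, so the outbound rules are never consulted for it."""
    return sg_allows(inbound, request)


def nacl_connection_ok(inbound: List[Rule], outbound: List[Rule],
                       request: Packet, reply: Packet) -> bool:
    """Stateless: the request and its reply are judged independently, so the
    reply to an ephemeral client port needs its own outbound allow rule."""
    return (nacl_decision(inbound, request) == "allow"
            and nacl_decision(outbound, reply) == "allow")


# Constructed sample traffic: a client at 203.0.113.10 opens a TCP connection
# from ephemeral port 50000 to an instance's HTTPS port 443.
REQUEST = Packet("tcp", 443, "203.0.113.10")    # inbound, destination port 443
REPLY = Packet("tcp", 50000, "203.0.113.10")    # outbound, destination port 50000

SG_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0")]

NACL_INBOUND = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
# Mirroring the inbound rule on the outbound side is a common mistake: the
# reply goes to the client's ephemeral port, not to port 443.
NACL_OUTBOUND_NO_EPHEMERAL = [Rule("tcp", 443, 443, "0.0.0.0/0", number=100)]
NACL_OUTBOUND_WITH_EPHEMERAL = NACL_OUTBOUND_NO_EPHEMERAL + [
    Rule("tcp", 1024, 65535, "0.0.0.0/0", number=110),
]

# Rule ordering: a deny for 203.0.113.0/24 numbered below the broad allow wins;
# the same deny numbered above the allow is never reached for that client.
NACL_INBOUND_DENY_FIRST = NACL_INBOUND + [Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 50)]
NACL_INBOUND_DENY_LAST = NACL_INBOUND + [Rule("tcp", 443, 443, "203.0.113.0/24", "deny", 150)]

if __name__ == "__main__":
    print("security group, reply implicit:     ",
          sg_connection_ok(SG_INBOUND, REQUEST))
    print("NACL without ephemeral outbound rule:",
          nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND_NO_EPHEMERAL, REQUEST, REPLY))
    print("NACL with ephemeral outbound rule:   ",
          nacl_connection_ok(NACL_INBOUND, NACL_OUTBOUND_WITH_EPHEMERAL, REQUEST, REPLY))
    print("NACL deny numbered 50, allow 100:    ",
          nacl_decision(NACL_INBOUND_DENY_FIRST, REQUEST))
    print("NACL allow numbered 100, deny 150:   ",
          nacl_decision(NACL_INBOUND_DENY_LAST, REQUEST))
```

The two behaviours worth checking in your own VPC follow directly from the model: a network ACL that only mirrors the inbound port on the outbound side silently breaks every connection because the reply to the client's ephemeral port is denied by the `*` rule, and a deny rule only takes effect against an overlapping allow if its number is lower.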

Written by: Jon Bonso

Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
