Last updated on August 5, 2024
| Security Group | Network Access Control List |
| Acts as a firewall for associated Amazon EC2 instances. |
Acts as a firewall for associated subnets. |
| Controls both inbound and outbound traffic at the instance level. |
Controls both inbound and outbound traffic at the subnet level. |
| You can secure your VPC instances using only security groups. |
Network ACLs are an additional layer of defense. |
| Supports allow rules only. |
Supports allow rules and deny rules. |
| Stateful (Return traffic is automatically allowed, regardless of any rules). |
Stateless (Return traffic must be explicitly allowed by rules). |
| Evaluates all rules before deciding whether to allow traffic. |
Evaluates rules in number order when deciding whether to allow traffic, starting with the lowest numbered rule. |
| Applies only to the instance that is associated to it. |
Applies to all instances in the subnet it is associated with. |
| Has separate rules for inbound and outbound traffic. |
Has separate rules for inbound and outbound traffic. |
| A newly created security group denies all inbound traffic by default. | A default NACL allows inbound and outbound traffic by default. |
| A newly created security group has an outbound rule that allows all outbound traffic by default | A custom NACLs deny inbound and outbound traffic by default unless you explicitly add rules to allow traffic. |
| Instances associated with a security group can’t talk to each other unless you add rules allowing it. | Each subnet in your VPC must be associated with a network ACL. If none is associated, the default nACL is selected. |
| Security groups are associated with network interfaces. | You can associate a network ACL with multiple subnets; however, a subnet can be associated with only one network ACL at a time. |
Your VPC has a default security group with the following rules:
- Allow inbound traffic from instances assigned to the same security group.
- Allow all outbound IPv4 traffic and IPv6 traffic if you have allocated an IPv6 CIDR block.
Your VPC has a default network ACL with the following rules:
- Allows all inbound and outbound IPv4 traffic and, if applicable, IPv6 traffic.
- Each network ACL also includes a non modifiable and non removable rule whose rule number is an asterisk. This rule ensures that if a packet doesn’t match any of the other numbered rules, it’s denied.
🚀 AWS PlayCloud Sale – Get 10% OFF ALL PLANS. Use coupon code: TD-PLAYCLOUD-04142025
Learn AWS with our PlayCloud Hands-On Labs
FREE AI and AWS Digital Courses
Tutorials Dojo Exam Study Guide eBooks
FREE AWS, Azure, GCP Practice Test Samplers
Subscribe to our YouTube Channel
Join Data Engineering Pilipinas – Connect, Learn, and Grow!
Follow Us On Linkedin
Written by: Jon Bonso
Jon Bonso is the co-founder of Tutorials Dojo, an EdTech startup and an AWS Digital Training Partner that provides high-quality educational materials in the cloud computing space. He graduated from Mapúa Institute of Technology in 2007 with a bachelor's degree in Information Technology. Jon holds 10 AWS Certifications and is also an active AWS Community Builder since 2020.
