Compare AWS security groups and network ACLs

AWS/AWS Basic

  • outline

Compare security groups and network ACLs

  • comparison
Security group | Network ACL
-------------- | -----------
Operates at the instance level | Operates at the subnet level
Applies to an instance only if it is associated with the instance | Applies to all instances deployed in the associated subnet (providing an additional layer of defense if security group rules are too permissive)
Supports allow rules only | Supports allow rules and deny rules
Evaluates all rules before deciding whether to allow traffic | Evaluates rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic
Stateful: Return traffic is allowed, regardless of the rules | Stateless: Return traffic must be explicitly allowed by the rules
  • note

Major differences

  • deny rules or not

  • evaluates rules in order or not

  • stateful or stateless
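The three differences above are easiest to see side by side. The following Python model is an added example, not code from this page or from AWS: it is a simplified simulation of the documented evaluation semantics (allow-only / all-rules / stateful for a security group; allow-and-deny / lowest-number-first / stateless for a network ACL), not AWS's real implementation. The addresses (the 203.0.113.0/24 documentation range), ports and rule numbers are constructed for the demonstration.

```python
"""Toy model of how a security group and a network ACL decide on traffic.
Simplified simulation for illustration; it is not the AWS implementation."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str      # "allow" or "deny" (a security group only ever holds "allow")
    proto: str       # "tcp", "udp", "icmp" or "all"
    port_from: int   # destination port range
    port_to: int
    cidr: str        # remote address range
    number: int = 0  # rule number; only meaningful for a network ACL


def _matches(rule, proto, dst_port, remote_ip):
    if rule.proto not in ("all", proto):
        return False
    if not rule.port_from <= dst_port <= rule.port_to:
        return False
    return ipaddress.ip_address(remote_ip) in ipaddress.ip_network(rule.cidr)


def _dst_port(direction, local_port, remote_port):
    # Inbound rules match the instance's port; outbound rules match the remote port.
    return local_port if direction == "in" else remote_port


class SecurityGroup:
    """Instance level: allow rules only, every rule evaluated, stateful."""

    def __init__(self, inbound, outbound):
        for r in inbound + outbound:
            if r.action != "allow":
                raise ValueError("security groups support allow rules only")
        self.rules = {"in": inbound, "out": outbound}
        self.tracked = set()  # flows admitted by a rule (connection tracking)

    def evaluate(self, direction, proto, local_port, remote_ip, remote_port):
        flow = (proto, local_port, remote_ip, remote_port)
        other = "out" if direction == "in" else "in"
        if (other, *flow) in self.tracked:
            return True  # return traffic of a tracked flow: allowed regardless of rules
        dst_port = _dst_port(direction, local_port, remote_port)
        # All rules are evaluated; any matching allow admits the traffic.
        if any(_matches(r, proto, dst_port, remote_ip) for r in self.rules[direction]):
            self.tracked.add((direction, *flow))
            return True
        return False


class NetworkACL:
    """Subnet level: allow and deny rules, first match by number, stateless."""

    def __init__(self, inbound, outbound):
        self.rules = {"in": inbound, "out": outbound}

    def evaluate(self, direction, proto, local_port, remote_ip, remote_port):
        dst_port = _dst_port(direction, local_port, remote_port)
        for r in sorted(self.rules[direction], key=lambda r: r.number):
            if _matches(r, proto, dst_port, remote_ip):
                return r.action == "allow"  # lowest-numbered matching rule decides
        return False  # nothing matched: the implicit "*" deny applies


# Constructed scenario: SSH from a trusted range, one host in it to be blocked.
TRUSTED = "203.0.113.0/24"
BLOCKED_HOST = "203.0.113.5/32"

sg = SecurityGroup(
    inbound=[Rule("allow", "tcp", 22, 22, TRUSTED)],
    outbound=[],  # no outbound rules: only return traffic leaves
)
nacl = NetworkACL(
    inbound=[Rule("deny", "tcp", 22, 22, BLOCKED_HOST, number=100),
             Rule("allow", "tcp", 22, 22, TRUSTED, number=110)],
    # Stateless: SSH replies to the client's ephemeral port need their own allow.
    outbound=[Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)],
)


def scenarios():
    """Verdicts for each case; True means the traffic is admitted."""
    v = {}
    v["sg_ssh_from_trusted"] = sg.evaluate("in", "tcp", 22, "203.0.113.10", 50000)
    v["nacl_ssh_from_trusted"] = nacl.evaluate("in", "tcp", 22, "203.0.113.10", 50000)
    # A security group cannot express a deny; the ACL hits rule 100 before 110.
    v["sg_ssh_from_blocked_host"] = sg.evaluate("in", "tcp", 22, "203.0.113.5", 50001)
    v["nacl_ssh_from_blocked_host"] = nacl.evaluate("in", "tcp", 22, "203.0.113.5", 50001)
    # Reply to the trusted session: stateful by tracking vs. stateless by explicit rule.
    v["sg_ssh_reply"] = sg.evaluate("out", "tcp", 22, "203.0.113.10", 50000)
    v["nacl_ssh_reply"] = nacl.evaluate("out", "tcp", 22, "203.0.113.10", 50000)
    no_ephemeral = NetworkACL(nacl.rules["in"], [])
    v["nacl_ssh_reply_without_ephemeral_rule"] = no_ephemeral.evaluate(
        "out", "tcp", 22, "203.0.113.10", 50000)
    # Rule order matters: number the deny after the allow and the allow wins.
    reordered = NetworkACL([Rule("deny", "tcp", 22, 22, BLOCKED_HOST, number=120),
                            Rule("allow", "tcp", 22, 22, TRUSTED, number=110)], [])
    v["nacl_deny_numbered_after_allow"] = reordered.evaluate("in", "tcp", 22, "203.0.113.5", 50001)
    return v


if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {'allowed' if verdict else 'denied'}")
```

The two verdicts that differ between the columns are the ones the table predicts: the blocked host gets through the security group (no deny rule exists) but is stopped by the ACL, and the SSH reply is admitted by the security group's state but dropped by an ACL that lacks an outbound ephemeral-port rule. The last case shows why ACL rule numbers, not just their presence, decide the outcome.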

  • references

https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/infrastructure-security.html#VPC_Security_Comparison