- outline
Compare security groups and network ACLs
- comparison
| Security group | Network ACL |
| --- | --- |
| Operates at the instance level | Operates at the subnet level |
| Applies to an instance only if it is associated with the instance | Applies to all instances deployed in the associated subnet (providing an additional layer of defense if security group rules are too permissive) |
| Supports allow rules only | Supports allow rules and deny rules |
| Evaluates all rules before deciding whether to allow traffic | Evaluates rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic |
| Stateful: return traffic is allowed, regardless of the rules | Stateless: return traffic must be explicitly allowed by the rules |
- note
Major differences:
  - deny rules or not
  - evaluates rules in order or not
  - stateful or stateless
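A small Python model of the three differences above, added here as an example (not part of the original note, and a simplified model rather than the cloud provider's actual implementation): security groups consider every rule and only carry allows, network ACLs take the first match in rule-number order with an implicit deny at the end, and only the network ACL has to allow the reply to the client's ephemeral port separately. The `Rule` class and the constructed rule sets are assumptions for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    number: int      # NACL rule number (order of evaluation); unused for security groups
    action: str      # "allow" or "deny" (security groups only ever carry "allow")
    protocol: str    # "tcp", "udp", or "all"
    port_from: int
    port_to: int
    cidr: str        # peer address range

def matches(rule, protocol, port, peer_ip):
    return (rule.protocol in ("all", protocol)
            and rule.port_from <= port <= rule.port_to
            and ip_address(peer_ip) in ip_network(rule.cidr))

def security_group_allows(rules, protocol, port, peer_ip):
    # Every rule is considered; any matching allow rule permits the traffic.
    # There are no deny rules, so nothing can override an allow.
    return any(r.action == "allow" and matches(r, protocol, port, peer_ip) for r in rules)

def nacl_allows(rules, protocol, port, peer_ip):
    # Rules are evaluated lowest number first; the first match decides.
    # No match falls through to the implicit deny ("*" rule).
    for r in sorted(rules, key=lambda r: r.number):
        if matches(r, protocol, port, peer_ip):
            return r.action == "allow"
    return False

def sg_session_allowed(sg_inbound, protocol, port, client_ip):
    # Stateful: once the inbound request is allowed, the reply is allowed too.
    return security_group_allows(sg_inbound, protocol, port, client_ip)

def nacl_session_allowed(nacl_in, nacl_out, protocol, port, client_ip, ephemeral_port):
    # Stateless: the request and the reply (to the client's ephemeral port)
    # are checked separately against the inbound and outbound rule sets.
    return (nacl_allows(nacl_in, protocol, port, client_ip)
            and nacl_allows(nacl_out, protocol, ephemeral_port, client_ip))

# Constructed sample rule sets for an HTTPS server (illustrative values only).
SG_INBOUND = [Rule(0, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_IN = [Rule(90, "deny", "tcp", 443, 443, "198.51.100.0/24"),   # deny one range first
           Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_IN_MISORDERED = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0"),
                      Rule(200, "deny", "tcp", 443, 443, "198.51.100.0/24")]  # never reached
NACL_OUT_NO_EPHEMERAL = [Rule(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]
NACL_OUT = NACL_OUT_NO_EPHEMERAL + [Rule(110, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
```

With `NACL_OUT_NO_EPHEMERAL` the HTTPS request gets in but the reply is dropped, which is the classic stateless-ACL mistake; `NACL_IN_MISORDERED` shows a deny placed after a broader allow having no effect.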
- references