<ul>
<li>outline</li>
</ul>
<blockquote>
<p><strong>Compare security groups and network ACLs</strong></p>
</blockquote>
<ul>
<li>comparison</li>
</ul>
<div class="hn-table">
<table>
<thead>
<tr>
<td><strong>Security group</strong></td><td><strong>Network ACL</strong></td></tr>
</thead>
<tbody>
<tr>
<td>Operates at the instance level</td><td>Operates at the subnet level</td></tr>
<tr>
<td>Applies to an instance only if it is associated with the instance</td><td>Applies to all instances deployed in the associated subnet (providing an additional layer of defense if security group rules are too permissive)</td></tr>
<tr>
<td>Supports allow rules only</td><td>Supports allow rules and deny rules</td></tr>
<tr>
<td>Evaluates all rules before deciding whether to allow traffic</td><td>Evaluates rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic</td></tr>
<tr>
<td>Stateful: Return traffic is allowed, regardless of the rules</td><td>Stateless: Return traffic must be explicitly allowed by the rules</td></tr>
</tbody>
</table>
</div><ul>
<li>note</li>
</ul>
<blockquote>
<p>Major differences</p>
<ul>
<li><p>deny rules or not</p>
</li>
<li><p>evaluates rules in order or not</p>
</li>
<li><p>Stateful or Stateless</p>
</li>
</ul>
</blockquote>
<ul>
<li>references</li>
</ul>
<blockquote>
<p><a target="_blank" href="https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/infrastructure-security.html#VPC_Security_Comparison">https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/infrastructure-security.html#VPC_Security_Comparison</a></p>
</blockquote>


* outline
    

> **Compare security groups and network ACLs**

* comparison
    

| **Security group** | **Network ACL** |
| --- | --- |
| Operates at the instance level | Operates at the subnet level |
| Applies to an instance only if it is associated with the instance | Applies to all instances deployed in the associated subnet (providing an additional layer of defense if security group rules are too permissive) |
| Supports allow rules only | Supports allow rules and deny rules |
| Evaluates all rules before deciding whether to allow traffic | Evaluates rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic |
| Stateful: Return traffic is allowed, regardless of the rules | Stateless: Return traffic must be explicitly allowed by the rules |

* note
    

> Major differences
> 
> * deny rules or not
>     
> * evaluates rules in order or not
>     
> * Stateful or Stateless
>     

* references
    

> [https://docs.aws.amazon.com/ko\_kr/vpc/latest/userguide/infrastructure-security.html#VPC\_Security\_Comparison](https://docs.aws.amazon.com/ko_kr/vpc/latest/userguide/infrastructure-security.html#VPC_Security_Comparison)

Compare AWS security groups and network ACLs

AWS/AWS Basic

Jesus, Love, Family, Happy Life, Linux, Cloud, SRE, DevOps Engineer, FinOps, System Engineer, Problem Solver


ktg0210

ktg0210

Compare AWS security groups and network ACLs

AWS/AWS Basic

Security group	Network ACL
Operates at the instance level	Operates at the subnet level
Applies to an instance only if it is associated with the instance	Applies to all instances deployed in the associated subnet (providing an additional layer of defense if security group rules are too permissive)
Supports allow rules only	Supports allow rules and deny rules
Evaluates all rules before deciding whether to allow traffic	Evaluates rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic
Stateful: Return traffic is allowed, regardless of the rules	Stateless: Return traffic must be explicitly allowed by the rules