What is the difference between an AWS Security Group and a Network ACL?

Difficulty: Medium | Topic: AWS | May 24, 2026

Security Groups (SGs): Stateful firewalls at the instance level. If you allow inbound traffic, the return traffic for that connection is automatically allowed out, regardless of the outbound rules. Rules are allow-only (there are no deny rules); anything not explicitly allowed is dropped.

Network ACLs (NACLs): Stateless firewalls at the subnet level. You must explicitly allow both the inbound traffic and the corresponding outbound return traffic. Rules are evaluated in ascending rule-number order, the first matching rule wins, and both allow and deny rules are supported.

In practice: Use Security Groups for most use cases. Use NACLs as an additional layer for blocking specific IP ranges (e.g., blocking a bad actor’s IP at the subnet boundary).
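An added Terraform sketch (not from the original page) of the two layers described above: a stateful Security Group that needs only its inbound rule, and a stateless NACL where a deny at rule 90 takes precedence over the allow at rule 100 and where the return traffic has to be allowed out explicitly. The `aws_vpc.main` and `aws_subnet.web` references, the `web` names and the 203.0.113.0/24 block are assumed placeholders.

```hcl
# Assumed: an existing VPC and subnet referenced as aws_vpc.main and aws_subnet.web.
# Security Group: stateful, allow-only. Inbound 443 is allowed and the responses
# leave automatically; no egress rule is needed for the return traffic.
resource "aws_security_group" "web" {
  name   = "web-sg"
  vpc_id = aws_vpc.main.id

  ingress {
    description = "HTTPS from anywhere"
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["0.0.0.0/0"]
  }
}

# Network ACL: stateless, evaluated by rule_no, first match wins, implicit deny at the end.
resource "aws_network_acl" "web" {
  vpc_id     = aws_vpc.main.id
  subnet_ids = [aws_subnet.web.id]
  # Rule 90 is checked before rule 100, so this range is dropped even though 100 allows HTTPS.
  # 203.0.113.0/24 is a documentation range used here as a placeholder for a blocked source.
  ingress {
    rule_no    = 90
    protocol   = "-1"
    action     = "deny"
    cidr_block = "203.0.113.0/24"
    from_port  = 0
    to_port    = 0
  }
  ingress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 443
    to_port    = 443
  }
  # Stateless: responses to the inbound HTTPS connections must be allowed out explicitly,
  # on the clients' ephemeral source ports. Without this rule every connection stalls.
  egress {
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "0.0.0.0/0"
    from_port  = 1024
    to_port    = 65535
  }
}
```

Swapping the two ingress rule numbers would let the blocked range through, since the allow would then match first; rule ordering is the check to make whenever a NACL deny seems not to apply.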
