Difference between Security Groups and Network Access Control List

0xffccdd
2 min read · Mar 26, 2022


A security group is like a virtual firewall for your EC2 instances. It provides security at the protocol and port access level. You can specify which protocols and ports are allowed for inbound and outbound traffic. By default, security groups allow all outbound traffic and no inbound traffic, unless you add rules to allow specific traffic. When you launch an instance, you can specify one or more security groups. You can also add or remove rules from a security group at any time.


A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall controlling traffic in and out of one or more subnets. You create a network ACL, associate it with a subnet, and add rules to it that allow or deny traffic; depending on the network ACL, all inbound and outbound traffic is either allowed or denied by default.

Security groups and network ACLs both provide security at the network layer, but they differ in the following ways:

• A security group is associated with an EC2 instance, whereas a network ACL is associated with a subnet.

• You can modify the rules for a security group at any time; you can’t modify the rules for a network ACL until you disassociate it from the subnet.

• Security groups are stateful; network ACLs are stateless. With a security group, if you allow traffic in one direction, the return traffic is automatically allowed in the other direction. With a network ACL, you must explicitly allow traffic in both directions.

• You can’t block specific IP addresses using a security group; you can block specific IP addresses using a network ACL.
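To make the stateful/stateless and allow-only/deny distinctions concrete, here is an added Python model (not AWS code and not from the original post) that evaluates one constructed HTTPS request and its reply against a simulated security group and a simulated network ACL. It assumes a simplified connection-tracking key for the security group and lowest-rule-number-wins evaluation for the network ACL; the IP addresses and ports are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Rule:
    cidr: str
    proto: str             # "tcp", "udp" or "all"
    ports: tuple           # (low, high) destination-port range
    action: str = "allow"  # security groups are allow-only; NACLs may also "deny"

    def matches(self, peer, proto, dport):
        return (ipaddress.ip_address(peer) in ipaddress.ip_network(self.cidr)
                and self.proto in (proto, "all")
                and self.ports[0] <= dport <= self.ports[1])

@dataclass
class SecurityGroup:
    """Instance-level, stateful: an allowed flow's reply passes without an outbound rule."""
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)  # simplified connection table (assumption)

    def check(self, direction, src, dst, proto, sport, dport):
        if (direction, src, dst, proto, sport, dport) in self.tracked:
            return "allow"                      # reply to a connection already allowed
        rules, peer = (self.inbound, src) if direction == "in" else (self.outbound, dst)
        if any(r.matches(peer, proto, dport) for r in rules):
            # Remember the reverse flow so the reply is allowed without its own rule.
            self.tracked.add(("out" if direction == "in" else "in", dst, src, proto, dport, sport))
            return "allow"
        return "deny"                           # no deny rules exist: unmatched traffic is dropped

@dataclass
class NetworkAcl:
    """Subnet-level, stateless: every packet, replies included, is matched against numbered rules."""
    inbound: list   # [(rule_number, Rule), ...]; the lowest-numbered match wins
    outbound: list

    def check(self, direction, src, dst, proto, sport, dport):
        rules, peer = (self.inbound, src) if direction == "in" else (self.outbound, dst)
        for _num, r in sorted(rules, key=lambda nr: nr[0]):
            if r.matches(peer, proto, dport):
                return r.action
        return "deny"                           # the final "*" rule denies everything else

def https_round_trip(fw, client="203.0.113.10", instance="10.0.1.5"):
    """Constructed flow: client -> instance on tcp/443, then the instance's reply to the client."""
    request = fw.check("in", client, instance, "tcp", 50000, 443)
    reply = fw.check("out", instance, client, "tcp", 443, 50000)
    return request, reply
```

With an inbound-only tcp/443 rule, the security group returns ("allow", "allow") while the network ACL returns ("allow", "deny") until an outbound ephemeral-port rule is added; a low-numbered deny rule for one source address is only expressible on the network ACL.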
