When to use NACL (NACL Use-cases)
1) When you want to control or restrict traffic at the subnet level.
2) When you want a firewall or other protection applied to subnets.
3) When you want rules applied automatically to every instance in the subnet the NACL is associated with.
4) When you want stateless rules: a change to an inbound rule is not reflected in the outbound rules, so return traffic must be allowed explicitly.
5) Example: if a request comes in through port 80, the outbound rule for its response on port 80 has to be written explicitly as well.
6) When you want rules applied in priority order, where the priority is the number assigned to each rule.
7) It is the first layer of security: use it when you want to deny traffic before it reaches the subnet or the security group.
When to use SG (Security Group Use-cases)
1) When you want to control or restrict traffic at the instance level.
2) When you want a firewall or other protection applied to instances.
3) A security group is applied to an instance only when you specify one while launching the instance.
4) When you want stateful rules: a change to an inbound rule is automatically reflected in the outbound rules.
5) Example: if a request comes in on port 80, the response to that request on port 80 is allowed out automatically by default.
6) When you do not need rules in a specific priority order. In a security group, all rules apply to the associated instances together, without any priority or precedence.
Which is best to use: NACL or SG?
The best approach is to use both in combination, with properly defined restrictions applied at both the subnet level and the instance level.
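The three differences above (ordered, first-match NACL rules with an implicit deny; unordered allow-only security group rules; stateless versus stateful handling of the port 80 reply) can be made concrete with a small Python model. This is an added example, not code from the original page or from AWS; the rule sets, rule numbers and the client port are constructed sample data. Note that a NACL matches the reply on its destination port, which is the client's ephemeral port, so the outbound rule in the model covers the ephemeral range rather than port 80.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number = priority; not meaningful for a security group
    action: str     # "allow" or "deny" (security groups only have allow rules)
    port_from: int
    port_to: int

    def matches(self, port):
        return self.port_from <= port <= self.port_to

def nacl_allows(rules, port):
    """NACL: evaluate lowest rule number first, first match wins,
    and the implicit '*' rule at the end denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(port):
            return rule.action == "allow"
    return False

def sg_allows(rules, port):
    """Security group: no ordering; traffic is allowed if any rule matches."""
    return any(rule.matches(port) for rule in rules)

def nacl_exchange(inbound, outbound, request_port, reply_port):
    """Stateless: the request and its reply are each checked against their own
    rule set, so the reply needs an explicit outbound rule."""
    return nacl_allows(inbound, request_port) and nacl_allows(outbound, reply_port)

def sg_exchange(inbound, request_port):
    """Stateful: once the request is allowed, its reply is tracked and allowed
    without consulting the outbound rules."""
    return sg_allows(inbound, request_port)

# Constructed sample rule sets (hypothetical numbers, not from any real VPC).
NACL_IN_ORDERED = [Rule(100, "allow", 80, 80), Rule(90, "deny", 80, 80)]  # 90 wins
NACL_IN = [Rule(100, "allow", 80, 80)]
NACL_OUT_EMPTY = []
# The reply is matched on its destination port, the client's ephemeral port,
# so the outbound rule must cover the ephemeral range, not port 80.
NACL_OUT_EPHEMERAL = [Rule(100, "allow", 1024, 65535)]
SG_IN = [Rule(0, "allow", 80, 80)]
CLIENT_EPHEMERAL_PORT = 49152  # constructed client source port

if __name__ == "__main__":
    print(nacl_allows(NACL_IN_ORDERED, 80))                                      # False
    print(nacl_exchange(NACL_IN, NACL_OUT_EMPTY, 80, CLIENT_EPHEMERAL_PORT))      # False
    print(nacl_exchange(NACL_IN, NACL_OUT_EPHEMERAL, 80, CLIENT_EPHEMERAL_PORT))  # True
    print(sg_exchange(SG_IN, 80))                                                # True
```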