What's the difference between security groups and network ACLs?
Short answer
Security groups are stateful firewalls attached to instances/ENIs: they allow rules only, and return traffic for an allowed flow is automatically permitted. Network ACLs are stateless filters at the subnet boundary: they have ordered allow and deny rules and you must explicitly allow return traffic on ephemeral ports. Security groups are the primary control; NACLs add coarse subnet-level guardrails like blocking an IP range.
This is a classic cloud networking question, and the answer hinges on one word: stateful versus stateless. Candidates who mix these up will write broken rules.
Security groups — stateful, instance-level
A security group attaches to an instance or network interface and acts as a stateful firewall:
- It contains allow rules only (there is no explicit deny — anything not allowed is implicitly denied).
- Because it's stateful, if you allow an inbound request, the corresponding return traffic is automatically permitted. You don't write a rule for the response.
- This is the primary, fine-grained control — you scope it to specific ports and source security groups or CIDRs.
Network ACLs — stateless, subnet-level
A network ACL sits at the subnet boundary and is stateless:
- It has numbered, ordered rules evaluated low-to-high, and supports both allow and deny — useful for blocking a specific malicious IP range across a whole subnet.
- Because it's stateless, it does not remember connections. If you allow inbound traffic, you must also explicitly allow the outbound return traffic on ephemeral ports (and vice versa). Forgetting this is the number-one NACL bug.
How they combine
Traffic to an instance must pass both: the subnet's NACL and the instance's security group. They are evaluated together, and a deny at either layer drops the packet. In practice, use security groups for almost everything and reserve NACLs for coarse subnet guardrails.
What interviewers look for
The stateful vs stateless distinction stated plainly, the consequence (return-traffic rules for NACLs), the allow-only vs allow/deny difference, and that both layers apply to a packet.
Likely follow-ups
- Why must a stateless NACL have rules for ephemeral return ports?
- If a packet is allowed by the NACL but denied by the security group, what happens?
- When would you reach for a NACL deny rule instead of a security group?