Here in this post, you can read the differences between Security Group and Network Access Control List (NACL). As both features are used for security purposes in AWS Cloud, both are important to understand properly to use them.
| Security Group (SG) | NACL (Network ACL) |
| SG operates at Instance Level | NACL operates at subnet level |
| In SG we can add allow rules only | In NACL we can add allow rules and deny rules |
| SG is stateful: return traffic is automatically allowed, regardless of any rules | NACL is stateless: return traffic must be explicitly allowed by rules |
| Evaluates all rules before deciding whether to allow traffic | Processed rules in number order when deciding whether to allow traffic |
| Applies to an instance only if someone specifies the security group when launching the instance, or associates the SG with the instance later on | Automatically applies to all instances in subnets it’s associated with, so that there is no need to specify the SG by user |
If you think that anything has to be added in the above table feel free to add comment, and I will add your point too.