Security Groups vs. Network ACLs Infographic
Cloud Infrastructure Security

Security Groups vs. Network ACLs

Understanding the critical layers of defense-in-depth: Stateful vs. Stateless filtering.

Security Groups (SG)

The first line of defense for your specific resources.

  • Scope: Operates at the Instance Level (Interface).
  • State: Stateful. If an inbound request is allowed, the response to it is automatically allowed out, regardless of outbound rules (and vice versa for allowed outbound connections).
  • Rule Type: Supports “Allow” rules only (Implicit deny for everything else).

Network ACLs (NACL)

The gatekeeper for the entire subnet boundary.

  • Scope: Operates at the Subnet Level.
  • State: Stateless. Inbound and Outbound rules are evaluated independently.
  • Rule Type: Supports both “Allow” and “Deny” rules. Rules are evaluated in ascending rule-number order, the first match wins, and anything unmatched hits the default deny (*).

Traffic Flow Visualization

How a packet traverses the network to reach your data.

[Figure: INTERNET → Network ACL (Subnet Level, stateless gate) → Security Group (Instance Level, stateful shield) → EC2 INSTANCE]

Stateful Logic

Security Groups track the state of each connection. If an inbound request is allowed on port 80, the SG automatically allows the response to leave the instance, regardless of outbound rules, and replies to allowed outbound connections are let back in the same way. You only ever write rules for the direction that initiates the connection.

Stateless Logic

NACLs keep no connection state. If you allow inbound traffic on port 80, you must also create an outbound rule covering the client's ephemeral source ports (AWS recommends 1024-65535, because the exact range depends on the client's operating system); otherwise the response never leaves the subnet. The same applies in reverse: connections initiated from inside the subnet need an inbound rule for the ephemeral range so replies can come back.

Expert Tip

Always use Security Groups as your primary filtering mechanism. Use NACLs as a coarse-grained safety net: to block known-malicious IP ranges (a NACL is the only place you can write an explicit Deny), or to provide a secondary layer of subnet-wide isolation. Put Deny rules at low rule numbers so they are evaluated before any broad Allow.
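The stateful and stateless evaluation described above, and the Expert Tip's point about Deny ordering, are easier to see in a small model. The script below is an added example written for this page, not AWS code or the AWS API: it models a Security Group as allow-only rules plus a connection-tracking table, and a Network ACL as numbered allow/deny rules evaluated lowest-first in each direction. The addresses, ports and rule numbers are constructed for illustration. It runs one HTTP request/response pair through NACL then SG on the way in, and SG then NACL on the way out, exactly the order in the traffic-flow figure.

```python
"""Toy model of an AWS Security Group (stateful) and Network ACL (stateless).
Added example for this page; addresses, ports and rule numbers are made up."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass
class SecurityGroup:
    """Allow-only rules (cidr, port_lo, port_hi) plus connection tracking."""
    inbound: list = field(default_factory=list)
    outbound: list = field(default_factory=list)
    _tracked: set = field(default_factory=set)  # 5-tuples of permitted replies

    @staticmethod
    def _matches(rules, remote_ip, port):
        return any(ip_address(remote_ip) in ip_network(cidr) and lo <= port <= hi
                   for cidr, lo, hi in rules)

    def _allow(self, rules, pkt, remote_ip):
        flow = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto)
        if flow in self._tracked:            # reply to an allowed connection
            return True
        if self._matches(rules, remote_ip, pkt.dst_port):
            # remember the reverse direction so the reply passes with no rule
            self._tracked.add((pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto))
            return True
        return False                         # implicit deny

    def allow_inbound(self, pkt):
        return self._allow(self.inbound, pkt, pkt.src_ip)

    def allow_outbound(self, pkt):
        return self._allow(self.outbound, pkt, pkt.dst_ip)


@dataclass(frozen=True)
class NaclRule:
    number: int      # evaluated in ascending order; first match wins
    action: str      # "allow" or "deny"
    cidr: str
    port_lo: int
    port_hi: int


class NetworkAcl:
    """Stateless: each direction is evaluated on its own, with no memory."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, remote_ip, port):
        for r in rules:
            if ip_address(remote_ip) in ip_network(r.cidr) and r.port_lo <= port <= r.port_hi:
                return r.action == "allow"
        return False                         # the default "*" deny rule

    def allow_inbound(self, pkt):
        return self._evaluate(self.inbound, pkt.src_ip, pkt.dst_port)

    def allow_outbound(self, pkt):
        return self._evaluate(self.outbound, pkt.dst_ip, pkt.dst_port)


def simulate(nacl, sg, client_ip="203.0.113.7", client_port=51514, server_ip="10.0.1.10"):
    """Return (request_delivered, response_delivered) for one HTTP exchange."""
    req = Packet(client_ip, client_port, server_ip, 80)
    resp = Packet(server_ip, 80, client_ip, client_port)
    if not (nacl.allow_inbound(req) and sg.allow_inbound(req)):
        return False, False
    return True, (sg.allow_outbound(resp) and nacl.allow_outbound(resp))


def web_sg():
    # Outbound deliberately empty (a real default SG allows all outbound) to
    # show that the reply still leaves purely because of connection tracking.
    return SecurityGroup(inbound=[("0.0.0.0/0", 80, 80)], outbound=[])


def scenarios():
    allow_80 = NaclRule(100, "allow", "0.0.0.0/0", 80, 80)
    ephemeral = NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)
    deny_hostile = lambda n: NaclRule(n, "deny", "198.51.100.0/24", 0, 65535)
    return {
        # inbound 80 allowed but no outbound ephemeral rule: reply is dropped
        "nacl_without_ephemeral_rule": simulate(NetworkAcl([allow_80], []), web_sg()),
        "nacl_with_ephemeral_rule": simulate(NetworkAcl([allow_80], [ephemeral]), web_sg()),
        # Expert Tip: Deny at a low number is hit before the broad Allow
        "hostile_range_denied": simulate(
            NetworkAcl([deny_hostile(10), allow_80], [ephemeral]), web_sg(), client_ip="198.51.100.9"),
        # same Deny numbered after the Allow never fires: rule order matters
        "hostile_range_deny_too_late": simulate(
            NetworkAcl([allow_80, deny_hostile(200)], [ephemeral]), web_sg(), client_ip="198.51.100.9"),
    }


if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: request={result[0]} response={result[1]}")
```

Note that `web_sg()` has no outbound rules at all, yet the response passes the SG in every scenario where the request was accepted; the only thing that stops it is the NACL's missing ephemeral-port rule. The last two scenarios differ only in the Deny rule's number, which is why the tip says to give Deny rules low numbers.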

© 2023 Infrastructure Security Education | Designed for Front-End Data Visualization
