AWS: Security group Functionality Vs Network ACL

Here’re the differences between AWS Network ACL and security group. This is the best interview question.

AWS Security group

  • It’s an instance level
  • It’s a basic security layer
  • it’s Stateful. That means – return traffic is automatically allowed regardless of rules.
  • The security of Security group level is the responsibility of AWS
  • AWS validates all rules whether to allow traffic

Security group is a first level of security at instance level.

AWS Network ACL

  • it’s also called Network Access Control Layer
  • It’s an additional security layer at the subnet level (important interview question)
  • It acts as a firewall to the entire subnet.
  • Since it’s the top layer over the Security group, the first priority goes to ACL.
  • Once created the ACL, it applies to all the instances in that subnet.
  • It’s Stateless; return traffic must be allowed explicitly.
  • With this, you can allow the traffic or deny the traffic.

Network ACL is additional security layer at Subnet Level

Schematic Diagram of Subnet and Instances

Security group vs Network ACL

Simple explanation is, a subnet is having multiple instances. Security group is at instance level and ACL is at subnet level. Here, VPC means Virtual private cloud.

Related Posts

Get new content delivered directly to your inbox.

Useful Resources

Security Groups

Author: Srini

Experienced software developer. Skills in Development, Coding, Testing and Debugging. Good Data analytic skills (Data Warehousing and BI). Also skills in Mainframe.