Security Groups
- Operate at the instance level.
- Stateful: if inbound traffic is allowed, return traffic is automatically allowed (and vice versa).
- Default behavior: deny all inbound, allow all outbound (can be changed).
- Rules reference protocol, port range, and source/destination (CIDR or SG).
- Cannot explicitly deny traffic; rules can only allow.
Network ACLs
- Operate at the subnet level.
- Stateless: rules must explicitly allow both inbound and outbound traffic for return flows.
- Rules are evaluated in ascending order; the first match wins.
- Rule numbers: 1 to 32766; AWS recommends increments of 100 for flexibility.
- Default NACL: allows all inbound and outbound traffic.
- New custom NACL: denies all inbound and outbound by default.
- Can explicitly allow or deny traffic, which is useful for blocking IPs at the subnet level.
- The last, implicit rule is "deny all."
Traffic Flow
Inbound: Internet → NACL inbound rules → SG inbound rules → EC2.
Outbound: EC2 → SG outbound rules → NACL outbound rules → Internet.
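The NACL evaluation rules above (ascending order, first match wins, implicit deny at the end) and the stateless nature of return traffic, as an added simulation that is not part of the original notes; the rule sets, addresses and ports are constructed for illustration and the evaluator is a simplified model, not AWS code.

```python
"""Model of AWS Network ACL evaluation: rules checked in ascending number order,
first match wins, an implicit final 'deny all', and no connection tracking, so the
reply to an allowed request must itself be allowed by the outbound rules."""
import ipaddress

# Constructed sample rules (not from a real account):
# (rule_number, protocol, (from_port, to_port), cidr, action)
INBOUND_RULES = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (200, "tcp", (22, 22), "203.0.113.0/24", "allow"),  # constructed admin range
    (300, "tcp", (22, 22), "0.0.0.0/0", "deny"),        # everyone else: explicit deny
]
# Outbound set that also allows replies to clients' ephemeral ports.
OUTBOUND_RULES = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
    (200, "tcp", (1024, 65535), "0.0.0.0/0", "allow"),
]
# Common misconfiguration: only the service port is allowed outbound, so
# replies to the client's ephemeral port fall through to the implicit deny.
OUTBOUND_RULES_BROKEN = [
    (100, "tcp", (443, 443), "0.0.0.0/0", "allow"),
]


def evaluate(rules, protocol, port, address):
    """Return (rule_number, action) of the first rule that matches in ascending
    order, or ('*', 'deny') when nothing matched (the implicit final rule)."""
    addr = ipaddress.ip_address(address)
    for number, proto, (lo, hi), cidr, action in sorted(rules, key=lambda r: r[0]):
        if proto not in (protocol, "all"):
            continue
        if not lo <= port <= hi:
            continue
        if addr not in ipaddress.ip_network(cidr):
            continue
        return number, action
    return "*", "deny"


def session_allowed(inbound, outbound, protocol, service_port, client_ip, client_port):
    """Stateless check: the request (client -> service_port) must pass the inbound
    rules AND the reply (service -> client_port) must pass the outbound rules."""
    _, request = evaluate(inbound, protocol, service_port, client_ip)
    _, reply = evaluate(outbound, protocol, client_port, client_ip)
    return request == "allow" and reply == "allow"


if __name__ == "__main__":
    print(evaluate(INBOUND_RULES, "tcp", 22, "198.51.100.5"))          # (300, 'deny')
    print(session_allowed(INBOUND_RULES, OUTBOUND_RULES_BROKEN,
                          "tcp", 443, "198.51.100.5", 50000))         # False
```

Rule 300 is only reached because rule 200 did not match the source CIDR; swapping their numbers would make the deny win first and lock out the admin range too.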