What is the difference between Network ACLs and Security Groups in AWS? Amazon Web Services Interview Question
- Network ACLs: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.
- Security Groups: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
| Network ACL | Security Group |
|---|---|
| Operates at the subnet level (second layer of defense) | Operates at the instance level (first layer of defense) |
| Supports allow rules and deny rules | Supports allow rules only |
| Is stateless: return traffic must be explicitly allowed by rules | Is stateful: return traffic is automatically allowed, regardless of any rules |
| We process rules in number order when deciding whether to allow traffic | We evaluate all rules before deciding whether to allow traffic |
| Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group) | Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on |
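To make the three rows that trip people up concrete (stateless vs. stateful, deny rules, and first-match-by-rule-number vs. any-match), here is a small added evaluator that models those semantics. It is an illustration written for this page, not AWS code: the `Rule`, `Packet`, `nacl_evaluate` and `SecurityGroup` names are made up, the client address `203.0.113.5` and ports are constructed sample values, and the model ignores everything else a real NACL or security group does (ICMP types, referenced security groups, prefix lists, ingress-only default rules).

```python
"""Toy evaluator contrasting network ACL and security group semantics.

Added illustration, not AWS code. It models only three properties from the
comparison table: a NACL is stateless and walks rules in number order with
an implicit final deny; a security group is stateful, allow-only, and
allows a packet if any rule matches. All addresses and ports are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str         # "inbound" or "outbound" relative to the instance
    proto: str             # "tcp", "udp" or "all"
    cidr: str              # remote CIDR the rule matches
    port_from: int
    port_to: int
    action: str = "allow"  # "deny" is only meaningful on a NACL
    number: int = 0        # NACL rule number; ignored by security groups

    def matches(self, direction, proto, remote_ip, port):
        return (self.direction == direction
                and self.proto in ("all", proto)
                and ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound" relative to the instance
    proto: str
    remote_ip: str
    remote_port: int
    local_port: int

    def dst_port(self):
        # The port a rule is written against: the instance's port for inbound
        # traffic, the remote peer's port for outbound traffic.
        return self.local_port if self.direction == "inbound" else self.remote_port

    def flow_key(self):
        # Same key for a request and its reply, so replies can be recognised.
        return (self.proto, self.remote_ip, self.remote_port, self.local_port)


NACL_DEFAULT_DENY = "deny"   # the implicit '*' rule that ends every NACL


def nacl_evaluate(rules, pkt):
    """Stateless: every packet, replies included, is judged on its own.
    Rules are walked in ascending number and the first match decides."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(pkt.direction, pkt.proto, pkt.remote_ip, pkt.dst_port()):
            return rule.action
    return NACL_DEFAULT_DENY


class SecurityGroup:
    """Stateful and allow-only: any matching rule allows a new flow, and a
    reply belonging to an allowed flow is allowed regardless of rules."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups support allow rules only")
        self.rules = list(rules)
        self.flows = set()   # connection tracking for allowed flows

    def evaluate(self, pkt):
        if pkt.flow_key() in self.flows:
            return "allow"   # return traffic of a tracked flow
        if any(r.matches(pkt.direction, pkt.proto, pkt.remote_ip, pkt.dst_port())
               for r in self.rules):
            self.flows.add(pkt.flow_key())
            return "allow"
        return "deny"


def demo():
    client = "203.0.113.5"   # constructed client address (TEST-NET-3 range)
    request = Packet("inbound", "tcp", client, 51234, 443)   # client -> instance:443
    reply = Packet("outbound", "tcp", client, 51234, 443)    # instance -> client:51234

    # NACL that allows HTTPS in but has no outbound rule for the ephemeral reply port.
    nacl_no_ephemeral = [Rule("inbound", "tcp", "0.0.0.0/0", 443, 443, number=100)]
    # The same NACL with the explicit return-traffic rule a stateless filter needs.
    nacl_ok = nacl_no_ephemeral + [Rule("outbound", "tcp", "0.0.0.0/0", 1024, 65535, number=100)]
    # Rule ordering: a deny numbered below the allow wins; numbered above it, it never fires.
    nacl_deny_first = [Rule("inbound", "tcp", "203.0.113.0/24", 0, 65535, "deny", 50),
                       Rule("inbound", "tcp", "0.0.0.0/0", 443, 443, "allow", 100)]
    nacl_deny_last = [Rule("inbound", "tcp", "0.0.0.0/0", 443, 443, "allow", 100),
                      Rule("inbound", "tcp", "203.0.113.0/24", 0, 65535, "deny", 200)]

    sg = SecurityGroup([Rule("inbound", "tcp", "0.0.0.0/0", 443, 443)])  # no outbound rule at all

    return {
        "nacl_request": nacl_evaluate(nacl_ok, request),
        "nacl_reply_without_ephemeral": nacl_evaluate(nacl_no_ephemeral, reply),
        "nacl_reply_with_ephemeral": nacl_evaluate(nacl_ok, reply),
        "nacl_deny_first": nacl_evaluate(nacl_deny_first, request),
        "nacl_deny_last": nacl_evaluate(nacl_deny_last, request),
        "sg_request": sg.evaluate(request),
        "sg_reply_no_outbound_rule": sg.evaluate(reply),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:32s} {verdict}")
```

Running `demo()` shows the practical consequences of the table: the NACL drops the HTTPS reply until an outbound rule for the ephemeral port range exists, the same deny rule either blocks or is silently ignored depending only on its number relative to the allow, and the security group lets the reply through with no outbound rule because it tracks the flow it already allowed.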