What is the difference between Network ACLs and Security Groups in AWS? AWS Interview Question


  • Network ACLs: A network access control list (ACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You might set up network ACLs with rules similar to your security groups in order to add an additional layer of security to your VPC. For more information about the differences between security groups and network ACLs, see Comparison of Security Groups and Network ACLs.
  • Security Groups: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.
The following table summarizes the basic differences between network ACLs and security groups.
| Network ACL | Security Group |
| --- | --- |
| Operates at the subnet level (second layer of defense) | Operates at the instance level (first layer of defense) |
| Supports allow rules and deny rules | Supports allow rules only |
| Is stateless: Return traffic must be explicitly allowed by rules | Is stateful: Return traffic is automatically allowed, regardless of any rules |
| We process rules in number order when deciding whether to allow traffic | We evaluate all rules before deciding whether to allow traffic |
| Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group) | Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on |
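
The rule-evaluation and statefulness rows of the table, modeled in Python as an added example (not AWS code and not part of the original page). The rule sets, the documentation-range addresses, the 1024-65535 ephemeral port range and all function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple

class Rule(NamedTuple):
    number: int   # NACL rule number; unused by security groups
    cidr: str     # peer address range
    ports: range  # destination ports of the packet being checked
    allow: bool   # security groups only ever carry allow=True

def matches(rule, peer_ip, dst_port):
    return ip_address(peer_ip) in ip_network(rule.cidr) and dst_port in rule.ports

def nacl_allows(rules, peer_ip, dst_port):
    # Rules are processed in number order; the first match decides.
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, peer_ip, dst_port):
            return rule.allow
    return False  # nothing matched: denied

def sg_allows(rules, peer_ip, dst_port):
    # All rules are evaluated; any matching allow rule permits the packet.
    return any(r.allow and matches(r, peer_ip, dst_port) for r in rules)

def nacl_round_trip(inbound, outbound, client_ip, client_port, service_port):
    # Stateless: the reply is checked separately against the outbound rules,
    # and its destination port is the client's source port.
    return (nacl_allows(inbound, client_ip, service_port)
            and nacl_allows(outbound, client_ip, client_port))

def sg_round_trip(inbound, outbound, client_ip, client_port, service_port):
    # Stateful: a reply to an allowed request passes regardless of outbound rules.
    return sg_allows(inbound, client_ip, service_port)

# Constructed sample rules (documentation address ranges).
ANY, HTTPS = "0.0.0.0/0", range(443, 444)
NACL_IN = [Rule(100, "203.0.113.0/24", HTTPS, False),  # deny evaluated first
           Rule(200, ANY, HTTPS, True)]
NACL_OUT_EPHEMERAL = [Rule(100, ANY, range(1024, 65536), True)]
SG_IN = [Rule(0, ANY, HTTPS, True)]

if __name__ == "__main__":
    print("NACL, denied range:", nacl_allows(NACL_IN, "203.0.113.10", 443))
    print("SG, same client:", sg_allows(SG_IN, "203.0.113.10", 443))
    print("NACL, no outbound rule:", nacl_round_trip(NACL_IN, [], "198.51.100.7", 50000, 443))
    print("NACL, ephemeral outbound:", nacl_round_trip(NACL_IN, NACL_OUT_EPHEMERAL, "198.51.100.7", 50000, 443))
    print("SG, no outbound rule:", sg_round_trip(SG_IN, [], "198.51.100.7", 50000, 443))
```

The model shows the two practical consequences of the table: blocking a specific address range requires a network ACL deny rule numbered ahead of the broader allow, and a network ACL with no outbound rule for the client's ephemeral port drops replies to requests it admitted inbound.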


