AWS — Difference between Security Groups (SGs) and Network Access Control Lists (NACLs)
Security is job zero.
TLDR:
A security group is the firewall of an EC2 instance.
A network ACL is the firewall of a VPC subnet.
Security groups are stateful: return traffic for a connection that was allowed in one direction is permitted automatically, with no matching rule needed in the other direction. e.g. If you allow incoming port 80, the responses to that traffic are allowed back out automatically.
Network ACLs are stateless: every packet is evaluated against the rules on its own, so allowing an incoming rule does nothing for the return traffic. e.g. If you allow incoming port 80, you also need an outgoing rule that allows the responses.
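To make the stateful/stateless difference concrete, here is a small simulator (added example, not from the original post or from AWS) that runs the same HTTP exchange through a security group and through two NACLs, one with only the inbound port 80 rule and one with the outbound rule for the client's reply ports added. The rule format, the client source port 40000 and the ephemeral range 1024-65535 are assumptions made for the example; the practitioner's catch it shows is that the NACL reply rule must cover the client's ephemeral ports, not port 80.

```python
from dataclasses import dataclass

EPHEMERAL = (1024, 65535)   # source-port range clients typically use (assumed)

@dataclass(frozen=True)
class Rule:
    number: int             # NACL evaluation order; unused by security groups
    direction: str          # "in" or "out"
    port_range: tuple       # (low, high) destination ports
    action: str = "allow"   # NACLs may also "deny"; security groups cannot

def _matches(rule, direction, dst_port):
    return rule.direction == direction and rule.port_range[0] <= dst_port <= rule.port_range[1]

def nacl_allows(rules, direction, dst_port, src_port=None):
    """Stateless: every packet, replies included, is matched on its own.
    Lowest rule number wins; no match falls through to the implicit deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if _matches(rule, direction, dst_port):
            return rule.action == "allow"
    return False

class SecurityGroup:
    """Stateful: allow-only rules plus connection tracking, so the reply to
    an allowed packet is let through regardless of rules the other way."""
    def __init__(self, rules):
        self.rules, self.tracked = rules, set()   # tracked: (dir, dst, src)
    def allows(self, direction, dst_port, src_port):
        reverse = "out" if direction == "in" else "in"
        if (reverse, src_port, dst_port) in self.tracked:
            return True        # reply to a connection already allowed
        ok = any(_matches(r, direction, dst_port) for r in self.rules)
        if ok:
            self.tracked.add((direction, dst_port, src_port))
        return ok

def http_exchange(allows):
    """Client :40000 -> web :80 request, then the server's reply back out."""
    return allows("in", 80, 40000), allows("out", 40000, 80)

def compare():
    sg = SecurityGroup([Rule(100, "in", (80, 80))])            # inbound 80 only
    nacl_in_only = [Rule(100, "in", (80, 80))]                  # outbound forgotten
    nacl_fixed = nacl_in_only + [Rule(100, "out", EPHEMERAL)]   # lets replies out
    return {
        "security_group": http_exchange(sg.allows),
        "nacl_inbound_only": http_exchange(lambda d, p, s: nacl_allows(nacl_in_only, d, p, s)),
        "nacl_with_ephemeral": http_exchange(lambda d, p, s: nacl_allows(nacl_fixed, d, p, s)),
    }
```

`compare()` returns a (request allowed, reply allowed) pair per firewall: the security group and the fixed NACL give (True, True), while the NACL with only the inbound rule gives (True, False), i.e. the request gets in but the response is dropped.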
For a more in-depth explanation, this post explains the differences really well. Cheers!