Layering Both for Defense in Depth
Combine the two firewalls to reinforce your network security.
Defense in Depth
Defense in depth means stacking independent controls so a failure or gap in one does not expose the workload. In a VPC, security groups and network ACLs are two such layers, joined by route tables, WAF, and Network Firewall to form overlapping barriers around your resources.
Complementary Strengths
Security groups give fine, per-resource, stateful control with allow-only rules. NACLs give coarse, subnet-wide, stateless control with both allow and deny. Using them together lets you set a broad subnet baseline while tuning each resource precisely.
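As an added illustration (not part of the original lesson), the model below evaluates a connection through both layers in sequence: a stateless NACL with ordered allow/deny rules and an implicit final deny, followed by a stateful, allow-only security group. The address ranges, rule numbers and ports are constructed for the example, not taken from a real deployment.

```python
# Added example: minimal model of NACL (stateless, ordered, allow+deny) and
# security group (stateful, allow-only) evaluation. All values are constructed.
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    rule_no: int      # NACLs evaluate rules in ascending number order (unused for SGs)
    action: str       # "allow" or "deny"; SG rules are always "allow"
    cidr: str
    port_from: int
    port_to: int

def _matches(rule, ip, port):
    return (ipaddress.ip_address(ip) in ipaddress.ip_network(rule.cidr)
            and rule.port_from <= port <= rule.port_to)

def nacl_decides(rules, ip, port):
    """Stateless: first matching rule by number wins; the implicit '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.rule_no):
        if _matches(rule, ip, port):
            return rule.action == "allow"
    return False

def sg_allows(rules, ip, port):
    """Stateful, allow-only: any matching rule permits; an SG cannot express deny."""
    return any(_matches(r, ip, port) for r in rules)

# Constructed subnet baseline: block one range outright, admit 443 broadly,
# admit 22 from the wider private space, and let replies out on ephemeral ports.
NACL_IN = [Rule(90, "deny", "198.51.100.0/24", 0, 65535),
           Rule(100, "allow", "0.0.0.0/0", 443, 443),
           Rule(110, "allow", "10.0.0.0/8", 22, 22)]
NACL_OUT = [Rule(100, "allow", "0.0.0.0/0", 1024, 65535)]
# Constructed per-resource tuning: 443 from anywhere, SSH only from one VPC range.
SG_IN = [Rule(0, "allow", "0.0.0.0/0", 443, 443),
         Rule(0, "allow", "10.0.0.0/16", 22, 22)]

def inbound_allowed(src_ip, dst_port, nacl_in=NACL_IN, sg_in=SG_IN):
    """A new inbound connection must pass the subnet NACL, then the resource's SG."""
    return nacl_decides(nacl_in, src_ip, dst_port) and sg_allows(sg_in, src_ip, dst_port)

def return_allowed(client_ip, client_port, nacl_out=NACL_OUT):
    """Reply packets: the SG permits them automatically (stateful); the NACL tracks
    no state, so its outbound rules must explicitly allow the client's ephemeral port."""
    return nacl_decides(nacl_out, client_ip, client_port)

if __name__ == "__main__":
    print(inbound_allowed("198.51.100.9", 443))  # NACL deny wins even though the SG would allow
    print(inbound_allowed("10.5.0.1", 22))       # NACL baseline allows, SG tuning rejects
    print(return_allowed("203.0.113.7", 51234, nacl_out=[]))  # no ephemeral allow: reply dropped
```

Removing the outbound ephemeral rule shows the classic NACL mistake: the inbound request is accepted, yet the reply never leaves the subnet.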