AWS Security Academy · Lesson

Stateful versus Stateless Behavior

Grasp why return traffic is handled differently by each control.

Two Models

The deepest difference between security groups and network ACLs is state tracking. Security groups are stateful; network ACLs are stateless. This single property changes how you write rules, troubleshoot dropped traffic, and reason about return packets.

What Stateful Means

Stateful means the firewall remembers each connection it permits. When a security group allows an inbound request, it automatically allows the matching response back out, tracking the connection in a state table. You never write a rule for return traffic.
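The contrast described above, as an added example that is not part of the original lesson and is not AWS's implementation: a simplified model in which a security-group-like filter keeps a state table and a network-ACL-like filter evaluates each direction on its own. The class names, the sample addresses and the 1024-65535 client port range are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Assumed client source-port range for this model (constructed, not from the lesson).
EPHEMERAL = range(1024, 65536)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The response packet: addresses and ports swapped."""
        return Packet(self.dst, self.dport, self.src, self.sport)

@dataclass
class StatefulFilter:
    """Security-group-like: inbound allow rules plus a connection state table."""
    inbound_ports: set
    state: set = field(default_factory=set)

    def inbound(self, p):
        if p.dport in self.inbound_ports:
            self.state.add(p)  # remember the permitted flow
            return True
        return False

    def outbound(self, p):
        # Model of the response path only: allowed when it reverses a tracked flow.
        return p.reply() in self.state

@dataclass
class StatelessFilter:
    """Network-ACL-like: each direction is judged alone, with no memory."""
    inbound_ports: set
    outbound_ports: set  # destination ports allowed on the way out

    def inbound(self, p):
        return p.dport in self.inbound_ports

    def outbound(self, p):
        return p.dport in self.outbound_ports

def round_trip(fw, request):
    """Return (request_allowed, response_allowed) for one exchange."""
    ok_in = fw.inbound(request)
    ok_out = ok_in and fw.outbound(request.reply())
    return ok_in, ok_out

if __name__ == "__main__":
    req = Packet("203.0.113.10", 50000, "10.0.1.5", 443)  # constructed sample request
    print("stateful:", round_trip(StatefulFilter({443}), req))
    print("stateless, no outbound rule:", round_trip(StatelessFilter({443}, set()), req))
    print("stateless, ephemeral outbound rule:", round_trip(StatelessFilter({443}, set(EPHEMERAL)), req))
```

When troubleshooting, the middle case is the one to recognize: the request is accepted but the response is dropped, because the stateless filter has no outbound rule covering the client's source port.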
