AWS Solutions Architect · Lesson

Network ACLs vs Security Groups

Compare stateless Network ACLs with stateful security groups and know when to use each for layered network defence.

Two Layers of Network Security

AWS provides two distinct firewall mechanisms within a VPC. Security Groups operate at the instance level (technically at the ENI level) and are stateful. Network Access Control Lists (NACLs) operate at the subnet level and are stateless. Both are evaluated for any traffic entering or leaving a subnet and its associated instances. Using both in concert provides defence-in-depth: NACLs as a first line at the subnet boundary, security groups as the per-instance firewall. The SAA-C03 exam frequently compares these two mechanisms.

Network ACLs: Subnet-Level Stateless Firewall

A Network ACL (NACL) is a numbered list of rules applied to all traffic crossing the boundary of a subnet. NACLs are stateless—each packet is evaluated independently. If you allow inbound TCP port 80, you must explicitly allow outbound return traffic (ephemeral ports 1024-65535) for the response to leave the subnet. Rules are evaluated in numerical order (lowest number first); the first matching rule applies and no further rules are checked. Each VPC comes with a default NACL that allows all inbound and outbound traffic.

# Deny all traffic from a specific IP in the NACL
aws ec2 create-network-acl-entry \
  --network-acl-id acl-12345678 \
  --ingress \
  --rule-number 90 \
  --protocol tcp \
  --cidr-block 203.0.113.10/32 \
  --rule-action deny \
  --port-range From=0,To=65535
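To make the stateless, first-match semantics concrete, here is an added Python model of NACL rule evaluation (example code written for this lesson, not part of the original page or of any AWS tooling). The rule sets, the client addresses and the http_round_trip helper are constructed for illustration; the rule-90 deny mirrors the CLI entry above, and the empty outbound list shows what happens when the ephemeral-port rule is forgotten.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class NaclRule:
    number: int        # rule number; lower numbers are evaluated first
    protocol: str      # "tcp", "udp" or "-1" for all protocols
    cidr: str          # source CIDR (inbound) or destination CIDR (outbound)
    port_from: int     # destination port range, as seen from the subnet
    port_to: int
    action: str        # "allow" or "deny"

def evaluate(rules, remote_ip, protocol, port):
    """Stateless, first-match evaluation of one direction of a NACL.

    Rules are walked lowest-number-first; the first rule whose protocol,
    CIDR and port range all match decides the packet. If no numbered rule
    matches, the implicit final '*' rule denies."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.protocol != "-1" and rule.protocol != protocol:
            continue
        if ip_address(remote_ip) not in ip_network(rule.cidr):
            continue
        # With protocol -1 AWS ignores the port range; otherwise it must match
        if rule.protocol != "-1" and not rule.port_from <= port <= rule.port_to:
            continue
        return rule.action
    return "deny"

# Constructed rule sets for a public web subnet (not from any real account)
INBOUND = [
    NaclRule(90, "tcp", "203.0.113.10/32", 0, 65535, "deny"),   # block one host
    NaclRule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),         # HTTP from anywhere
]
OUTBOUND_WITH_EPHEMERAL = [
    NaclRule(100, "tcp", "0.0.0.0/0", 1024, 65535, "allow"),    # return traffic
]
OUTBOUND_MISSING_EPHEMERAL = []  # no outbound rule at all: only '*' deny remains

def http_round_trip(inbound, outbound, client_ip, client_port):
    """Verdicts for the client's request to port 80 and the server's reply to
    the client's ephemeral port. Stateless means both must be allowed."""
    request = evaluate(inbound, client_ip, "tcp", 80)
    reply = evaluate(outbound, client_ip, "tcp", client_port)
    return request, reply

if __name__ == "__main__":
    print(http_round_trip(INBOUND, OUTBOUND_WITH_EPHEMERAL, "198.51.100.7", 51515))
    print(http_round_trip(INBOUND, OUTBOUND_MISSING_EPHEMERAL, "198.51.100.7", 51515))
```

Swapping the two inbound rule numbers (deny at 110, allow at 100) lets the blocked host through, which is why targeted deny rules need lower numbers than the broad allow they carve out of.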
