Amazon VPC Security Groups vs NACLs

Amazon VPC Security Groups vs NACLs

Security Groups and Network ACLs are both network controls in Amazon VPC, but they operate at different layers and with different rule models. Security Groups are stateful and instance-focused, while NACLs are stateless and subnet-focused.

Key Differences

  • Security Groups: Applied to ENIs/instances, stateful, allow rules only
  • NACLs: Applied to subnets, stateless, allow and deny rules

Because NACLs are stateless, return traffic must be explicitly allowed.

Layered Security Pattern

Use Security Groups as your primary control for east-west and north-south traffic. Use NACLs for coarse subnet guardrails, especially when explicit deny behavior is required.

Practical Guidance

  • Keep Security Group rules least-privilege and reference SGs where possible
  • Avoid overly complex NACLs that are hard to troubleshoot
  • Standardize rule naming and documentation for audits

Common Mistakes

  • Treating NACLs like Security Groups
  • Blocking ephemeral return ports by accident
  • Overlapping controls without clear ownership

Final Thoughts

Security Groups and NACLs are complementary, not competing tools. Use each at the right layer to build clean, understandable network defenses.