Difference between Security Group and Network ACL in AWS

1. Security Group :
A security group acts as a virtual firewall for an EC2 instance (strictly, for its network interface). It has separate inbound and outbound rules. A newly created security group allows no inbound traffic and allows all outbound traffic; anything that is not explicitly allowed is denied, so the way to stop traffic on a protocol is simply to have no rule that allows it. Security groups contain allow rules only. There is no deny rule, which is why a specific IP address cannot be blocked with a security group: that requires a network ACL. A security group is stateful: when an inbound request is allowed, the reply traffic is allowed out regardless of the outbound rules, and the reverse holds for outbound requests. An instance can have several security groups attached, in which case their rules are combined, and all rules are evaluated before traffic is permitted. Changes to a security group's rules take effect immediately on every instance associated with it.

2. Network Access Control List (Network ACL) :
Every VPC comes with a modifiable default network ACL, which allows all inbound and outbound IPv4 traffic. A custom network ACL that you create yourself denies all inbound and outbound traffic until you add rules. A network ACL is stateless: it does not track connections, so return traffic must be explicitly allowed by a rule in the opposite direction (typically an outbound rule for the ephemeral port range 1024-65535 so that replies to inbound requests can leave). Inbound and outbound rules are kept as separate, numbered lists, each with a default quota of 20 rules. Rules are evaluated starting with the lowest numbered rule, and the first rule that matches decides; if nothing matches, the final catch-all rule (*) denies the traffic. Every subnet in the VPC must be associated with exactly one network ACL at a time (a subnet that is not explicitly associated uses the default one), while a single network ACL can be associated with many subnets. Network ACLs support both allow and deny rules and operate at the subnet level.

Difference between Security Group and Network ACL :

Security Group | Network Access Control List
Operates at the instance (network interface) level. | Operates at the subnet level.
Supports allow rules only. | Supports both allow and deny rules.
Stateful: return traffic for an allowed request is permitted automatically, in whichever direction the rule was written. | Stateless: return traffic must be explicitly allowed by a rule in the opposite direction.
Cannot block a specific IP address, because there is no deny rule; it can only omit an allow. | Can block a specific IP address with a deny rule.
All rules are evaluated before deciding whether to permit the traffic. | Rules are processed in number order, lowest first, and the first matching rule decides whether to allow the traffic.
Association is chosen at instance launch (and can be changed on the instance later). | Association is with the subnet; every subnet has exactly one network ACL.
Applies only to instances that have the security group associated with them; if none is specified at launch, the VPC's default security group is used. | Does not depend on any per-instance choice: it automatically applies to every instance in the associated subnet.
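To make the rows above concrete, the following Python model reproduces the two evaluation strategies and checks their consequences offline. This is an added illustration, not AWS code and not part of the original article: it never talks to AWS, the addresses, ports and rule numbers are constructed sample data, and the class and function names (Packet, Rule, SecurityGroup, NetworkAcl, stateful_vs_stateless, block_one_address) are this example's own.

```python
"""Toy model of how AWS security groups (SG) and network ACLs (NACL) evaluate traffic.
Added illustration, not AWS code: addresses, ports and rule numbers are constructed
sample data, and the class/function names are this example's own."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", ...
    src_port: int
    dst_port: int
    direction: str      # "in" (towards the instance/subnet) or "out" (leaving it)

@dataclass(frozen=True)
class Rule:
    cidr: str               # remote side: source for inbound, destination for outbound
    proto: str              # "tcp", "udp" or "-1" for all protocols
    port_from: int
    port_to: int
    action: str = "allow"   # only a network ACL may hold "deny"
    number: int = 0         # NACL rule number; security groups ignore it

    def matches(self, pkt):
        remote = pkt.src if pkt.direction == "in" else pkt.dst
        return (ip_address(remote) in ip_network(self.cidr)
                and self.proto in ("-1", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to)

ALLOW_ALL = Rule("0.0.0.0/0", "-1", 0, 65535)

class SecurityGroup:
    """Instance level, stateful, allow rules only. Defaults mirror a new SG:
    nothing allowed inbound, everything allowed outbound."""

    def __init__(self, inbound=(), outbound=(ALLOW_ALL,)):
        if any(r.action != "allow" for r in (*inbound, *outbound)):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()  # stands in for the connection tracking that makes an SG stateful

    def evaluate(self, pkt):
        # Stateful: a reply to an already permitted flow passes regardless of the
        # rules for its own direction.
        if (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port, pkt.proto) in self._flows:
            return "allow"
        rules = self.inbound if pkt.direction == "in" else self.outbound
        # Every rule is considered; any match permits, and nothing can deny.
        if any(r.matches(pkt) for r in rules):
            self._flows.add((pkt.src, pkt.src_port, pkt.dst, pkt.dst_port, pkt.proto))
            return "allow"
        return "deny"

class NetworkAcl:
    """Subnet level, stateless, allow and deny rules, evaluated by rule number."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt):
        rules = self.inbound if pkt.direction == "in" else self.outbound
        for r in rules:      # lowest number first; the first match decides
            if r.matches(pkt):
                return r.action
        return "deny"        # the implicit final "*" rule

# Constructed sample traffic: an HTTPS request from the internet and its reply.
REQUEST = Packet("203.0.113.7", "10.0.1.10", "tcp", 51000, 443, "in")
REPLY = Packet("10.0.1.10", "203.0.113.7", "tcp", 443, 51000, "out")

def stateful_vs_stateless():
    """Request/reply through an SG and a NACL that each allow only inbound 443."""
    web = Rule("0.0.0.0/0", "tcp", 443, 443, number=100)
    sg = SecurityGroup(inbound=[web], outbound=[])
    nacl = NetworkAcl(inbound=[web])
    # A NACL needs an explicit outbound rule for ephemeral ports before replies can leave.
    fixed = NetworkAcl(inbound=[web], outbound=[Rule("0.0.0.0/0", "tcp", 1024, 65535, number=100)])
    return {"sg": (sg.evaluate(REQUEST), sg.evaluate(REPLY)),
            "nacl": (nacl.evaluate(REQUEST), nacl.evaluate(REPLY)),
            "nacl_with_ephemeral_rule": (fixed.evaluate(REQUEST), fixed.evaluate(REPLY))}

def block_one_address(bad_ip="198.51.100.23"):
    """Denying one IP: impossible in an SG, and in a NACL only if the deny is numbered first."""
    try:
        SecurityGroup(inbound=[Rule(f"{bad_ip}/32", "-1", 0, 65535, action="deny")])
        sg_can_deny = True
    except ValueError:
        sg_can_deny = False
    web = Rule("0.0.0.0/0", "tcp", 443, 443, number=100)
    deny = lambda n: Rule(f"{bad_ip}/32", "-1", 0, 65535, action="deny", number=n)
    pkt = Packet(bad_ip, "10.0.1.10", "tcp", 40000, 443, "in")
    return (sg_can_deny,
            NetworkAcl(inbound=[deny(50), web]).evaluate(pkt),    # deny wins: 50 < 100
            NetworkAcl(inbound=[deny(150), web]).evaluate(pkt))   # allow at 100 matches first
```

Calling stateful_vs_stateless() returns the SG passing both request and reply, the bare NACL dropping the reply, and the NACL with the ephemeral-port rule passing both; block_one_address() returns (False, "deny", "allow"), i.e. the SG cannot express the block at all, and in the NACL the block only works when the deny rule is numbered lower than the broad allow. The misordered case is the practical trap: a deny appended with a high number after an existing allow-all never fires.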
