Security Groups vs NACLs: Which One Should You Use?

Key Takeaway

Security Groups are instance-level stateful firewalls, NACLs are subnet-level stateless firewalls. Security Groups only allow permit rules and automatically allow responses, while NACLs support permit/deny rules but require explicit response rules.

Core Differences Between Security Groups and NACLs

Comparison at a Glance

Comparison	Security Group	NACL
Applies to	Instance (ENI)	Subnet
State	Stateful	Stateless
Rule Types	Allow only	Allow + Deny
Rule Evaluation	All rules combined	By rule number order
Response Traffic	Auto-allowed	Explicit rule needed
Default Behavior	All inbound denied, all outbound allowed	Default ACL: allow all
Associations	Multiple per instance	One per subnet
Cost	Free	Free

Stateful vs Stateless: The Most Important Difference

Stateful (Security Group)

[Client] ─────► [EC2]
          Request (port 80)

[Client] ◄───── [EC2]
          Response (auto-allowed)

Inbound: Port 80 allowed → Response goes out automatically without outbound rule

Stateless (NACL)

[Client] ─────► [EC2]
          Request (port 80)
          Inbound rule needed!

[Client] ◄───── [EC2]
          Response (ephemeral port)
          Outbound rule needed!

Both inbound + outbound must be explicitly allowed

Security Groups: Instance-Level Firewall

Features

• Applies to: ENIs of EC2, RDS, Lambda (VPC), ElastiCache, etc.
• Allow rules only: No deny rules → cannot block specific IPs
• Multiple associations: Up to 5 per instance (16 upon request)
• Can reference other Security Groups: Use SG as source instead of IP

Default Behavior

Newly created Security Group:
├── Inbound: All traffic denied (default)
└── Outbound: All traffic allowed (default)

Rule Evaluation

All rules are evaluated together. When multiple Security Groups are attached, all rules are combined.

Security Group A: Port 22 allowed
Security Group B: Port 80 allowed
→ Result: Both port 22 + port 80 allowed

Security Group Rule Example

Web Server Security Group

Type	Protocol	Port	Source/Dest	Description
Inbound	TCP	80	0.0.0.0/0	Allow HTTP
Inbound	TCP	443	0.0.0.0/0	Allow HTTPS
Inbound	TCP	22	10.0.0.0/8	SSH (internal only)
Outbound	All	All	0.0.0.0/0	Allow all outbound

Referencing Security Groups as Source

You can specify another Security Group as source instead of IP.

Web-SG (web server):
└── Inbound: Port 80, Source = ALB-SG

Only resources attached to ALB-SG can access the web server
→ Flexible against IP changes!

NACLs: Subnet-Level Firewall

Features

• Applies to: Entire subnet (traffic entering/leaving subnet)
• Allow + Deny rules: Can explicitly block specific IPs
• One per subnet: Cannot attach multiple NACLs
• Rule numbers set priority: Lower numbers evaluated first

Default Behavior

Default NACL (auto-created with VPC):
├── Inbound: Rule 100 - Allow all traffic
├── Outbound: Rule 100 - Allow all traffic
└── * (asterisk): Deny all (final deny if no match)

Custom NACL (newly created):
├── Inbound: * - Deny all (default)
└── Outbound: * - Deny all (default)

Rule Evaluation

Rules are evaluated by rule number order, and immediately applied when matched—remaining rules are ignored.

Rule 100: Port 22 Allow
Rule 200: Port 22 Deny
→ Result: Port 22 allowed (Rule 100 matches first)

Rule 100: Port 22 Deny
Rule 200: Port 22 Allow
→ Result: Port 22 denied (Rule 100 matches first)

NACL Rule Example

Web Server Subnet NACL

Rule #	Type	Protocol	Port	Source/Dest	Allow/Deny
Inbound
100	TCP	80	0.0.0.0/0	Allow
110	TCP	443	0.0.0.0/0	Allow
120	TCP	22	10.0.0.0/8	Allow
130	TCP	1024-65535	0.0.0.0/0	Allow
*	All	All	0.0.0.0/0	Deny
Outbound
100	TCP	80	0.0.0.0/0	Allow
110	TCP	443	0.0.0.0/0	Allow
120	TCP	1024-65535	0.0.0.0/0	Allow
*	All	All	0.0.0.0/0	Deny

Why Ephemeral Ports Matter

When a client connects to a server, a temporary port for receiving responses is assigned.

Client → Server: Destination port 80
Server → Client: Destination port = Ephemeral port (1024-65535)

Ephemeral Port Ranges by OS:

OS	Port Range
Linux	32768-60999
Windows	49152-65535
AWS NAT Gateway	1024-65535

Traffic Flow Order

External → EC2 (Inbound)

Internet
  ↓
[1] NACL Inbound rule evaluation
  ↓ (pass)
[2] Security Group Inbound rule evaluation
  ↓ (pass)
EC2 Instance

EC2 → External (Outbound)

EC2 Instance
  ↓
[1] Security Group Outbound rule evaluation
  ↓ (pass)
[2] NACL Outbound rule evaluation
  ↓ (pass)
Internet

Intra-Subnet Communication

Communication between EC2s in the same subnet:
- NACL: Not evaluated (traffic doesn't leave subnet)
- Security Group: Evaluated (instance-level)

When to Use Each?

When Security Groups Are Sufficient

• Fine-grained per-instance access control needed
• No need to block specific IPs
• Dynamic IP handling via Security Group references

When NACLs Are Needed

• Need to block specific IPs/IP ranges (DDoS, malicious IPs)
• Subnet-level defense perimeter required
• 2-layer security for compliance

Recommended Architecture: 2-Layer Security

┌─────────────────────────────────────────┐
│                   VPC                    │
│  ┌─────────────────────────────────────┐│
│  │           Public Subnet              ││
│  │  NACL: Block known malicious IPs     ││
│  │  ┌───────────────────────────────┐  ││
│  │  │   EC2 (Web Server)            │  ││
│  │  │   SG: Allow 80, 443           │  ││
│  │  └───────────────────────────────┘  ││
│  └─────────────────────────────────────┘│
│  ┌─────────────────────────────────────┐│
│  │         Private Subnet               ││
│  │  NACL: Allow only private traffic    ││
│  │  ┌───────────────────────────────┐  ││
│  │  │   RDS (Database)              │  ││
│  │  │   SG: 3306, Source=WebServerSG│  ││
│  │  └───────────────────────────────┘  ││
│  └─────────────────────────────────────┘│
└─────────────────────────────────────────┘

Traffic Not Filtered

Both Security Groups and NACLs do not filter the following traffic:

• Amazon DNS (Route 53 Resolver)
• DHCP
• EC2 Instance Metadata (169.254.169.254)
• Amazon Time Sync Service
• Windows License Activation
• Reserved IP addresses for VPC router

SAA-C03 Exam Focus Points

1. ✅ Stateful vs Stateless: Security Group = Stateful (auto response), NACL = Stateless (response rule needed)
2. ✅ Scope: Security Group = Instance, NACL = Subnet
3. ✅ Rule Evaluation: Security Group = All combined, NACL = By number order
4. ✅ Deny Rules: Security Group = Allow only, NACL = Allow + Deny
5. ✅ Ephemeral Ports: NACL needs 1024-65535 allowed for response traffic

Frequently Asked Questions

Q: Can I block specific IPs with Security Groups?

No. Security Groups only support allow rules. To block specific IPs, use NACL deny rules.

Q: How should I set NACL rule numbers?

Use increments of 100 (100, 200, 300...). This allows flexibility to insert rules in between later (e.g., 150).

Q: What's the difference between default and custom NACLs?

• Default NACL: Auto-created with VPC, allows all by default
• Custom NACL: User-created, denies all by default

Q: Does NACL apply to traffic between EC2s in the same subnet?

No. NACLs only apply at subnet boundaries. Intra-subnet traffic is only subject to Security Groups.

Q: What's the advantage of referencing Security Groups as source?

No rule changes needed when IPs change. For example, when Auto Scaling adds/removes instances, access is automatically allowed if they're attached to the referenced Security Group.

Q: Do I need to use both?

Security Groups are mandatory, NACLs are optional. However, using both is recommended for defense in depth. NACLs are essential if you need to block specific IPs.

---

Related Posts

• VPC Basics: CIDR, Subnets, Route Tables
• VPC Endpoints: Interface vs Gateway
• NAT Gateway vs NAT Instance

---

References

• AWS Security Groups Documentation
• AWS Network ACLs Documentation
• Security Group vs NACL (Tutorials Dojo)
• AWS VPC Security Best Practices