Security Groups vs NACLs
Understand the two layers of VPC network security — stateful security groups at the instance level and stateless NACLs at the subnet level.
Learning outcomes
By the end of this lesson, you will be able to:
- Explain the difference between stateful and stateless firewalls.
- Describe how security groups work at the instance level.
- Describe how NACLs work at the subnet level.
- Compare security groups and NACLs in a side-by-side table.
- Choose the correct tool for common exam scenarios.
Quick recap: security groups
You met security groups in Module 4.1. Here's the essential recap:
- Level: Attached to individual instances (ENIs).
- Rules: Allow-only — you cannot create deny rules.
- State: Stateful — if inbound traffic is allowed, the response is automatically allowed out.
- Default: A newly created security group has no inbound rules (all inbound traffic blocked) and a single outbound rule allowing all traffic.
Tip
Think of a security group as a bouncer at a door. The bouncer only has an invite list (allow rules). If you're not on the list, you don't get in. And if you were let in, you're automatically allowed to leave.
Introducing NACLs
A Network Access Control List (NACL) is a firewall at the subnet level. Every subnet in your VPC is associated with exactly one NACL at a time (a subnet you don't explicitly associate uses the VPC's default NACL), and a single NACL can be associated with several subnets.
How NACLs differ from security groups
- Level: Applied to the entire subnet — all traffic entering or leaving the subnet passes through the NACL.
- Rules: Support both allow and deny rules.
- State: Stateless — inbound and outbound rules are evaluated independently. If you allow inbound traffic, you must also explicitly allow the outbound response. In practice that means an outbound rule for the client's ephemeral port range (commonly 1024–65535), because the reply to a request on port 443 leaves the subnet destined for a high-numbered port, not port 443.
- Evaluation: Rules are evaluated in number order (lowest first). The first matching rule wins.
Default NACL vs custom NACL
| | Default NACL | Custom NACL |
|---|---|---|
| Created with | Every new VPC | Manually by you |
| Default behavior | Allows all inbound and outbound traffic | Denies all inbound and outbound traffic |
| Use case | Works out of the box | Requires explicit rules before any traffic flows |
Warning
If you create a custom NACL and associate it with a subnet without adding rules, all traffic will be blocked. This is a common mistake that breaks connectivity.
NACL rule evaluation
NACL rules are processed in ascending numerical order. The first rule that matches the traffic is applied, and no further rules are checked.
| Rule # | Type | Protocol | Port | Source | Action |
|---|---|---|---|---|---|
| 100 | Inbound | TCP | 443 | 0.0.0.0/0 | Allow |
| 110 | Inbound | TCP | 80 | 0.0.0.0/0 | Allow |
| 120 | Inbound | TCP | 22 | 203.0.113.5/32 | Allow |
| 200 | Inbound | All | All | 198.51.100.0/24 | Deny |
| * | Inbound | All | All | 0.0.0.0/0 | Deny |
- Rule 100 is checked first. If the traffic matches, it's allowed — done.
- Rule 200 denies the range 198.51.100.0/24, but only for traffic that no lower-numbered rule already matched. HTTPS and HTTP from that range still match rules 100 and 110 first and are allowed; to block the range entirely, the deny rule must be numbered below 100.
- The `*` (asterisk) rule is the catch-all — if no numbered rule matches, this rule denies the traffic.
Note
Exam tip: Lower-numbered rules are evaluated first. If you need to block a specific IP, place the deny rule with a lower number than any allow rule that might match the same traffic.
Side-by-side comparison
| Feature | Security Group | NACL |
|---|---|---|
| Operates at | Instance (ENI) level | Subnet level |
| State | Stateful | Stateless |
| Rule types | Allow only | Allow and Deny |
| Rule evaluation | All rules evaluated together | Rules evaluated in number order (first match wins) |
| Default inbound | All denied | Default NACL: all allowed; Custom NACL: all denied |
| Default outbound | All allowed | Default NACL: all allowed; Custom NACL: all denied |
| Association | One or more instances (ENIs); an instance can have several security groups | One or more subnets; each subnet has exactly one NACL at a time |
When to use each — exam patterns
Use a security group when:
- You need to control access per instance (e.g., allow only your web servers to talk to your database).
- You want to reference other security groups as sources (e.g., "allow traffic from the web-server security group").
Use a NACL when:
- You need to block a specific IP address or range — security groups cannot deny traffic.
- You want a subnet-wide rule that applies to all resources in that subnet.
- You need an additional layer of defense alongside security groups (defense in depth).
Tip
On the CCP exam, if a question mentions blocking or denying specific traffic, the answer is almost always a NACL. Security groups are allow-only.
Summary
Security groups and NACLs are complementary layers of network security:
- Security groups = instance-level, stateful, allow-only.
- NACLs = subnet-level, stateless, allow + deny.
Together they form a defense-in-depth strategy. Most production VPCs use both.
Next lesson
Lesson 3: Amazon Route 53 — DNS and Routing