EN_AWS_Network

somaz edited this page Mar 30, 2026 · 1 revision

6. AWS Network ACL vs Security Group

| Security Group (Stateful) | AWS Network ACL (Stateless) |
| --- | --- |
| Applied per instance (first layer of security) | Applied per subnet (second layer of security) |
| Only supports allow rules | Supports both allow and deny rules |
| Automatically allows responses to outbound requests | Requires an explicit rule for outbound responses |
| Evaluates all rules before allowing traffic | Allows or denies traffic based on rule number order |
| Applies only to the instances it is attached to | Automatically applies to all instances in the subnet |
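The differences in the table can be made concrete with a small simulation of both evaluation models. This is an added example, not code from the wiki or from AWS; rule sets, IP addresses and ports are constructed, and the `Rule` / `SecurityGroup` / `nacl_decision` names are this example's own. It shows that a lower-numbered NACL deny wins over a later allow, that an NACL without an outbound ephemeral-port rule drops the reply to an allowed inbound request, and that a security group allows that reply because it tracks state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    number: int     # NACL rule number (evaluation order); ignored for security groups
    action: str     # "allow" or "deny"; security groups only ever use "allow"
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound rules
    port_from: int
    port_to: int

    def matches(self, ip: str, port: int) -> bool:
        return (ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)

def nacl_decision(rules, ip, port):
    """Stateless and ordered: the lowest-numbered matching rule wins; the implicit
    '*' rule denies anything that matched nothing. Replies get no special treatment."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(ip, port):
            return rule.action
    return "deny"

class SecurityGroup:
    """Stateful and allow-only: any matching allow rule permits traffic, and the reply
    to permitted traffic is allowed whatever the rules in the other direction say."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.flows = set()  # (peer_ip, peer_port, local_port) of accepted inbound flows

    @staticmethod
    def _allowed(rules, ip, port):
        return any(r.action == "allow" and r.matches(ip, port) for r in rules)

    def inbound_decision(self, peer_ip, peer_port, local_port):
        if self._allowed(self.inbound, peer_ip, local_port):
            self.flows.add((peer_ip, peer_port, local_port))
            return "allow"
        return "deny"

    def outbound_decision(self, peer_ip, peer_port, local_port):
        if (peer_ip, peer_port, local_port) in self.flows:
            return "allow"  # reply to an established inbound flow: no outbound rule needed
        return "allow" if self._allowed(self.outbound, peer_ip, peer_port) else "deny"

# Constructed sample rule sets (not from any real account): HTTPS from anywhere, one range
# denied by a lower-numbered NACL rule, and an outbound NACL that forgot ephemeral ports.
NACL_IN = [Rule(100, "allow", "0.0.0.0/0", 443, 443), Rule(90, "deny", "203.0.113.0/24", 443, 443)]
NACL_OUT = [Rule(100, "allow", "0.0.0.0/0", 443, 443)]
NACL_OUT_FIXED = NACL_OUT + [Rule(110, "allow", "0.0.0.0/0", 1024, 65535)]
```

The `NACL_OUT_FIXED` set is the practical fix the table's "requires an explicit rule for outbound responses" row refers to: an outbound allow covering the client's ephemeral port range.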
```mermaid
flowchart TB
    subgraph Region
        subgraph VPC ["VPC (10.0.0.0/16)"]

            IGW((("Internet Gateway")))

            Router[("Router")]

            IGW <--> Router

            subgraph Subnet1 ["Subnet"]
                SG1["Security Group"]
                EC2_1A(["EC2"])
                EC2_1B(["EC2"])
                SG1 <--> EC2_1A
                SG1 <--> EC2_1B
            end

            subgraph Subnet2 ["Subnet"]
                SG2["Security Group"]
                EC2_2A(["EC2"])
                EC2_2B(["EC2"])
                SG2 <--> EC2_2A
                SG2 <--> EC2_2B
            end

            RouteTable1["Route Table"]
            RouteTable2["Route Table"]

            ACL1[("Network ACL")]
            ACL2[("Network ACL")]

            Router <--> RouteTable1 <--> ACL1 <--> Subnet1
            Router <--> RouteTable2 <--> ACL2 <--> Subnet2
        end
    end
```
