Two Layers of Filtering
An AWS VPC offers two layers of packet filtering. A security group wraps an individual instance (strictly, its network interface), while a network access control list (NACL) guards a whole subnet. They look similar but behave very differently, and the differences decide whether a connection completes at all.
Stateful vs Stateless
The key difference is whether the layer remembers connections.
- A security group is stateful: if you allow a request in (or out), the reply is automatically allowed back, with no rule needed for the return direction.
- A network access control list is stateless: every packet is judged on its own, so you must allow both the inbound request and the matching outbound reply. The reply goes back to the client's ephemeral source port, which is why a NACL that only opens port 443 still needs an outbound rule for the ephemeral range (AWS recommends 1024-65535) before a web session works.
- Security groups support allow rules only, so a group's policy is "drop everything not listed"; NACLs support both allow and deny, which makes them the only one of the two layers that can block a specific address range explicitly.
Where They Sit
A security group attaches to an elastic network interface on an instance, not to the subnet, so two instances in one subnet can carry different groups, and a rule's source can be another security group rather than a CIDR. All of a group's rules are evaluated together; there is no ordering. A NACL attaches to a subnet, applies to every interface in it, and evaluates rules from the lowest number upward, stopping at the first match; a packet that matches nothing hits the implicit deny at the end. The default NACL allows all traffic in both directions, while a newly created custom NACL denies everything until you add rules. Many designs use NACLs for coarse subnet-wide blocks, such as denying a known-bad address range, and security groups for fine-grained instance access.
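To make the two behaviours concrete, here is a small Python model written for this page (an added illustration, not AWS code) of a stateful, allow-only security group next to a stateless, numbered allow/deny NACL. The rule shapes, the `https_round_trip` traffic, the addresses and the rule numbers are all constructed for the demo. It pushes the same HTTPS request and reply through each layer and shows why a NACL that only opens 443 drops the reply until the outbound ephemeral range is added, and why a deny rule only bites when its number is lower than the allow it is meant to beat.

```python
"""Toy model of the two VPC filtering layers, built to show their semantics.
This is an added illustration, not AWS code: rules are simplified to one
CIDR, one TCP port range and (for NACLs) a rule number each."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    cidr: str               # remote range: source for inbound, destination for outbound
    from_port: int          # destination port range the rule covers
    to_port: int
    action: str = "allow"   # "deny" is valid only in a NACL
    proto: str = "tcp"

    def matches(self, remote_ip: str, dport: int, proto: str) -> bool:
        return (proto == self.proto
                and ip_address(remote_ip) in ip_network(self.cidr)
                and self.from_port <= dport <= self.to_port)


def _remote(pkt: Packet, direction: str) -> str:
    # Inbound rules match the packet's source, outbound rules its destination.
    return pkt.src if direction == "in" else pkt.dst


class SecurityGroup:
    """Stateful, allow only: every rule is checked (no ordering), anything not
    allowed is dropped, and the reply to a permitted flow passes without a
    rule of its own. (A real default group also carries an allow-all outbound
    rule; this model starts with none.)"""

    def __init__(self, inbound, outbound):
        if any(r.action != "allow" for r in list(inbound) + list(outbound)):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()   # 5-tuples of flows already permitted

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reverse in self.tracked:        # reply to a tracked flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(_remote(pkt, direction), pkt.dport, pkt.proto) for r in rules):
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
            return True
        return False                       # implicit deny


class NetworkAcl:
    """Stateless, ordered allow/deny: each packet in each direction is judged
    on its own, rules are tried lowest number first, the first match wins,
    and an unmatched packet hits the implicit deny at the end."""

    def __init__(self, inbound, outbound):
        # inbound and outbound are lists of (rule_number, Rule)
        self.inbound = sorted(inbound, key=lambda nr: nr[0])
        self.outbound = sorted(outbound, key=lambda nr: nr[0])

    def evaluate(self, pkt: Packet, direction: str) -> bool:
        rules = self.inbound if direction == "in" else self.outbound
        for _, rule in rules:
            if rule.matches(_remote(pkt, direction), pkt.dport, pkt.proto):
                return rule.action == "allow"
        return False                       # implicit deny


def https_round_trip(fw) -> tuple:
    """Constructed traffic: a client hits 10.0.1.10:443 from an ephemeral port
    and the server answers. Returns (request_allowed, reply_allowed)."""
    request = Packet(src="203.0.113.5", sport=51000, dst="10.0.1.10", dport=443)
    reply = Packet(src="10.0.1.10", sport=443, dst="203.0.113.5", dport=51000)
    return fw.evaluate(request, "in"), fw.evaluate(reply, "out")


HTTPS = Rule("0.0.0.0/0", 443, 443)
EPHEMERAL = Rule("0.0.0.0/0", 1024, 65535)   # where client-side replies land
BLOCK_CLIENT = Rule("203.0.113.0/24", 443, 443, action="deny")


def demo() -> dict:
    return {
        # inbound 443 only: the reply rides the connection table
        "sg": https_round_trip(SecurityGroup([HTTPS], [])),
        # same single rule on a NACL: the reply to port 51000 has no outbound match
        "nacl_no_ephemeral": https_round_trip(NetworkAcl([(100, HTTPS)], [])),
        # add the outbound ephemeral range and the flow completes
        "nacl_with_ephemeral": https_round_trip(
            NetworkAcl([(100, HTTPS)], [(100, EPHEMERAL)])),
        # deny numbered below the allow wins the request; the reply is still judged
        # alone and passes the outbound ephemeral rule, because nothing is tracked
        "nacl_deny_first": https_round_trip(
            NetworkAcl([(90, BLOCK_CLIENT), (100, HTTPS)], [(100, EPHEMERAL)])),
        # the same deny numbered above the allow never fires
        "nacl_deny_after": https_round_trip(
            NetworkAcl([(100, HTTPS), (110, BLOCK_CLIENT)], [(100, EPHEMERAL)])),
    }


if __name__ == "__main__":
    for name, (req, rep) in demo().items():
        print(f"{name:20} request={'allow' if req else 'drop'} reply={'allow' if rep else 'drop'}")
```

Run it and the `nacl_no_ephemeral` line is the one that bites people: the request is accepted and the session still hangs, because the reply is dropped on the way out. The `nacl_deny_first` line shows the other face of statelessness: the subnet will happily emit the server's reply packet even though it never let the request in, so a NACL deny is a filter on packets, not on conversations.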
Key idea
A security group is a stateful, allow-only firewall on the instance's network interface, while a network access control list is a stateless, ordered, allow-and-deny filter on the subnet edge; inbound traffic must pass both to reach the instance.