Security Groups and NACLs

How stateful security groups and stateless network ACLs filter traffic at different layers of a cloud network.

Two Layers of Filtering

Cloud networks offer two firewall mechanisms. A security group wraps an instance, while a network access control list wraps a subnet. They work together as defense in depth.

Security Groups Are Stateful

A security group is stateful, meaning it remembers connections. If you allow an inbound request, the matching response is automatically allowed back out.

  • You only define the directions you care about.
  • Security groups support allow rules only.
  • They attach to instances or interfaces.

Network ACLs Are Stateless

A network ACL is stateless, so it evaluates every packet independently. You must write rules for both the request and the response directions.

  • NACLs support both allow and deny rules.
  • Rules are evaluated in numbered order, first match wins.
  • They apply to an entire subnet.

Choosing Between Them

Use security groups for everyday instance-level access. Use NACLs for coarse subnet-wide blocks, such as denying a known bad address range before traffic reaches any instance.
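To make the stateful and stateless behaviour from the two sections above concrete, here is an added Python model that is not code from this lesson or from any cloud provider; the string-prefix matching, the rule tuple layout and the sample addresses are simplifying assumptions. It shows the response to an allowed request passing the security group automatically, the same response being dropped by a NACL that lacks an outbound ephemeral-port rule, and a low-numbered NACL deny stopping a range that the security group alone would admit.

```python
from collections import namedtuple

# direction is "in" or "out" relative to the protected instance or subnet
Packet = namedtuple("Packet", "direction src sport dst dport")

class SecurityGroup:
    """Stateful and allow-only. Inbound rules are (source prefix, port); "" matches any source."""
    def __init__(self, inbound_allow):
        self.inbound_allow = inbound_allow
        self.flows = set()  # remembered (client, client_port, server_port) tuples

    def evaluate(self, p):
        if p.direction == "in":
            if any(p.src.startswith(pre) and p.dport == port for pre, port in self.inbound_allow):
                self.flows.add((p.src, p.sport, p.dport))
                return "allow"
            return "deny"  # implicit deny: no allow rule matched
        # outbound: a response to a tracked inbound flow passes with no outbound rule at all
        return "allow" if (p.dst, p.dport, p.sport) in self.flows else "deny"

class NetworkAcl:
    """Stateless. Rules are (number, direction, peer prefix, port_lo, port_hi, action)."""
    def __init__(self, rules):
        self.rules = sorted(rules)  # evaluated lowest number first

    def evaluate(self, p):
        peer = p.src if p.direction == "in" else p.dst
        for _, d, pre, lo, hi, action in self.rules:
            if d == p.direction and peer.startswith(pre) and lo <= p.dport <= hi:
                return action  # first match wins; later rules are never consulted
        return "deny"  # the implicit final deny

def run_scenario():
    sg = SecurityGroup([("", 443)])  # allow HTTPS from anywhere
    forgetful = NetworkAcl([(100, "in", "", 443, 443, "allow")])  # no rule for the return path
    complete = NetworkAcl([
        (50, "in", "203.0.113.", 0, 65535, "deny"),  # known-bad range, numbered lowest so it wins
        (100, "in", "", 443, 443, "allow"),
        (100, "out", "", 1024, 65535, "allow"),  # ephemeral ports so responses can leave
    ])
    # constructed sample traffic: a client request, the server's response, a packet from the bad range
    req = Packet("in", "198.51.100.7", 51515, "10.0.1.5", 443)
    resp = Packet("out", "10.0.1.5", 443, "198.51.100.7", 51515)
    bad = Packet("in", "203.0.113.9", 40000, "10.0.1.5", 443)
    return {"sg_request": sg.evaluate(req), "sg_response": sg.evaluate(resp),
            "sg_bad_range": sg.evaluate(bad), "nacl_forgetful_response": forgetful.evaluate(resp),
            "nacl_complete_response": complete.evaluate(resp), "nacl_bad_range": complete.evaluate(bad)}
```

The "sg_bad_range" and "nacl_bad_range" results together are the defense-in-depth point: the subnet-wide deny catches what the instance-level allow rule would have let through.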

Key idea

Security groups are stateful instance firewalls with allow rules, while network ACLs are stateless subnet filters with allow and deny rules, and layering both gives defense in depth.

Check yourself

1. What does stateful mean for a security group?

2. What can a network ACL do that a security group cannot?

3. At what level does a network ACL apply?