A security group controls the traffic that is allowed to reach and leave the resources that it is associated with. It acts as a Firewall in front of your resources.
A network ACL allows or denies specific inbound or outbound traffic at the subnet level
Looks kind of they are doing the same thing.. right?
While they might look similar to each other, there are actually many differences between those 2 terms.
| Compare by | Security Groups | Network ACLs |
|---|---|---|
| Layer | Security groups act on instance level | Network ACLs act on the subnet level |
| Scope | You can attach a security group to specific instances | Since network ACLs act on the subnet level, they're applied on all the instances in that subnet |
| State | Security groups are stateful, which means allowing inbound traffic on a specific port will be enabled by default for the outbound traffic and vice versa. | Network ACLs are stateless, allowing inbound traffic on a specific port won't allow outbound traffic for that port. |
| Network Performance | - | Network ACLs have a larger impact because they act on the subnet level and will be applied on all of that subnet resources. |
While both contribute to network security, they are often used in conjunction to provide layered security controls. Security groups are like a firewall around instances, while network ACLs provide additional control at the subnet level. Understanding the nuances between them allows for a more comprehensive and fine-grained approach to network security in cloud environments.