Differences between security groups and network ACLs, and their comparison


What is a security group?

A security group is the mechanism that controls traffic to and from an instance.

By default, a security group only allows communication from members of the same security group; this is a characteristic feature of security groups.

Security groups are stateful, so return traffic does not need to be taken into account: the reply to an allowed request is allowed automatically.


Comparison with Network ACLs

Item                         | Security group                                      | Network ACL
-----------------------------+-----------------------------------------------------+----------------------------------------------------
Main function                | Controls access to EC2 communication;               | Controls communication across subnets;
                             | applied on a per-server (instance) basis            | applied on a per-VPC/subnet basis
Communication control method | Stateful (return traffic need not be considered:    | Stateless (return traffic must be set explicitly:
                             | if only inbound is set, the reply is also allowed)  | setting inbound does not set outbound)
Permissions that can be set  | Allow, in/out                                       | Allow and deny, in/out
Order of application         | All rules apply                                     | Applied in numbered sequence
Speed of application         | Reflected immediately                               | Reflected immediately
Specification method         | Allow only, in/out (whitelist method)               | Allow/deny, in/out (blacklist method)
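The rows of the table above (stateful vs. stateless handling of return traffic, allow-only vs. allow/deny, "all rules apply" vs. numbered first-match evaluation) can be made concrete with a small model of how each mechanism decides on a packet. The following is an added illustration written for this page, not AWS code; the `Rule`, `Packet`, `SecurityGroup` and `NetworkAcl` classes, the addresses and the port numbers are all constructed for the example. The behaviour it models is the one the table describes: a security group tracks flows so the reply needs no rule, whereas a network ACL needs an explicit outbound rule for the ephemeral reply ports and evaluates rules in number order with an implicit final deny.

```python
"""Toy model of security-group vs. network-ACL packet evaluation (constructed example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" (arriving at the instance) or "out" (leaving it)
    cidr: str               # remote address range the rule applies to
    port_from: int          # destination port range of the packet
    port_to: int
    action: str = "allow"   # security groups only ever use "allow"
    number: int = 0         # evaluation order; only network ACLs use it

    def matches(self, pkt):
        # For inbound packets the remote side is the source, for outbound the destination.
        remote_ip = pkt.src_ip if pkt.direction == "in" else pkt.dst_ip
        in_range = ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr, strict=False)
        return in_range and self.port_from <= pkt.dst_port <= self.port_to


@dataclass(frozen=True)
class Packet:
    direction: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def reply(self):
        """The return packet: opposite direction, addresses and ports swapped."""
        return Packet("out" if self.direction == "in" else "in",
                      self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def _flow_key(pkt):
    # Direction-independent 4-tuple so a packet and its reply map to the same flow.
    return frozenset({(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)})


class SecurityGroup:
    """Stateful, allow-only, every rule is considered (any match permits)."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups are allow-only (whitelist method)")
        self.rules = list(rules)
        self.tracked = set()    # connection table: this is what makes it stateful

    def evaluate(self, pkt):
        if _flow_key(pkt) in self.tracked:
            return "allow"      # return traffic of an allowed flow needs no rule
        if any(r.direction == pkt.direction and r.matches(pkt) for r in self.rules):
            self.tracked.add(_flow_key(pkt))
            return "allow"
        return "deny"           # implicit deny when nothing matches


class NetworkAcl:
    """Stateless, allow/deny, first matching rule in number order wins."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt):
        for r in self.rules:
            if r.direction == pkt.direction and r.matches(pkt):
                return r.action
        return "deny"           # the implicit "*" deny at the end of every network ACL


def demo():
    """Run one inbound SSH request and its reply through each mechanism (constructed values)."""
    ssh_in = Packet("in", "203.0.113.10", 50000, "10.0.1.5", 22)

    sg = SecurityGroup([Rule("in", "203.0.113.0/24", 22, 22)])
    sg_result = (sg.evaluate(ssh_in), sg.evaluate(ssh_in.reply()))

    # Only an inbound rule: the reply on an ephemeral port is dropped by the stateless ACL.
    nacl_no_return = NetworkAcl([Rule("in", "203.0.113.0/24", 22, 22, number=100)])
    nacl_missing = (nacl_no_return.evaluate(ssh_in), nacl_no_return.evaluate(ssh_in.reply()))

    # Return traffic set up explicitly: outbound rule for the ephemeral port range.
    nacl_with_return = NetworkAcl([
        Rule("in", "203.0.113.0/24", 22, 22, number=100),
        Rule("out", "0.0.0.0/0", 1024, 65535, number=100),
    ])
    nacl_explicit = (nacl_with_return.evaluate(ssh_in), nacl_with_return.evaluate(ssh_in.reply()))

    # Numbering decides: the same two rules give opposite results depending on order.
    deny_first = NetworkAcl([Rule("in", "203.0.113.0/24", 22, 22, "deny", 100),
                             Rule("in", "0.0.0.0/0", 22, 22, "allow", 200)])
    allow_first = NetworkAcl([Rule("in", "203.0.113.0/24", 22, 22, "deny", 200),
                              Rule("in", "0.0.0.0/0", 22, 22, "allow", 100)])

    return {
        "security_group": sg_result,                    # ("allow", "allow")
        "nacl_without_return_rule": nacl_missing,       # ("allow", "deny")
        "nacl_with_return_rule": nacl_explicit,         # ("allow", "allow")
        "nacl_deny_first": deny_first.evaluate(ssh_in),   # "deny"
        "nacl_allow_first": allow_first.evaluate(ssh_in), # "allow"
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately omits protocol handling and the reply direction's own rule lookup for security groups (a reply is allowed purely because the flow is tracked), which is exactly the difference the "Communication control method" row describes.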