Azure for AWS professionals - Networking - AWS - 06 Network ACLs vs Security Groups

@20aman    Oct 07, 2019

Note that this post is a part of the series. You can view all posts in this series here: Azure for AWS professionals - Index

Network ACLs (or Access Control Lists) and Security Groups are very similar in their functionality. Both are acting as a firewall and restricting the traffic. There are few key differences between the two that we need to understand so that we can create and apply this appropriately to any situation at hand.


Network ACLs are applied at the Subnet level. These restrict the traffic, coming in or out of the subnet. ACLs are therefore automatically applied to all resources (e.g. EC2 instances) in the subnet.

Whereas the Security Groups are applied at the EC2 instances level.

Network ACLs act as a secondary layer of defense. Also, if anyone forgets to apply Security Groups at the EC2 instances then Network ACLs assist in setting up standards in terms of allowed and blocked traffic in your environment.

Traffic Diagram with Network ACLs and Security Groups

(Image source:

Rule Types

In a Security Group, all the traffic is automatically denied. You can only define "Allow" rules. And the traffic is allowed as per these rules.

Whereas in Network ACLs you decide and configure for each rule if the traffic is Allowed or Denied

Rules Evaluation

In a Security Group, all rules are evaluated, regardless of their order, to determine what traffic is allowed. As all traffic is denied by default and you can only specify allow rules (with no priority or rule number), all the rules need to be evaluated to determine if the traffic is allowed or not.

In contrast, in Network ACLs, the rules are evaluated in order. If a matching rule is found for the traffic, then subsequent rules are NOT evaluated and the traffic is either Allowed or Denied as mentioned in the first matching rule.


A Security Group is Stateful. Return traffic is automatically allowed, regardless of any rules. In contrast, the Network ACLs are Stateless. Return traffic must be explicitly allowed by the rules.

For more information please check the official information here: Internetwork Traffic Privacy in Amazon VPC

Comments powered by Disqus