Security groups and network ACLs are the two traffic-filtering layers in a cloud VPC; the behaviour described here is AWS's.
Security groups are virtual firewalls attached directly to individual instances (more precisely, to their network interfaces). They control what traffic can reach and leave an instance and are stateful: if an inbound connection is allowed, the reply traffic for that connection is allowed out automatically, with no outbound rule needed. Security groups only support "allow" rules, so they describe what is permitted; anything not matched by an allow rule is implicitly denied, and there is no way to express an explicit block for a specific source.
Network ACLs apply at the subnet level and cover every instance in that subnet. They are stateless: return traffic is not tracked, so you must explicitly declare both the inbound and the outbound side of every conversation, including the outbound ephemeral port range (1024-65535) that replies to inbound connections use. Rules can be "allow" or "deny", which makes NACLs the place to block a known-bad address range, and they are evaluated in rule-number order with the first match winning, so a deny must carry a lower number than any allow it is meant to override.
| Feature | Security Groups | Network ACLs |
|---|---|---|
| Scope | Instance level | Subnet level |
| State | Stateful | Stateless |
| Rules | Allow only | Allow and deny |
| Application | Specific instances | All instances in a subnet |
| Order of rules | No priority; all rules are evaluated | Evaluated by rule number, lowest first; first match wins |
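The following is an added example, not code from the original page or from AWS. It is a toy model of the evaluation rules in the table: a stateful, allow-only security group with a connection-tracking table, and a stateless network ACL evaluated in rule-number order. It then runs an HTTPS request and its reply through both layers to show why a NACL that simply mirrors the security group's port-443 rule drops the reply, while one with an explicit outbound ephemeral-port rule passes it. The rule sets, the client addresses (taken from documentation ranges) and the `Rule`/`Packet`/`https_exchange` names are all constructed for the example.

```python
"""Toy model of how a security group and a network ACL decide on a packet
(illustration only, not AWS code). Security groups are stateful, allow-only
and unordered; NACLs are stateless, allow/deny and evaluated in rule-number
order with the first match winning."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str          # "in" or "out"
    protocol: str           # "tcp", "udp" or "all"
    port_from: int          # destination-port range covered by the rule
    port_to: int
    cidr: str               # remote address range
    action: str = "allow"   # NACLs may also say "deny"; SGs are allow-only
    number: int = 0         # NACL rule number; ignored by security groups


@dataclass(frozen=True)
class Packet:
    direction: str          # "in" arriving at the instance, "out" leaving it
    protocol: str
    peer: str               # remote IP address
    peer_port: int          # port on the remote side
    local_port: int         # port on the instance side


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Rules are written against the packet's destination port and the remote CIDR."""
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
    return (rule.direction == pkt.direction
            and rule.protocol in ("all", pkt.protocol)
            and rule.port_from <= dst_port <= rule.port_to
            and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr))


class SecurityGroup:
    """Stateful and allow-only; no ordering, any matching allow admits the packet."""

    def __init__(self, rules):
        if any(r.action != "allow" for r in rules):
            raise ValueError("security groups accept allow rules only")
        self.rules = list(rules)
        self.flows = set()              # connection-tracking table

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.protocol, pkt.peer, pkt.peer_port, pkt.local_port)
        if key in self.flows:           # return traffic of a tracked flow
            return "allow"
        if any(rule_matches(r, pkt) for r in self.rules):
            self.flows.add(key)         # remember the flow so replies can leave
            return "allow"
        return "deny"                   # implicit deny


class NetworkAcl:
    """Stateless; allow or deny; lowest rule number first, first match wins."""

    def __init__(self, rules):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if rule_matches(r, pkt):
                return r.action
        return "deny"                   # the trailing "*" rule


def https_exchange(sg: SecurityGroup, nacl: NetworkAcl,
                   client="203.0.113.10", client_port=51515) -> dict:
    """A client request to port 443 and the instance's reply, checked at both
    layers. Inbound traffic meets the NACL first, outbound traffic the SG first."""
    request = Packet("in", "tcp", client, client_port, 443)
    reply = Packet("out", "tcp", client, client_port, 443)   # reply targets the client's ephemeral port
    return {"request": {"nacl": nacl.evaluate(request), "sg": sg.evaluate(request)},
            "reply": {"sg": sg.evaluate(reply), "nacl": nacl.evaluate(reply)}}


# Constructed rule sets; addresses are hypothetical (documentation ranges).
ANY, BAD_HOST = "0.0.0.0/0", "198.51.100.7/32"
WEB_SG_RULES = [Rule("in", "tcp", 443, 443, ANY)]   # no outbound rule needed for replies

# Weak NACL: mirrors the SG rule in both directions, so a reply to the client's
# ephemeral port matches no outbound rule and is dropped.
WEAK_NACL = NetworkAcl([Rule("in", "tcp", 443, 443, ANY, number=100),
                        Rule("out", "tcp", 443, 443, ANY, number=100)])

# Corrected NACL: explicit outbound ephemeral range for return traffic, and a
# deny for one host numbered before the general allow so that it is reached.
HARDENED_NACL = NetworkAcl([Rule("in", "tcp", 443, 443, BAD_HOST, "deny", number=50),
                            Rule("in", "tcp", 443, 443, ANY, number=100),
                            Rule("out", "tcp", 1024, 65535, ANY, number=100)])

if __name__ == "__main__":
    for name, nacl in (("weak", WEAK_NACL), ("hardened", HARDENED_NACL)):
        print(name, https_exchange(SecurityGroup(WEB_SG_RULES), nacl))
    print("blocked client", https_exchange(SecurityGroup(WEB_SG_RULES), HARDENED_NACL, client="198.51.100.7"))
```

Running it shows the request allowed by both layers in every case, the reply allowed by the security group (tracked flow) but denied by the weak NACL, and the reply allowed end to end once the outbound 1024-65535 rule exists. Swapping the numbers on the hardened NACL's deny and allow rules makes the deny unreachable, which is the practical consequence of first-match evaluation. The model ignores several real-world details (multiple security groups per interface, the default NACL's allow-all rules, ICMP, IPv6), so treat it as an explanation of the table, not a policy checker.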