Skip to content

Difference Between Security Groups and Network ACL in AWS

Application Based Stickyness in ALB in AWS

The following table summarizes the basic differences between security groups and network ACLs.

Security GroupsNetwortk ACL (Access Control List)
Operates at the instance levelOperates at the subnet level
Applies to an instance only if it is associated with the instanceApplies to all instances deployed in the associated subnet (providing an additional layer of defense if security group rules are too permissive)
Supports allow rules onlySupports allow rules and deny rules
Evaluates all rules before deciding whether to allow trafficEvaluates rules in order, starting with the lowest numbered rule, when deciding whether to allow traffic
Stateful: Return traffic is allowed, regardless of the rulesStateless: Return traffic must be explicitly allowed by the rules
Table 1

The following diagram illustrates the layers of security provided by security groups and network ACLs. For example, traffic from an internet gateway is routed to the appropriate subnet using the routes in the routing table. The rules of the network ACL that is associated with the subnet control which traffic is allowed to the subnet. The rules of the security group that is associated with an instance control which traffic is allowed to the instance.


                Traffic is controlled using security groups and network ACLs