#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/network-design/cloud-networking/security-groups-vs-nacls

░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░░█████████████████████████████████████████████████████████████████████████████████████

#####   ######  #####    ###    #   #  ###  #   #  ######
##  ##  ##      ##  ##  ## ##   #   #   #   #   #  ##
#####   ####    #####   #   #   #   #   #   #   #  ####
##  #   ##      ##      ## ##    # #    #    # #   ##
##   #  ######  ##       ###      #    ###    #    ######

$ curl repovive.com/roadmaps/network-design/cloud-networking/security-groups-vs-nacls

Repovive

Security Groups vs NACLs - Cloud Networking | Network Design | Repovive

Repovive.

Network Design26 sections · 911 units44h total

Open in Course

Security Groups vs NACLs

Choosing the right control

Security groups and NACLs both filter traffic but work differently.

Feature	Security Group	NACL
Level	Instance	Subnet
State	Stateful	Stateless
Rules	Allow only	Allow and deny
Evaluation	All rules	Ordered

Use security groups for:

Primary traffic control
Application-tier isolation
Referencing other groups

Use NACLs for:

Blocking malicious IPs
Subnet-wide restrictions
Explicit deny rules

Most teams use security groups as primary and add NACLs for deny rules.