You want to control where traffic goes (direction/path).
| Scenario | Route Table Change |
|---|---|
| Private EC2 needs internet via NAT | Add 0.0.0.0/0 → NAT Gateway in private subnet RT |
| Public EC2 needs internet | Add 0.0.0.0/0 → IGW in public subnet RT |
| Two VPCs need to talk (VPC Peering) | Add the other VPC's CIDR → peering connection |
| On-premises network via VPN | Add on-prem CIDR → VPN Gateway |
Trigger thought: "Where should this traffic be sent?"
You want to control whether traffic is allowed at an instance.
| Scenario | SG Change |
|---|---|
| Allow SSH to a bastion host | Inbound SSH from your IP |
| Allow your app to talk to RDS | Inbound 3306 from app's SG |
| Block all traffic except HTTPS | Remove all inbound except port 443 |
Trigger thought: "Should this instance accept or reject this traffic?"
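To make both "trigger thoughts" concrete, the following added example (not part of the original note, and not AWS code) models the two decisions side by side: a route table picks the target for a destination by longest-prefix match, and a security group answers accept-or-reject for a packet at the instance, with everything not explicitly allowed being denied. The CIDRs and the `pcx-`, `vgw-`, `nat-`, `igw-` and `sg-` identifiers are constructed placeholders, and `203.0.113.10` stands in for "your IP".

```python
import ipaddress
from dataclasses import dataclass

# --- Route tables: "Where should this traffic be sent?" ---------------------
# Constructed entries mirroring the scenarios in the first table above.
# Every AWS route table also carries an implicit "local" route for the VPC CIDR.
PRIVATE_SUBNET_RT = [
    ("10.0.0.0/16",     "local"),        # this VPC (assumed 10.0.0.0/16)
    ("10.1.0.0/16",     "pcx-EXAMPLE"),  # peered VPC's CIDR -> peering connection
    ("192.168.0.0/16",  "vgw-EXAMPLE"),  # on-prem CIDR -> VPN gateway
    ("0.0.0.0/0",       "nat-EXAMPLE"),  # everything else -> NAT gateway
]
PUBLIC_SUBNET_RT = [
    ("10.0.0.0/16",     "local"),
    ("0.0.0.0/0",       "igw-EXAMPLE"),  # everything else -> internet gateway
]

def route_lookup(route_table, dst_ip):
    """Return the target for dst_ip using longest-prefix match.

    Overlapping routes are resolved by the most specific prefix, which is
    why the 0.0.0.0/0 default route never captures VPC, peered or on-prem
    traffic as long as those more specific routes are present.
    """
    dst = ipaddress.ip_address(dst_ip)
    best_net, best_target = None, None
    for cidr, target in route_table:
        net = ipaddress.ip_network(cidr)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_target = net, target
    return best_target  # None means there is no matching route and the packet is dropped

# --- Security groups: "Should this instance accept this traffic?" -----------
@dataclass(frozen=True)
class SgRule:
    proto: str    # "tcp" / "udp"
    port: int
    source: str   # a CIDR, or the id of another security group

def sg_allows_inbound(rules, proto, port, src_ip=None, src_sg=None):
    """Security groups are allow-lists: the first matching allow rule admits
    the packet, and a packet matching no rule is rejected. A rule whose
    source is a security group matches by the sender's SG membership, not by
    the sender's IP address."""
    for rule in rules:
        if rule.proto != proto or rule.port != port:
            continue
        if rule.source.startswith("sg-"):
            if src_sg == rule.source:
                return True
        elif src_ip is not None and ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source):
            return True
    return False

# Constructed rule sets for the three SG scenarios above.
BASTION_SG = [SgRule("tcp", 22, "203.0.113.10/32")]     # SSH only from "your IP"
RDS_SG     = [SgRule("tcp", 3306, "sg-app-EXAMPLE")]     # MySQL only from the app's SG
WEB_SG     = [SgRule("tcp", 443, "0.0.0.0/0")]           # HTTPS from anywhere, nothing else

if __name__ == "__main__":
    for ip in ("10.0.5.7", "10.1.2.3", "192.168.10.1", "8.8.8.8"):
        print(f"private subnet -> {ip}: {route_lookup(PRIVATE_SUBNET_RT, ip)}")
    print("SSH from your IP:", sg_allows_inbound(BASTION_SG, "tcp", 22, src_ip="203.0.113.10"))
    print("SSH from elsewhere:", sg_allows_inbound(BASTION_SG, "tcp", 22, src_ip="198.51.100.5"))
    print("3306 from app SG:", sg_allows_inbound(RDS_SG, "tcp", 3306, src_sg="sg-app-EXAMPLE"))
    print("HTTP to web SG:", sg_allows_inbound(WEB_SG, "tcp", 80, src_ip="8.8.8.8"))
```

Two properties of the real services are worth keeping in mind when reading the model: route tables only decide the path, so a correct route with a security group that has no matching inbound rule still yields a rejected connection; and security groups are stateful, so the return traffic for an allowed inbound connection does not need its own outbound rule.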