A side-by-side comparison of a NACL and a Security Group (SG) in AWS:
| Feature | NACL (Network Access Control List) | Security Group (SG) |
|---|---|---|
| Scope | Subnet-level | Instance-level |
| Statefulness | Stateless (Each request is evaluated independently) | Stateful (Responses are automatically allowed) |
| Rules | Can have both Allow and Deny rules, evaluated in order | Only Allow rules (no Deny); every rule in the group applies to the instances it is attached to |
| Traffic Direction | Controls inbound and outbound traffic for the entire subnet | Controls inbound and outbound traffic for the instances it is attached to (e.g., EC2) |
| Evaluation Order | Rules are evaluated in numerical order | All rules are evaluated collectively |
| Default Behavior | Default NACL allows all inbound and outbound traffic, but this can be modified | Default Security Group allows all outbound, but no inbound traffic unless specified |
| Common Use | Typically used for controlling traffic at the subnet level | Used for controlling traffic to individual instances (e.g., EC2) |
| Support for Multiple Rules | Supports multiple rules for both Allow and Deny | Supports multiple Allow rules only |
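To make the Statefulness and Evaluation Order rows concrete, here is an added toy model of both evaluators in Python; it is not AWS code or the AWS API, and the addresses, ports and rule numbers are constructed. It shows why a stateless NACL needs an explicit outbound rule for the client's ephemeral ports before a reply can leave the subnet, why a lower-numbered Deny beats a later Allow, and why a security group lets the same reply through with no outbound rule at all.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" (peer -> instance) or "out" (instance -> peer)
    peer: str        # remote IP address
    peer_port: int   # remote port; for a reply this is the client's ephemeral port
    local_port: int  # port on the instance, e.g. 443

@dataclass(frozen=True)
class Rule:
    number: int      # NACL rule number (lowest is evaluated first); ignored by the SG model
    direction: str   # "in" or "out"
    action: str      # "allow" or "deny"; a security group honours "allow" only
    cidr: str
    ports: range     # destination ports the rule covers

def matches(rule, pkt):
    dst_port = pkt.local_port if pkt.direction == "in" else pkt.peer_port
    return (rule.direction == pkt.direction and dst_port in rule.ports
            and ipaddress.ip_address(pkt.peer) in ipaddress.ip_network(rule.cidr))

def nacl_decision(rules, pkt):
    """Stateless: each packet is judged alone; the lowest-numbered match wins, else the implicit '*' deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if matches(rule, pkt):
            return rule.action
    return "deny"

def sg_decision(rules, flows, pkt):
    """Stateful: allow rules are evaluated collectively; replies to an admitted flow pass automatically."""
    flow = (pkt.peer, pkt.peer_port, pkt.local_port)
    if flow in flows:                   # return traffic of a connection already admitted
        return "allow"
    if any(r.action == "allow" and matches(r, pkt) for r in rules):  # deny rules do not exist in an SG
        flows.add(flow)
        return "allow"
    return "deny"

# Constructed scenario: HTTPS to an instance, one client range blocked by the NACL.
HTTPS = range(443, 444)
NACL = [Rule(90, "in", "deny", "203.0.113.0/24", HTTPS),      # wins over rule 100 for that range
        Rule(100, "in", "allow", "0.0.0.0/0", HTTPS),
        Rule(100, "out", "allow", "0.0.0.0/0", range(1024, 65536))]  # replies need this explicitly
SG_RULES = [Rule(0, "in", "allow", "0.0.0.0/0", HTTPS)]          # no outbound rule needed for replies
REQUEST = Packet("in", "198.51.100.10", 50000, 443)
REPLY = Packet("out", "198.51.100.10", 50000, 443)
```

Dropping the outbound NACL rule turns the reply into a "deny" while the inbound request still passes, which is the classic symptom of forgetting the ephemeral-port rule on a stateless list.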