Security groups vs NACLs (when to use which)

Topic: Cloud aws core

Summary

Security groups are stateful and apply to instances; NACLs are stateless and apply at the subnet level. Use security groups for most rules; add NACLs for subnet-level allow/deny or when you need rule numbers for order. Use this when designing VPC network security.

Intent: Decision

Quick answer

  • Security group: stateful (return traffic for an allowed connection is permitted automatically); attached to an ENI/instance; rules allow by port, protocol, and source (another SG or a CIDR). Use as the instance-level firewall; evaluated per instance; allow rules only, no deny rules.
  • NACL: stateless (inbound and outbound must each be allowed for a flow to complete); attached to a subnet; rules are numbered (e.g. 100 allow, 200 deny), evaluated lowest number first, and the first match wins. Use for a subnet-level block (e.g. deny a range for the entire subnet) or when you need an explicit deny.
  • Typical: use security groups for almost everything; add a NACL only for a subnet-wide rule or to block traffic before it reaches instances. Both can apply to the same traffic; inbound traffic is evaluated by the NACL (subnet) before the security group (instance).

Prerequisites

Steps

  1. Prefer security groups

    Attach SGs to instances and allow only the required ports and sources. SGs are stateful, so no rule is needed for return traffic. Reference an SG as the source for tier-to-tier rules (e.g. allow the web SG to reach the app SG).

  2. When to add NACL

    Use a NACL for subnet-level control: block a CIDR for the whole subnet, or apply an explicit deny before an allow (NACLs have deny rules; SGs do not). Rule order: the lowest number is evaluated first and the first match wins; number rules 100, 200, etc. to leave room for later inserts. Remember stateless: both inbound and outbound rules are needed for the same flow.

  3. Order of evaluation

    Inbound traffic hits the NACL first (subnet boundary), then the security group (instance). If the NACL denies it, the traffic never reaches the instance. Design so the NACL does not block required traffic, and test from a client.
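
    The three points above (stateless NACL needing both legs, numbered first-match rules, allow-only security group) as an added toy model of the evaluation logic; this is example code written for this page, not an AWS library or real VPC configuration, and the CIDRs, rule numbers and ports are constructed. It assumes clients pick reply ports from 1024-65535, the ephemeral range a stateless NACL must allow outbound.

```python
"""Toy model of how an AWS NACL (stateless, numbered, first match wins) and a
security group (stateful, allow-only) evaluate one TCP flow. Added example; the
CIDRs, rule numbers and ports are constructed and not taken from any real VPC."""
import ipaddress
from dataclasses import dataclass


@dataclass
class NaclRule:
    number: int       # lower numbers are evaluated first
    action: str       # "allow" or "deny"
    cidr: str         # remote address range the rule matches
    ports: tuple      # inclusive (low, high) port range

def nacl_decision(rules, addr, port):
    """Stateless first-match evaluation; an implicit '*' rule denies the rest."""
    ip = ipaddress.ip_address(addr)
    for r in sorted(rules, key=lambda rule: rule.number):
        if ip in ipaddress.ip_network(r.cidr) and r.ports[0] <= port <= r.ports[1]:
            return r.action
    return "deny"

def sg_allows(allow_rules, addr, port):
    """Security group: unordered allow rules only; there is nothing to deny with."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) and lo <= port <= hi
               for c, (lo, hi) in allow_rules)

def flow_permitted(inbound, outbound, sg_rules, client_ip, dst_port, client_port):
    """Request client -> instance:dst_port, reply instance -> client:client_port.
    The NACL checks each leg separately (stateless); the SG tracks the connection,
    so only the request needs an allow rule."""
    request_ok = nacl_decision(inbound, client_ip, dst_port) == "allow"
    reply_ok = nacl_decision(outbound, client_ip, client_port) == "allow"
    return request_ok and reply_ok and sg_allows(sg_rules, client_ip, dst_port)

# Constructed subnet NACL: explicit deny of one range numbered BEFORE the broad allow.
INBOUND = [NaclRule(100, "deny", "203.0.113.0/24", (0, 65535)),
           NaclRule(200, "allow", "0.0.0.0/0", (443, 443))]
# Outbound without an ephemeral-port rule: replies to clients are dropped.
OUTBOUND_NO_EPHEMERAL = [NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]
# Outbound with the ephemeral range (assumed 1024-65535) that clients reply on.
OUTBOUND = OUTBOUND_NO_EPHEMERAL + [NaclRule(200, "allow", "0.0.0.0/0", (1024, 65535))]
WEB_SG = [("0.0.0.0/0", (443, 443))]   # an SG alone cannot block 203.0.113.0/24

if __name__ == "__main__":
    print(flow_permitted(INBOUND, OUTBOUND, WEB_SG, "198.51.100.7", 443, 50000))
    print(flow_permitted(INBOUND, OUTBOUND_NO_EPHEMERAL, WEB_SG, "198.51.100.7", 443, 50000))
    print(flow_permitted(INBOUND, OUTBOUND, WEB_SG, "203.0.113.9", 443, 50000))
```

    Renumbering the deny rule above the allow (e.g. 300 instead of 100) makes it unreachable for port 443, which is the "rule not working" case from the troubleshooting section.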

Verification

  • Required traffic is allowed; blocked traffic is denied at the intended layer (NACL or SG).

Troubleshooting

  • Traffic blocked: check both the NACL and the SG; remember the NACL is stateless (inbound and outbound rules are both needed).
  • Rule not working: check rule order in the NACL; the first match wins.
