The Difference Between NACLs and Security Groups
Applying Security Group Rules and NACLs in Your VPC
To enhance the security of your VPC, you must understand the difference between network access control lists (NACLs) and security groups. They can both be deployed into one VPC, but have different functions.
AWS defines a security group as “a virtual firewall for your instance to control inbound and outbound traffic.” Security groups are applied at the instance level and must be explicitly assigned to the instance; security group rules are what control its inbound and outbound traffic. Security groups are stateful and carry an implicit deny: traffic is blocked unless a rule allows it.
AWS defines a NACL as “…an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets.” NACLs are stateless and, unlike security groups, support explicit deny rules, which is what lets them block specific IP addresses or ranges.
Transcription
Your AWS environment will need both network ACLs and security groups. A network ACL is automatically applied to the VPC when you set it up; you'll need to add your allow or deny rules. In contrast, the security group is only going to allow the traffic that gets past that network ACL to the instance. The security group is applied to the instance. So while the network ACL can allow or deny traffic, the security group can only allow traffic. It doesn't deny. Another big difference is that network ACLs are stateless while security groups are stateful. So security groups have an implicit deny: they block traffic completely unless there is an allow rule. But the biggest difference is that network ACLs have the ability to block IP addresses when they first come to your VPC.
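The following is an added example, not code from the page or from AWS: a small Python model of the two evaluation behaviours described above, written to make the differences concrete. All addresses, ports and rule numbers are constructed (documentation ranges), and the rule-matching logic is a simplification of the real service (protocol, ICMP and IPv6 handling are left out). It shows three things: a NACL deny rule stopping a client range before the security group ever sees the packet, a security group with no outbound rule still letting the HTTPS reply out because the inbound flow is tracked, and the same reply being dropped by a stateless NACL that lacks an outbound rule for the client's ephemeral port.

```python
"""Toy model of AWS network ACL vs security group semantics (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str   # "inbound" or "outbound" relative to the subnet / instance
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def remote_ip(self) -> str:
        # Inbound rules match on the source address, outbound rules on the destination
        return self.src_ip if self.direction == "inbound" else self.dst_ip

    def reverse(self) -> "Packet":
        other = "outbound" if self.direction == "inbound" else "inbound"
        return Packet(other, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


def _matches(direction: str, cidr: str, port_from: int, port_to: int, pkt: Packet) -> bool:
    return (direction == pkt.direction
            and ipaddress.ip_address(pkt.remote_ip()) in ipaddress.ip_network(cidr)
            and port_from <= pkt.dst_port <= port_to)


@dataclass(frozen=True)
class NaclRule:
    number: int
    direction: str
    cidr: str
    port_from: int
    port_to: int
    action: str      # "allow" or "deny": NACLs support both


class NetworkAcl:
    """Stateless: every packet, replies included, is checked against the numbered
    rules in ascending order; the first match wins and the trailing '*' rule denies."""

    def __init__(self, rules: List[NaclRule]):
        self.rules = sorted(rules, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        for r in self.rules:
            if _matches(r.direction, r.cidr, r.port_from, r.port_to, pkt):
                return r.action
        return "deny"


@dataclass(frozen=True)
class SgRule:
    direction: str
    cidr: str
    port_from: int
    port_to: int
    # no action field: a security group rule can only allow


class SecurityGroup:
    """Stateful: a packet allowed by a rule opens a tracked flow, and the reply is
    allowed automatically with no rule in the other direction. There are no deny rules."""

    def __init__(self, rules: List[SgRule]):
        self.rules = rules
        self.flows: Set[Packet] = set()

    def evaluate(self, pkt: Packet) -> str:
        if pkt.reverse() in self.flows:      # return traffic of a tracked flow
            return "allow"
        for r in self.rules:
            if _matches(r.direction, r.cidr, r.port_from, r.port_to, pkt):
                self.flows.add(pkt)
                return "allow"
        return "deny"


def traverse(nacl: NetworkAcl, sg: SecurityGroup, pkt: Packet) -> str:
    """Inbound traffic crosses the subnet NACL first, then the instance's security
    group; outbound traffic is checked in the opposite order."""
    order = [("NACL", nacl), ("security group", sg)]
    if pkt.direction == "outbound":
        order.reverse()
    for name, layer in order:
        if layer.evaluate(pkt) == "deny":
            return f"denied by {name}"
    return "allowed"


# Constructed addresses from the documentation ranges (not real hosts)
INSTANCE = "10.0.1.10"
CLIENT = "198.51.100.5"
BLOCKED_CLIENT = "203.0.113.7"


def build_nacl(with_ephemeral_rule: bool) -> NetworkAcl:
    rules = [
        NaclRule(100, "inbound", "203.0.113.0/24", 0, 65535, "deny"),  # block a range up front
        NaclRule(110, "inbound", "0.0.0.0/0", 443, 443, "allow"),
    ]
    if with_ephemeral_rule:
        # Stateless: the reply to the client's ephemeral port needs its own outbound rule
        rules.append(NaclRule(120, "outbound", "0.0.0.0/0", 1024, 65535, "allow"))
    return NetworkAcl(rules)


def build_sg() -> SecurityGroup:
    # Deliberately no outbound rule: flow tracking alone must let the reply out
    return SecurityGroup([SgRule("inbound", "0.0.0.0/0", 443, 443)])


def https_session(nacl: NetworkAcl, sg: SecurityGroup, client_ip: str) -> Tuple[str, str]:
    """Verdicts for an HTTPS request from client_ip and for the instance's reply."""
    request = Packet("inbound", client_ip, 51000, INSTANCE, 443)
    verdict = traverse(nacl, sg, request)
    if verdict != "allowed":
        return verdict, "no reply sent"
    return verdict, traverse(nacl, sg, request.reverse())


def demo() -> dict:
    return {
        "allowed client": https_session(build_nacl(True), build_sg(), CLIENT),
        "blocked client": https_session(build_nacl(True), build_sg(), BLOCKED_CLIENT),
        "nacl without ephemeral rule": https_session(build_nacl(False), build_sg(), CLIENT),
    }


if __name__ == "__main__":
    for name, (req, reply) in demo().items():
        print(f"{name:28s} request: {req:26s} reply: {reply}")
```

The third scenario is the one that catches people in practice: the security group allows the request and tracks the flow, so the reply passes the instance, but the stateless NACL evaluates the outbound reply on its own and drops it unless an outbound rule covers the client's ephemeral port range. The second scenario shows why the transcript calls the NACL the place to block addresses: the denied packet never reaches the security group at all.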