What are AWS Security Groups vs Network ACLs?
Answer
Both Security Groups and Network ACLs (NACLs) filter network traffic inside a VPC, but at different levels and with different semantics.

Security Groups (instance-level):
- A virtual firewall attached to an elastic network interface, so it applies to EC2 instances and to other resources that live on an ENI (RDS, ELB, Lambda in a VPC, and so on).
- Stateful: if inbound traffic is allowed, the outbound response is allowed automatically, and vice versa, because the connection is tracked. You do not need a rule for the return path.
- Allow rules only; there is no deny rule. Any traffic that matches no allow rule is dropped. A new security group allows all outbound and no inbound traffic until you add rules.
- All rules are evaluated together; if any rule matches, the traffic is allowed.
- A rule's source or destination can be an IP CIDR, a prefix list, or another security group. Referencing a group is the powerful part: "allow traffic from whatever currently belongs to the web tier's group" instead of maintaining IP lists.
- Applied per resource; many resources can share one group, and a resource can have several groups.
- Example: on the web tier's group, allow TCP 443 from 0.0.0.0/0; on the database group, allow TCP 5432 only from the application tier's security group.

Network ACLs (subnet-level):
- A firewall applied at the subnet boundary to all traffic entering or leaving the subnet. Each subnet is associated with exactly one NACL, so you cannot apply it selectively to some instances in the subnet.
- Stateless: inbound and outbound are evaluated independently, so you must allow both directions explicitly, including the ephemeral port range (1024-65535) that return traffic uses.
- Allow and deny rules, so you can explicitly block a specific IP or CIDR.
- Rules are evaluated in order of rule number, lowest first, and the first match wins; anything that matches no numbered rule hits the final "*" deny. A deny rule numbered higher than a broad allow never fires.
- The default NACL that comes with a VPC allows all inbound and outbound traffic; a NACL you create yourself denies everything until you add rules.
- NACLs do not filter traffic between instances in the same subnet; only security groups do.

Evaluation order: for traffic entering a subnet, the NACL is checked first and then the target instance's security group; for traffic leaving an instance, the security group is checked first and then the NACL. Both must allow the traffic for it to pass.

Defense in depth: use both. Treat the NACL as a coarse subnet-level filter (for example, blocking known-bad ranges or isolating a tier) and security groups as the fine-grained, per-resource control.

Remember: Security Groups = stateful, instance-level, allow-only, all rules evaluated; NACLs = stateless, subnet-level, allow+deny, numbered rules with first match wins.
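To make the stateful-vs-stateless difference and the evaluation order concrete, here is a small Python model of the two filters as described above. This is an added example, not AWS code: the rule classes, the flow-tracking set, the addresses and the scenario helpers are this example's own simplifications of the documented behaviour (NACL: numbered rules, first match wins, implicit deny, no state; Security Group: allow-only, any match wins, reverse direction of a tracked flow allowed). It shows the classic ephemeral-port mistake and why a deny rule numbered after a broad allow does nothing.

```python
"""Toy model of NACL + Security Group evaluation for one HTTPS exchange.

Added example, not AWS's code. Rule shapes, helper names and the 203.0.113.0/24
and 10.0.1.0/24 addresses are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


@dataclass(frozen=True)
class NaclRule:
    number: int   # lowest number is evaluated first; the console's '*' row is the implicit deny below
    action: str   # "allow" or "deny"
    cidr: str     # remote CIDR: packet source for inbound rules, destination for outbound rules
    port_lo: int
    port_hi: int
    proto: str = "tcp"


@dataclass(frozen=True)
class SgRule:
    cidr: str     # remote CIDR (a real SG rule may also reference another SG id; CIDR only here)
    port_lo: int
    port_hi: int
    proto: str = "tcp"


def _hits(rule, remote_ip, port, proto):
    return (rule.proto == proto and rule.port_lo <= port <= rule.port_hi
            and ip_address(remote_ip) in ip_network(rule.cidr))


class NetworkAcl:
    """Stateless subnet filter: each direction is checked on its own, first match by
    rule number wins, and a packet matching no numbered rule hits the implicit deny."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules, remote_ip, port, proto):
        for r in rules:
            if _hits(r, remote_ip, port, proto):
                return r.action == "allow"
        return False  # the '*' deny

    def allows_inbound(self, p):
        return self._first_match(self.inbound, p.src_ip, p.dst_port, p.proto)

    def allows_outbound(self, p):
        return self._first_match(self.outbound, p.dst_ip, p.dst_port, p.proto)


class SecurityGroup:
    """Stateful instance filter: allow rules only, any matching rule allows, and the
    reverse direction of a flow that was already allowed passes without a rule."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()  # (remote_ip, remote_port, local_port, proto)

    def _check(self, rules, remote_ip, remote_port, local_port, match_port, proto):
        key = (remote_ip, remote_port, local_port, proto)
        if key in self._flows:
            return True
        if any(_hits(r, remote_ip, match_port, proto) for r in rules):
            self._flows.add(key)
            return True
        return False

    def allows_inbound(self, p):
        return self._check(self.inbound, p.src_ip, p.src_port, p.dst_port, p.dst_port, p.proto)

    def allows_outbound(self, p):
        return self._check(self.outbound, p.dst_ip, p.dst_port, p.src_port, p.dst_port, p.proto)


def inbound(nacl, sg, p):
    """Traffic entering the subnet meets the NACL first, then the instance's security group."""
    if not nacl.allows_inbound(p):
        return "dropped by nacl"
    return "delivered" if sg.allows_inbound(p) else "dropped by sg"


def outbound(nacl, sg, p):
    """Traffic leaving the instance meets its security group first, then the subnet's NACL."""
    if not sg.allows_outbound(p):
        return "dropped by sg"
    return "delivered" if nacl.allows_outbound(p) else "dropped by nacl"


CLIENT, WEB = "203.0.113.10", "10.0.1.5"   # constructed addresses
REQUEST = Packet(CLIENT, 51515, WEB, 443)  # client's ephemeral port -> HTTPS on the web tier
REPLY = Packet(WEB, 443, CLIENT, 51515)    # the server's response back to that ephemeral port


def https_exchange(nacl):
    # Web tier SG: allow 443 from anywhere and no outbound rule at all;
    # the reply still passes the SG because the flow is tracked.
    sg = SecurityGroup(inbound=[SgRule("0.0.0.0/0", 443, 443)], outbound=[])
    req = inbound(nacl, sg, REQUEST)
    rep = outbound(nacl, sg, REPLY) if req == "delivered" else "no request to answer"
    return req, rep


def scenario_missing_ephemeral_ports():
    """Common mistake: NACL allows 443 both ways but not the 1024-65535 reply ports."""
    nacl = NetworkAcl(inbound=[NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
                      outbound=[NaclRule(100, "allow", "0.0.0.0/0", 443, 443)])
    return https_exchange(nacl)


def scenario_with_ephemeral_ports():
    nacl = NetworkAcl(inbound=[NaclRule(100, "allow", "0.0.0.0/0", 443, 443)],
                      outbound=[NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)])
    return https_exchange(nacl)


def scenario_deny_rule(deny_number):
    """A deny for the client's /24 only works if its number is lower than the broad allow at 100."""
    nacl = NetworkAcl(inbound=[NaclRule(100, "allow", "0.0.0.0/0", 443, 443),
                               NaclRule(deny_number, "deny", "203.0.113.0/24", 443, 443)],
                      outbound=[NaclRule(100, "allow", "0.0.0.0/0", 1024, 65535)])
    return https_exchange(nacl)


if __name__ == "__main__":
    print("no ephemeral rule:", scenario_missing_ephemeral_ports())
    print("with ephemeral   :", scenario_with_ephemeral_ports())
    print("deny at 200      :", scenario_deny_rule(200))
    print("deny at 90       :", scenario_deny_rule(90))
```

Running it shows the request reaching the instance but its reply dying at the NACL when the outbound ephemeral range is missing, the same reply passing once 1024-65535 is allowed outbound, and the /24 deny only taking effect when numbered below the allow. The security group never needed an outbound rule for the reply because it tracks the flow; the NACL needed one because it does not.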