AWS ACL vs security group

Security Group
A security group acts as a virtual firewall for an EC2 instance. It has separate inbound and outbound rules, and for a new security group all inbound traffic is blocked by default. If the group does not allow a particular protocol, nobody can reach our instances over that protocol: everything that is not explicitly allowed is denied, so you stop traffic simply by not adding a rule for it. Multiple security groups can be attached to one EC2 instance. We cannot block a specific IP address with a security group; for that we use a network access control list. Any edit to a security group rule takes effect immediately.

Network Access Control List (Network ACL)
Every VPC comes with a modifiable default network ACL that allows all inbound and outbound IPv4 traffic. A custom network ACL that we create ourselves denies all inbound and outbound traffic until rules are added. A network ACL is stateless and has separate inbound and outbound rules, with a default limit of 20 rules for each direction; rules are evaluated starting with the lowest-numbered rule. Every subnet in the VPC must be associated with a network ACL, one subnet to one network ACL at a time. It supports both allow rules and deny rules and operates at the subnet level.

Difference between Security Group and Network ACL
Security Group
*A security group operates at the instance level.
*It supports only allow rules.
*It is stateful: when we create an inbound or an outbound rule, the return traffic is allowed automatically.
*We cannot block a specific IP address using SGs, because they have no deny rules.
*All rules are evaluated before deciding whether to permit traffic.
*It is specified as part of the instance launch configuration.
*It applies to an instance only when someone specifies the security group when launching the instance, or associates the instance with the security group afterwards.

Network Access Control List
*A network ACL operates at the subnet level.
*It supports both allow rules and deny rules.
*It is stateless: return traffic must be allowed explicitly.
*We can block a specific IP address using a NACL.
*Rules are processed in number order when deciding whether to allow traffic.
*It is assigned to a subnet and covers all instances in that subnet.
*It does not depend on the user: it automatically applies to all instances in the associated subnet.
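To make the two comparison lists concrete, here is a small Python model of the evaluation semantics described above. It is an added example written for this page, not AWS code: it implements only what the page states (a stateful, allow-only security group that evaluates every rule, versus a stateless network ACL with numbered allow/deny rules that stops at the first match) and runs it against a constructed web-server scenario with made-up addresses (10.0.1.10, 203.0.113.5, 198.51.100.7), so the "cannot block one IP with an SG", "return traffic needs an explicit NACL rule" and "rule number order matters" points can be checked offline.

```python
"""Toy model of AWS security groups vs network ACLs (constructed example, not AWS code).

Only the semantics discussed on the page are modelled: security groups are
instance-level, allow-only and stateful and evaluate every rule; network ACLs
are subnet-level, allow/deny, stateless, and walk rules in number order with
an implicit final deny.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str       # source IP
    sport: int     # source port
    dst: str       # destination IP
    dport: int     # destination port
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    """One rule; 'number' only matters for network ACLs (lowest evaluated first)."""
    action: str      # "allow" or "deny" (deny is never valid in a security group)
    proto: str       # "tcp", "udp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str
    number: int = 0

    def matches(self, proto: str, port: int, addr: str) -> bool:
        return (self.proto in (proto, "-1")
                and self.from_port <= port <= self.to_port
                and ip_address(addr) in ip_network(self.cidr))


class SecurityGroup:
    """Instance level, allow rules only, stateful: every rule is evaluated and any
    match permits; replies to tracked connections pass without any rule."""

    def __init__(self, inbound: list, outbound: list):
        if any(r.action != "allow" for r in inbound + outbound):
            raise ValueError("security groups support allow rules only")
        self.inbound, self.outbound = inbound, outbound
        self.tracked: set = set()   # (src, sport, dst, dport) of permitted flows

    def _is_reply(self, pkt: Packet) -> bool:
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.tracked

    def allows_inbound(self, pkt: Packet) -> bool:
        # inbound rules match the destination port and the *source* address
        if self._is_reply(pkt) or any(r.matches(pkt.proto, pkt.dport, pkt.src) for r in self.inbound):
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False   # anything not explicitly allowed is denied

    def allows_outbound(self, pkt: Packet) -> bool:
        # outbound rules match the destination port and the *destination* address
        if self._is_reply(pkt) or any(r.matches(pkt.proto, pkt.dport, pkt.dst) for r in self.outbound):
            self.tracked.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False


class NetworkAcl:
    """Subnet level, allow and deny rules, stateless: rules are walked in number
    order, the first match decides, and the implicit '*' rule denies the rest."""

    def __init__(self, inbound: list, outbound: list):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _first_match(rules: list, proto: str, port: int, addr: str) -> bool:
        for r in rules:
            if r.matches(proto, port, addr):
                return r.action == "allow"
        return False   # implicit final deny

    def allows_inbound(self, pkt: Packet) -> bool:
        return self._first_match(self.inbound, pkt.proto, pkt.dport, pkt.src)

    def allows_outbound(self, pkt: Packet) -> bool:
        return self._first_match(self.outbound, pkt.proto, pkt.dport, pkt.dst)


# Constructed scenario: a web server behind both layers (addresses are made up).
WEB, CLIENT, NOISY = "10.0.1.10", "203.0.113.5", "198.51.100.7"


def web_security_group() -> SecurityGroup:
    # outbound deliberately empty to show that replies still pass (stateful)
    return SecurityGroup(inbound=[Rule("allow", "tcp", 80, 80, "0.0.0.0/0")], outbound=[])


def subnet_acl(deny_number: int = 90, allow_ephemeral: bool = True) -> NetworkAcl:
    out = [Rule("allow", "tcp", 1024, 65535, "0.0.0.0/0", number=100)] if allow_ephemeral else []
    return NetworkAcl(
        inbound=[Rule("deny", "tcp", 0, 65535, NOISY + "/32", number=deny_number),
                 Rule("allow", "tcp", 80, 80, "0.0.0.0/0", number=100)],
        outbound=out)


def evaluate() -> dict:
    """Run the scenario and return each verdict (True = allowed)."""
    sg, acl = web_security_group(), subnet_acl()
    req = lambda src: Packet(src, 45000, WEB, 80)    # client -> web:80
    reply = lambda dst: Packet(WEB, 80, dst, 45000)  # web:80 -> client
    return {
        "sg_request": sg.allows_inbound(req(CLIENT)),
        "sg_reply": sg.allows_outbound(reply(CLIENT)),          # stateful: no outbound rule needed
        "sg_noisy": sg.allows_inbound(req(NOISY)),              # SG cannot single out one IP
        "acl_noisy": acl.allows_inbound(req(NOISY)),            # deny 90 fires before allow 100
        "acl_client": acl.allows_inbound(req(CLIENT)),
        "acl_reply": acl.allows_outbound(reply(CLIENT)),        # needs the ephemeral-port rule
        "acl_reply_no_ephemeral": subnet_acl(allow_ephemeral=False).allows_outbound(reply(CLIENT)),
        "acl_noisy_late_deny": subnet_acl(deny_number=110).allows_inbound(req(NOISY)),
    }


if __name__ == "__main__":
    for name, verdict in evaluate().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DENY'}")
```

Running it shows the security group passing the reply with no outbound rule and admitting the noisy host, while the network ACL blocks that host only when its deny rule is numbered below the allow rule, and drops the server's reply the moment the outbound ephemeral-port rule is missing.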
