Master stateful vs stateless firewall logic — the concept that separates passing candidates from failing ones
Stateful instance-level shield vs stateless subnet-level gatekeeper
| Feature | Security Groups (stateful firewall for EC2 instances) | NACLs (stateless firewall for VPC subnets) | Exam note |
|---|---|---|---|
| State Behavior | STATEFUL — return traffic is automatically allowed regardless of outbound rules | STATELESS — return traffic must be explicitly allowed via a separate outbound rule | This is the #1 tested concept. If inbound is allowed on an SG, the response traffic flows back automatically. On NACLs, you MUST add an outbound rule for ephemeral ports (1024–65535) to allow return traffic. |
| Applies To | Individual ENIs (Elastic Network Interfaces) — effectively per instance/resource | Entire subnet — all resources within the subnet are affected | SGs attach to ENIs, not EC2 instances directly. One ENI can have multiple SGs. NACLs apply at the subnet boundary — traffic entering or leaving the subnet is evaluated. |
| Rule Types | ALLOW rules only — you cannot create explicit DENY rules | Both ALLOW and DENY rules — explicit deny is possible and evaluated by rule number | CRITICAL: If you need to block a specific IP address, you MUST use a NACL — Security Groups cannot explicitly deny traffic. This is a frequent exam scenario. |
| Rule Evaluation Order | All rules evaluated together — most permissive match wins (no ordering) | Rules evaluated in ascending numeric order — first match wins, then processing stops | On NACLs, if rule #100 allows port 80 and rule #200 denies port 80, port 80 IS allowed because rule #100 is matched first. Rule ordering matters critically. |
| Default Behavior (New Resource) | Default SG: allows all outbound, denies all inbound. Custom SG: denies all inbound AND outbound until rules are added | Default NACL: allows ALL inbound and outbound traffic. Custom NACL: denies ALL inbound and outbound traffic | TRAP: A newly created custom NACL denies everything by default — the opposite of the default NACL. Many candidates confuse these two behaviors. |
| Scope of Protection | Micro-segmentation — granular per-resource control within a subnet | Macro-segmentation — broad subnet-level control, useful as a perimeter defense layer | Use NACLs as the first line of defense at the subnet boundary and SGs as the second line at the resource level. A defense-in-depth architecture uses BOTH. |
| Number of Rules | Up to 60 inbound and 60 outbound rules per security group (default, adjustable) | Up to 20 inbound and 20 outbound rules per NACL (default, adjustable) | SGs support more rules by default. NACLs have fewer rules but cover an entire subnet, so they scale differently. Check the AWS quotas page for current adjustable limits. |
| Number per VPC / Association | Up to 2,500 security groups per VPC (default). Up to 5 SGs per ENI (default, adjustable) | Up to 200 NACLs per VPC (default). Each subnet can be associated with exactly ONE NACL at a time | A subnet can only have ONE NACL. If you associate a new NACL with a subnet, the previous association is automatically removed. |
| Ephemeral Port Handling | Handled automatically due to stateful nature — no ephemeral port rules needed | Must explicitly allow the ephemeral port range (1024–65535) in outbound rules for return traffic to clients | CRITICAL exam trap: Forgetting ephemeral ports on NACL outbound rules is the #1 reason NACLs appear 'broken' in scenario questions. Linux uses 32768–60999, Windows uses 49152–65535 — AWS recommends allowing 1024–65535 to cover all clients. |
| Supports IPv6 | Yes — IPv4 and IPv6 rules are configured separately within the same SG | Yes — IPv4 and IPv6 rules are configured separately within the same NACL | Both support IPv6, but rules are NOT automatically mirrored. Adding an IPv4 allow rule does NOT create a corresponding IPv6 rule — you must add both explicitly. |
| Logging / Visibility | Not directly logged, but VPC Flow Logs capture traffic at the ENI level, showing SG-affected traffic | Not directly logged, but VPC Flow Logs at the subnet level capture NACL-rejected traffic | VPC Flow Logs capture ACCEPTED and REJECTED traffic. For security auditing, Flow Logs are your visibility tool for both SGs and NACLs. NACL-rejected traffic appears as REJECT in Flow Logs. |
| Use Case: Block Specific IP | CANNOT block a specific IP — no DENY rules available | YES — add a DENY rule with the specific IP CIDR before any ALLOW rules | Scenario: 'Block a known malicious IP from accessing your VPC' → ALWAYS use a NACL. This is a definitive exam question pattern. |
| Use Case: Allow Traffic Between Instances | YES — reference another SG as a source/destination (no need to know IP addresses) | Requires CIDR ranges — cannot reference SGs or other NACLs | SG-to-SG referencing is a powerful feature: allow inbound from SG-WebTier to SG-AppTier without knowing any IP addresses. This is the recommended pattern for multi-tier architectures. |
| Changes Take Effect | Immediately — existing connections are evaluated against updated rules | Immediately — but the stateless nature means existing flows may be disrupted | Both apply changes immediately. However, because SGs are stateful, an existing allowed TCP connection remains open even if you remove the inbound rule mid-session. NACLs, being stateless, may drop existing sessions. |
| Association Flexibility | One SG can be applied to multiple ENIs across multiple instances/services | One NACL can be associated with multiple subnets, but one subnet has only one NACL | SGs are reusable across resources. NACLs are reusable across subnets. Both support many-to-one relationships in their respective direction. |
| Supported AWS Services | EC2, RDS, ElastiCache, ELB, Lambda (VPC), ECS, EKS, OpenSearch, Redshift, and more ENI-attached services | Any resource within a VPC subnet — applies at the network layer regardless of service type | NACLs protect everything in a subnet, including resources that don't support SGs directly. SGs require the service to support ENI attachment. |
| Pricing | No additional charge — included in VPC at no extra cost | No additional charge — included in VPC at no extra cost | Both are free. Cost optimization questions will never suggest removing SGs or NACLs to save money. The cost consideration is operational complexity, not AWS billing. |
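The rows on state behavior, rule evaluation order, default behavior and ephemeral ports describe four distinct evaluation rules. The following Python model, added here as an illustration and not AWS code or anything from the CertAI page, implements each of them so the exam scenarios can be replayed on a constructed HTTP request and its reply: a Security Group is ALLOW-only and tracks flows, so the reply is admitted with no outbound rule; a NACL is ordered, first match wins, has an implicit final deny, and judges the reply purely against its outbound rules. All IP addresses, ports and rule numbers are constructed sample values.

```python
"""Toy model of Security Group (stateful, ALLOW only) versus Network ACL
(stateless, numbered ALLOW/DENY, first match wins) packet evaluation.
Added example, not AWS code; addresses and ports are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "inbound" or "outbound", relative to the protected resource


@dataclass(frozen=True)
class Rule:
    cidr: str
    proto: str             # "tcp", "udp" or "all"
    port_from: int
    port_to: int
    action: str = "allow"  # NACLs may also use "deny"; SGs never do
    number: int = 0        # NACL rule number (evaluation order); ignored by SGs

    def matches(self, pkt: Packet) -> bool:
        # The CIDR describes the remote side: source for inbound, destination for outbound.
        peer = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
        return (ip_address(peer) in ip_network(self.cidr)
                and self.proto in ("all", pkt.proto)
                and self.port_from <= pkt.dst_port <= self.port_to)


class SecurityGroup:
    """Stateful: any matching ALLOW rule admits the packet, and the reply of an
    admitted flow is allowed without consulting the other direction's rules."""

    def __init__(self, inbound=(), outbound=()):
        if any(r.action != "allow" for r in (*inbound, *outbound)):
            raise ValueError("security groups support ALLOW rules only")
        self.inbound, self.outbound = list(inbound), list(outbound)
        self.tracked = set()  # 5-tuples of flows already admitted

    def evaluate(self, pkt: Packet) -> str:
        reverse = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
        if reverse in self.tracked:
            return "allow"  # connection tracking: this is return traffic
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        if any(r.matches(pkt) for r in rules):
            self.tracked.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
            return "allow"
        return "deny"  # implicit deny: no ALLOW rule matched


class NetworkAcl:
    """Stateless: rules are checked in ascending number order, the first match
    wins, and the implicit final '*' rule denies. No flow tracking at all."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt: Packet) -> str:
        rules = self.inbound if pkt.direction == "inbound" else self.outbound
        for r in rules:
            if r.matches(pkt):
                return r.action
        return "deny"


ANY = "0.0.0.0/0"
ALLOW_ALL = Rule(ANY, "all", 0, 65535, "allow", 100)
EPHEMERAL_OUT = Rule(ANY, "tcp", 1024, 65535, "allow", 100)  # AWS-recommended return range


def http_exchange(fw, client_ip="203.0.113.10", server_ip="10.0.1.5"):
    """(request verdict, reply verdict) for one request to TCP/80 and the
    server's reply to the client's ephemeral port. Constructed sample flow."""
    request = Packet(client_ip, 51234, server_ip, 80, "tcp", "inbound")
    reply = Packet(server_ip, 80, client_ip, 51234, "tcp", "outbound")
    return fw.evaluate(request), fw.evaluate(reply)


def sg_accepts_deny_rule() -> bool:
    """Security Groups have no DENY: building one with a deny rule fails."""
    try:
        SecurityGroup(inbound=[Rule("203.0.113.0/24", "all", 0, 65535, "deny")])
        return True
    except ValueError:
        return False


def scenarios():
    """The exam scenarios from the table, keyed by name."""
    web_in = Rule(ANY, "tcp", 80, 80, "allow", 100)
    return {
        # Stateful SG: the reply is admitted although the SG has no outbound rule
        "sg_stateful": http_exchange(SecurityGroup(inbound=[web_in])),
        # Stateless NACL without the ephemeral rule: request in, reply dropped
        "nacl_missing_ephemeral": http_exchange(NetworkAcl(inbound=[web_in])),
        # The same NACL once the outbound ephemeral rule is added
        "nacl_with_ephemeral": http_exchange(NetworkAcl(inbound=[web_in], outbound=[EPHEMERAL_OUT])),
        # Rule #100 allows port 80 and #200 denies it: first match (#100) wins
        "nacl_ordering": http_exchange(NetworkAcl(
            inbound=[Rule(ANY, "tcp", 80, 80, "deny", 200), web_in], outbound=[EPHEMERAL_OUT])),
        # Block one CIDR: the DENY must carry a lower number than the ALLOW.
        # The reply verdict is still "allow" because a NACL evaluates each
        # direction independently; it never knows the request was dropped.
        "nacl_block_ip": http_exchange(NetworkAcl(
            inbound=[Rule("203.0.113.0/24", "all", 0, 65535, "deny", 50), web_in],
            outbound=[EPHEMERAL_OUT])),
        # Default NACL allows everything; a new custom NACL has no rules and denies everything
        "default_nacl": http_exchange(NetworkAcl(inbound=[ALLOW_ALL], outbound=[ALLOW_ALL])),
        "custom_nacl_empty": http_exchange(NetworkAcl()),
    }


if __name__ == "__main__":
    for name, (req, rep) in scenarios().items():
        print(f"{name:24s} request={req:5s} reply={rep}")
```

The `nacl_missing_ephemeral` and `nacl_with_ephemeral` pair is the troubleshooting case the table warns about: the only difference between "request arrives, response never does" and a working service is the single outbound rule for 1024–65535.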
Summary
Security Groups are stateful, instance-level firewalls that support only ALLOW rules and automatically handle return traffic — ideal for micro-segmentation and service-to-service access control. NACLs are stateless, subnet-level firewalls that support both ALLOW and DENY rules and require explicit rules for return traffic — ideal for blocking specific IP ranges and providing a perimeter defense layer. Best practice is to use BOTH together: NACLs as the outer defense at subnet boundaries and Security Groups as the inner defense at the resource level.
🎯 Decision Tree
- Need to BLOCK a specific IP/CIDR? → Use NACL (SGs cannot DENY).
- Need to allow traffic between two services without knowing IPs? → Use SG referencing.
- Traffic not returning to the client? → Check NACL outbound ephemeral port rules (1024-65535).
- Need subnet-wide protection? → NACL.
- Need per-instance granular control? → SG.
- Defense-in-depth required? → Use BOTH.
- New custom NACL created and nothing works? → Remember custom NACLs deny ALL by default — add rules.
STATEFUL vs STATELESS is the master concept: Security Groups are stateful (return traffic automatic), NACLs are stateless (return traffic needs explicit outbound rule for ephemeral ports 1024-65535). If a scenario describes 'traffic going in but not coming back' and a NACL is involved, the answer is almost always 'add outbound rule for ephemeral ports.'
Only NACLs can BLOCK (DENY) specific IP addresses. Security Groups have no DENY capability — they only ALLOW. Any exam question asking you to 'block a malicious IP' or 'prevent a specific CIDR from accessing your subnet' requires a NACL solution, not a Security Group change.
Custom NACLs DENY ALL by default — the opposite of the default NACL which ALLOWS ALL. When a scenario says 'created a new NACL and associated it with a subnet, now nothing works,' the answer is that you need to add explicit ALLOW rules. This is a classic exam trap that catches unprepared candidates.
Security Group referencing (using another SG as source/destination) is the preferred pattern for multi-tier architectures. It eliminates IP address management and automatically adapts when instances scale. In exam scenarios involving auto-scaling or dynamic IP environments, SG-to-SG referencing is almost always the correct answer over CIDR-based rules.
Defense-in-depth questions will always use BOTH SGs and NACLs together. NACLs at the subnet level for broad IP blocking and perimeter control; SGs at the ENI level for granular service-to-service access. If an exam answer suggests using ONLY one of them for a security-sensitive workload, it is likely wrong.
VPC Flow Logs are the visibility layer for BOTH SGs and NACLs. They show ACCEPT and REJECT records. NACL-denied traffic appears as REJECT in Flow Logs. SG-denied traffic also appears as REJECT. This is the go-to answer for 'how do you audit or troubleshoot network traffic' questions involving either service.
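Since the table's logging row and the paragraph above both make VPC Flow Logs the audit tool for SG and NACL decisions, here is a small parser for the default flow log record format, added as an example (not AWS tooling or code from the CertAI page). It reads version-2 records in the default field order, counts REJECT records per ENI and destination port, and applies a heuristic for the stateless-NACL symptom: an ACCEPTed inbound flow whose reverse flow (addresses and ports swapped, destination port in 1024–65535) is REJECTed. The log lines, account id and ENI id are constructed sample data, and the "rejected reply" rule is a heuristic of this example, not an AWS-documented field.

```python
"""Parse default-format VPC Flow Log records and summarize REJECT decisions.
Added example with constructed sample records; not AWS code."""
from collections import Counter
from dataclasses import dataclass

# Field order of the default (version 2) flow log format.
FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample records: an HTTP request accepted at the ENI, its reply
# rejected (the signature of a NACL with no outbound ephemeral rule), an SSH
# probe rejected, and a NODATA record with no flow fields.
SAMPLE_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.10 10.0.1.5 51234 80 6 5 420 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.5 203.0.113.10 80 51234 6 3 180 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.5 40000 22 6 2 120 1700000000 1700000060 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000000 1700000060 - NODATA
"""


@dataclass(frozen=True)
class FlowRecord:
    interface_id: str
    srcaddr: str
    dstaddr: str
    srcport: int
    dstport: int
    protocol: int   # IANA protocol number, 6 = TCP
    action: str     # "ACCEPT" or "REJECT"


def parse_flow_log(text: str) -> list:
    """Return FlowRecords for every well-formed version-2 record with log-status OK."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS) or parts[0] != "2":
            continue  # blank line or a custom format this parser does not handle
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue  # NODATA / SKIPDATA records carry '-' in the flow fields
        records.append(FlowRecord(rec["interface_id"], rec["srcaddr"], rec["dstaddr"],
                                  int(rec["srcport"]), int(rec["dstport"]),
                                  int(rec["protocol"]), rec["action"]))
    return records


def rejects_by_port(records) -> Counter:
    """REJECT count per (ENI, destination port): the quick audit view."""
    return Counter((r.interface_id, r.dstport) for r in records if r.action == "REJECT")


def rejected_replies(records) -> list:
    """Heuristic (this example's own, not an AWS field): REJECTed records that
    are the exact reverse of an ACCEPTed flow and target an ephemeral port.
    On a subnet with a custom NACL, this is what a missing 1024-65535 outbound
    rule looks like."""
    accepted = {(r.srcaddr, r.srcport, r.dstaddr, r.dstport, r.protocol)
                for r in records if r.action == "ACCEPT"}
    hits = []
    for r in records:
        reverse = (r.dstaddr, r.dstport, r.srcaddr, r.srcport, r.protocol)
        if r.action == "REJECT" and reverse in accepted and 1024 <= r.dstport <= 65535:
            hits.append(r)
    return hits


if __name__ == "__main__":
    recs = parse_flow_log(SAMPLE_LOG)
    for (eni, port), n in sorted(rejects_by_port(recs).items()):
        print(f"{eni} dstport={port} rejects={n}")
    for r in rejected_replies(recs):
        print(f"reply {r.srcaddr}:{r.srcport} -> {r.dstaddr}:{r.dstport} rejected; "
              "check the subnet NACL outbound ephemeral rule")
```

Run against real logs delivered to S3 or CloudWatch Logs in the default format, the same functions apply line by line; records in a custom format with reordered fields would need `FIELDS` adjusted to match.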
For Internet Gateway, NAT Gateway, and Network Load Balancer integration: NACLs affect traffic at the subnet boundary BEFORE it reaches the resource. If you're blocking traffic to a public subnet with an NLB, the NACL on that subnet affects ALL traffic entering, including health checks. Forgetting to allow health check traffic in NACLs is a common architecture mistake tested on SAP-C02 and SCS-C02.
A single subnet can only be associated with ONE NACL (hard limit). However, one NACL can protect MULTIPLE subnets. This asymmetry is tested: you cannot apply two NACLs to one subnet, but you can share one NACL across many subnets for consistent policy enforcement.
The #1 exam trap: Forgetting that NACLs are STATELESS means return traffic requires explicit outbound rules for ephemeral ports (1024-65535). A scenario describes 'HTTP request reaches the server but response never arrives' with a custom NACL in place — the answer is always 'add an outbound NACL rule allowing TCP ports 1024-65535.' Candidates who memorize 'NACLs are stateless' without understanding the ephemeral port implication consistently choose wrong answers on NACL troubleshooting questions.
CertAI Tutor · CLF-C02, SAP-C02, SCS-C02, DEA-C01, DOP-C02 · 2026-02-22