AWS Security Groups vs NACLs (2025): how traffic actually flows
Last updated: 20 Aug 2025
Short version: Use Security Groups (SGs) for almost everything. They’re stateful, attach to ENIs/instances, and scale cleanly. Keep NACLs simple or neutral; use them for coarse subnet-level controls or as a quick kill-switch.
What each thing does
| Property | Security Groups | NACLs |
|---|---|---|
| Scope | ENI/instance level | Subnet level |
| Stateful? | Yes (return traffic auto-allowed) | No (stateless; rules needed in both directions) |
| Rule order | No priority; all rules evaluated, any matching allow wins | Ordered by rule number; first match wins |
| Defaults | Inbound deny (no rules), outbound allow (typical) | Inbound/outbound allow until you change it |
| Use cases | Primary policy: who can talk to what | Subnet guardrail, blast-radius limit, emergency block |
Patterns that work
- Tiered SGs: web → app → db. Web SG allows 80/443 from ALB only; app SG allows from web SG; db SG allows from app SG on its port.
- Environment isolation: SGs reference SGs (not CIDRs) wherever possible. Easier to reason about than IP ranges.
- NACLs neutral: default-allow in both directions (or a minimal denylist). Let SGs do the heavy lifting.
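The tiered pattern above is easy to describe and easy to drift away from (someone adds a CIDR rule to the DB group "just for now"). The audit below, an added example that is not from the original post, checks a set of groups against an assumed tier map (`TIER_MAP`, with constructed group ids `sg-alb`, `sg-web`, `sg-app`, `sg-db`) and flags inbound rules that use CIDR sources, unexpected SG references, or all-traffic. The input is shaped like the `IpPermissions` structure that `describe-security-groups` returns; the values are constructed for the example.

```python
"""Audit Security Groups against a web -> app -> db tier map.
Added example; not AWS code. Group ids and the tier map are assumptions,
and the sample groups below are constructed (shaped like describe-security-groups)."""

# Assumed tiering: which SG ids may appear as the *source* of inbound rules.
TIER_MAP = {
    "sg-web": {"sg-alb"},
    "sg-app": {"sg-web"},
    "sg-db": {"sg-app"},
}


def _ports(perm):
    """Render a permission's port range; '-1' protocol means all traffic."""
    if perm.get("IpProtocol") == "-1":
        return "all"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{lo}" if lo == hi else f"{lo}-{hi}"


def audit_tiers(groups, tier_map=TIER_MAP):
    """Return (group_id, severity, message) findings for inbound rules that
    break the tier pattern: CIDR sources, unexpected SG sources, all-traffic."""
    findings = []
    for g in groups:
        gid = g["GroupId"]
        if gid not in tier_map:          # groups outside the tier map are out of scope
            continue
        allowed_sources = tier_map[gid]
        for perm in g.get("IpPermissions", []):
            ports = _ports(perm)
            if ports == "all":
                findings.append((gid, "high", "allows all protocols/ports inbound"))
            for rng in perm.get("IpRanges", []):
                cidr = rng["CidrIp"]
                sev = "high" if cidr == "0.0.0.0/0" else "medium"
                findings.append((gid, sev,
                                 f"inbound {ports} from CIDR {cidr}; tier rules should reference SGs"))
            for pair in perm.get("UserIdGroupPairs", []):
                src = pair["GroupId"]
                if src not in allowed_sources:
                    findings.append((gid, "medium", f"inbound {ports} from unexpected SG {src}"))
    return findings


# Constructed sample: the web tier is clean, app has a CIDR SSH rule, db is exposed.
SAMPLE_GROUPS = [
    {"GroupId": "sg-alb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-web", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-alb"}]}]},
    {"GroupId": "sg-app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8080, "ToPort": 8080,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "UserIdGroupPairs": []}]},
    {"GroupId": "sg-db", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": [{"GroupId": "sg-app"}]}]},
]

if __name__ == "__main__":
    for gid, sev, msg in audit_tiers(SAMPLE_GROUPS):
        print(f"{sev:6} {gid}: {msg}")
```

The ALB group is deliberately outside the tier map: it is the one group that legitimately takes a CIDR source, so it is not judged by the same rule. In practice you would feed the function the output of a real `describe-security-groups` call and keep the tier map alongside your infrastructure code.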
When to use a NACL
- Emergency block at subnet edge (e.g., deny all to a compromised segment).
- Guardrail to prevent accidental exposure (e.g., deny 0.0.0.0/0 to DB subnets).
- Very specific compliance constraints at the subnet boundary.
Ephemeral ports: the common trap
NACLs are stateless, so the return half of every connection must be allowed explicitly, which means opening the ephemeral port range in the opposite direction. If you insist on restrictive NACLs, allow the appropriate ephemeral range (e.g., 1024–65535) on the return path. SGs don’t have this issue because they’re stateful.
Debugging “mystery drops”
- Check SG references (is the source SG correct?).
- Look at NACL order and hit counts; first-match can surprise you.
- Confirm routing (NAT/IGW/VGW) and that the flow stays within the expected subnets.
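The three behaviours this page turns on (SGs are stateful and any-match, NACLs are stateless and first-match, and the ephemeral-port trap that follows from the second) are easier to see in a small model than in the console. The block below is an added example, not AWS code or anything from the original post: it walks one constructed request/response pair (client 203.0.113.5 to a web instance 10.0.1.10:443) through a `SecurityGroup` and a `NetworkAcl` class that implement the rules from the table, and prints per-hop verdicts with the rule that decided each, which is the "which rule matched" view the debugging list above asks for. Rule shapes are simplified; the three NACLs are constructed to show the naive case, the ephemeral fix, and a low-numbered deny shadowing a later allow.

```python
"""Model of how a Security Group (stateful, any-match allow list) and a
NACL (stateless, ordered, first match wins) evaluate a TCP request and its
response. Added example; not AWS code. Rule shapes are simplified."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny" (SGs only ever carry "allow")
    cidr: str          # remote side of the flow
    port_lo: int
    port_hi: int
    number: int = 0    # NACL rule number; unused for SGs


def _matches(rule, remote_ip, dst_port):
    return (ip_address(remote_ip) in ip_network(rule.cidr)
            and rule.port_lo <= dst_port <= rule.port_hi)


class SecurityGroup:
    """Stateful: a packet belonging to a connection that was already admitted
    is allowed without consulting rules. No ordering, no explicit deny."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound
        self.tracked = set()

    def evaluate(self, pkt, direction):
        key = (pkt.src, pkt.src_port, pkt.dst, pkt.dst_port)
        reverse = (pkt.dst, pkt.dst_port, pkt.src, pkt.src_port)
        if reverse in self.tracked:
            return "allow", "stateful return traffic"
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if _matches(r, remote, pkt.dst_port):
                self.tracked.add(key)
                return "allow", f"rule {r.cidr} {r.port_lo}-{r.port_hi}"
        return "deny", "no matching allow rule (implicit deny)"


class NetworkAcl:
    """Stateless: every packet in both directions walks the list in rule-number
    order; the first match decides and the trailing '*' rule denies the rest."""
    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    def evaluate(self, pkt, direction):
        rules = self.inbound if direction == "in" else self.outbound
        remote = pkt.src if direction == "in" else pkt.dst
        for r in rules:
            if _matches(r, remote, pkt.dst_port):
                return r.action, f"rule #{r.number}"
        return "deny", "implicit * deny"


def trace_flow(acl, sg, request, response):
    """Walk the request (inbound) then the response (outbound) through NACL and SG.
    Returns one (direction, layer, verdict, reason) tuple per hop, stopping at a deny."""
    steps = []
    for pkt, direction in ((request, "in"), (response, "out")):
        hops = [("nacl", acl), ("sg", sg)]
        if direction == "out":
            hops.reverse()       # outbound leaves the ENI first, then the subnet
        for name, layer in hops:
            verdict, why = layer.evaluate(pkt, direction)
            steps.append((direction, name, verdict, why))
            if verdict == "deny":
                return steps
    return steps


# Constructed scenario: client/ALB 203.0.113.5 -> web instance 10.0.1.10:443.
CLIENT, WEB = "203.0.113.5", "10.0.1.10"
REQUEST = Packet(CLIENT, WEB, 51234, 443)
RESPONSE = Packet(WEB, CLIENT, 443, 51234)


def make_web_sg():
    """Fresh SG per scenario so connection tracking does not leak between runs."""
    return SecurityGroup(inbound=[Rule("allow", "203.0.113.0/24", 443, 443)],
                         outbound=[Rule("allow", "0.0.0.0/0", 0, 65535)])


# NACL written as if it were stateful: 443 both ways, nothing for the return path.
NAIVE_ACL = NetworkAcl(inbound=[Rule("allow", "0.0.0.0/0", 443, 443, number=100)],
                       outbound=[Rule("allow", "0.0.0.0/0", 443, 443, number=100)])
# Same NACL with the ephemeral range opened on the return path.
FIXED_ACL = NetworkAcl(inbound=[Rule("allow", "0.0.0.0/0", 443, 443, number=100)],
                       outbound=[Rule("allow", "0.0.0.0/0", 1024, 65535, number=100)])
# First-match surprise: a low-numbered deny shadows the allow that follows it.
SHADOWED_ACL = NetworkAcl(inbound=[Rule("deny", "203.0.113.0/24", 0, 65535, number=50),
                                   Rule("allow", "0.0.0.0/0", 443, 443, number=100)],
                          outbound=[Rule("allow", "0.0.0.0/0", 1024, 65535, number=100)])

if __name__ == "__main__":
    for label, acl in (("naive", NAIVE_ACL), ("fixed", FIXED_ACL), ("shadowed", SHADOWED_ACL)):
        print(label, trace_flow(acl, make_web_sg(), REQUEST, RESPONSE))
```

In the naive run the request gets in and the SG happily allows the response as tracked return traffic, then the NACL drops it on the outbound leg because the client's ephemeral port is not in any outbound rule: that is the mystery drop, and it is invisible if you only look at the SG. The shadowed run never reaches the SG at all, which is why checking NACL order comes before checking SG references when the SG looks correct. The trailing implicit deny is modelled explicitly because a NACL you create from scratch starts with only that rule.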
Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.
With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.