NACLs vs Security Groups
When each.
Overview
Network ACLs and Security Groups are two layers of AWS network control, and using them well means knowing which one to reach for. Both exist for a reason; the discipline is using SGs as the default stateful per-ENI firewall and NACLs as the subnet-level stateless backstop for IP-based blocks.
- When each. NACLs apply at the subnet boundary; SGs apply per ENI. Both layers are always in the path: every subnet has a NACL (the default one allows everything) and every ENI has at least one SG, so a packet is evaluated by both whether or not anyone has written rules for them.
- Security Groups: stateful and allow-only. Return traffic for an admitted connection is implicitly allowed, so no outbound rule is needed for replies; this matches modern firewall behaviour and keeps rule counts small. An SG has no deny rule: anything no rule allows is dropped, and nothing an allow rule admits can be blocked at this layer.
- NACLs: stateless. Each direction needs explicit rules, including an outbound allow for the ephemeral port range (1024-65535) so replies can leave the subnet. Because NACLs can deny, they are the layer for blocking source IPs and cutting off abusive traffic during an incident. Caveat: the quota is small (20 rules per direction by default), and a NACL deny drops packets at the subnet boundary, not at the VPC edge, so it is a response tool against identifiable sources rather than volumetric DDoS mitigation.
- NACLs are number-ordered. Rules are evaluated in ascending rule number and the first match wins, ending in an implicit deny-all; a deny numbered above a broad allow never fires. With both layers active, inbound traffic must pass the NACL and then the SG, and the reply must pass the SG and then the NACL.
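The stateful/stateless and ordering behaviour above, as an added example that is not AWS code and not from this page: a small Python model that traces one request and its reply through a NACL and a security group. NaclRule, SgRule, SecurityGroup and request_and_reply are this example's own names, and the sample rules are constructed.

```python
"""Added example, not AWS code: a model of the two layers described above.
A NACL is stateless, evaluated in rule-number order with an implicit deny at the
end; a security group is stateful and allow-only. NaclRule, SgRule,
SecurityGroup and request_and_reply are this example's own names."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated in ascending order; first match wins
    action: str     # "allow" or "deny" (a NACL can deny, an SG cannot)
    cidr: str       # source CIDR on inbound rules, destination CIDR on outbound
    ports: tuple    # (from_port, to_port); (0, 65535) for all ports


def nacl_allows(rules, ip, port):
    """Stateless check of one direction. The first matching rule decides;
    the implicit '*' rule denies anything no numbered rule matched."""
    for r in sorted(rules, key=lambda r: r.number):
        if ip_address(ip) in ip_network(r.cidr) and r.ports[0] <= port <= r.ports[1]:
            return r.action == "allow"
    return False


@dataclass(frozen=True)
class SgRule:
    direction: str  # "ingress" or "egress"; SG rules are allow rules only
    cidr: str
    ports: tuple


class SecurityGroup:
    """Stateful: a reply to a flow admitted by an ingress rule is allowed out
    without any egress rule, because the SG tracks the connection."""

    def __init__(self, rules):
        self.rules = rules
        self.flows = set()  # (peer_ip, peer_port, local_port) of admitted flows

    def _match(self, direction, ip, port):
        return any(r.direction == direction
                   and ip_address(ip) in ip_network(r.cidr)
                   and r.ports[0] <= port <= r.ports[1]
                   for r in self.rules)

    def ingress(self, src_ip, src_port, dst_port):
        ok = self._match("ingress", src_ip, dst_port)
        if ok:
            self.flows.add((src_ip, src_port, dst_port))
        return ok

    def egress(self, dst_ip, dst_port, src_port):
        if (dst_ip, dst_port, src_port) in self.flows:
            return True  # tracked reply: implicitly allowed
        return self._match("egress", dst_ip, dst_port)


def request_and_reply(nacl_in, nacl_out, sg, client_ip, client_port, server_port):
    """Trace one TCP request into a subnet and its reply back out.
    Inbound order is NACL then SG; the reply is checked by SG then NACL."""
    steps = {}
    steps["nacl_in"] = nacl_allows(nacl_in, client_ip, server_port)
    steps["sg_in"] = steps["nacl_in"] and sg.ingress(client_ip, client_port, server_port)
    steps["sg_out"] = steps["sg_in"] and sg.egress(client_ip, client_port, server_port)
    steps["nacl_out"] = steps["sg_out"] and nacl_allows(nacl_out, client_ip, client_port)
    steps["delivered"] = steps["nacl_out"]
    return steps


# Constructed sample policy. Rule 90 denies an abusive /24 before the broad
# allow at 100; the outbound NACL needs an explicit ephemeral-port allow
# (1024-65535) because replies are not tracked at the subnet layer.
NACL_IN = [NaclRule(90, "deny", "203.0.113.0/24", (0, 65535)),
           NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]
NACL_OUT = [NaclRule(100, "allow", "0.0.0.0/0", (1024, 65535))]
NACL_OUT_NO_EPHEMERAL = [NaclRule(100, "allow", "0.0.0.0/0", (443, 443))]
SG_RULES = [SgRule("ingress", "0.0.0.0/0", (443, 443))]  # no egress rule needed for replies

if __name__ == "__main__":
    for client, nacl_out in [("198.51.100.7", NACL_OUT),                # normal client, delivered
                             ("203.0.113.9", NACL_OUT),                 # denied at the NACL by rule 90
                             ("198.51.100.7", NACL_OUT_NO_EPHEMERAL)]:  # reply dropped on the way out
        print(client, request_and_reply(NACL_IN, nacl_out, SecurityGroup(SG_RULES), client, 51000, 443))
```

The third case is the one that bites in practice: the request reaches the instance and the SG lets the reply out, but the stateless NACL drops the reply because nothing allows the client's ephemeral port. Renumbering the deny to 110 in NACL_IN shows the other failure mode: the allow at 100 matches first and the deny never fires.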
The approach
The practical approach: SGs as the default stateful firewall per ENI, NACLs for subnet-level IP blocking, both managed through IaC, with the per-VPC layering documented. That discipline produces real protection instead of permissive defaults.
- SGs by default. Per-ENI stateful allow rules, referencing other SGs rather than CIDRs where the peer is inside AWS; the modern AWS default for application-level network controls.
- NACLs for IP blocking. Subnet-level deny lists, numbered below the allow rules so they take precedence; the right tool for abuse blocking and DDoS response against identifiable sources, because an SG cannot express a deny.
- Layered defence. A packet must pass both layers before it reaches the ENI: a NACL deny blocks what an SG would have allowed, and an SG drops what the NACL let into the subnet.
- Documented layering, IaC managed. Per-VPC policy committed for review; Terraform-managed so every rule change is auditable and reproducible, and a console edit shows up as drift at the next plan.
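A pre-merge check for the "NACLs for IP blocking" and "IaC managed" points above, as an added example that is not the page's or any vendor's code: it reads `terraform show -json` output and flags a world-open sensitive port in an SG, a NACL deny shadowed by a lower-numbered broad allow, and a NACL with no egress rule for ephemeral ports. The plan fragment is constructed and uses the attribute names of the AWS provider's aws_security_group_rule and aws_network_acl_rule resources; SENSITIVE_PORTS, the check functions and the finding strings are this example's own.

```python
"""Added example, not the page's or any vendor's code: a pre-merge check over
`terraform show -json` output that flags the layering mistakes discussed above.
The plan below is a constructed subset using the attribute names of the AWS
provider's aws_security_group_rule and aws_network_acl_rule resources; the
check functions, SENSITIVE_PORTS and the finding strings are this example's own."""
import json
from collections import defaultdict

SENSITIVE_PORTS = {22, 3389, 3306, 5432}  # assumption: never world-open at the SG layer


def _after(plan, rtype):
    """Yield (address, planned attributes) for every resource of one type."""
    for rc in plan.get("resource_changes", []):
        after = rc.get("change", {}).get("after")
        if rc["type"] == rtype and after:
            yield rc["address"], after


def _ports(r):
    """Port range a rule covers; protocol -1 means all ports regardless of from/to."""
    return (0, 65535) if str(r["protocol"]) == "-1" else (int(r["from_port"]), int(r["to_port"]))


def _overlap(a, b):
    return a[0] <= b[1] and b[0] <= a[1]


def check_sg_rules(plan):
    """SGs are allow-only, so a 0.0.0.0/0 ingress on a sensitive port is an
    unconditional world-open listener at the ENI layer."""
    findings = []
    for addr, r in _after(plan, "aws_security_group_rule"):
        if r["type"] != "ingress" or "0.0.0.0/0" not in (r.get("cidr_blocks") or []):
            continue
        lo, hi = _ports(r)
        hit = sorted(p for p in SENSITIVE_PORTS if lo <= p <= hi)
        if hit:
            findings.append(f"{addr}: ingress from 0.0.0.0/0 covers sensitive port(s) {hit}")
    return findings


def check_nacl_rules(plan):
    """Stateless NACLs need an egress allow for ephemeral ports 1024-65535 so
    replies leave the subnet, and a deny must be numbered below any broad
    allow it is meant to pre-empt, because the lowest matching number wins."""
    findings = []
    by_acl = defaultdict(list)
    for addr, r in _after(plan, "aws_network_acl_rule"):
        by_acl[r["network_acl_id"]].append((addr, r))
    for acl, rules in by_acl.items():
        egress_allows = [r for _, r in rules if r["egress"] and r["rule_action"] == "allow"]
        if not any(_ports(r)[0] <= 1024 and _ports(r)[1] >= 65535 for r in egress_allows):
            findings.append(f"{acl}: no egress allow covering ephemeral ports 1024-65535; replies will be dropped")
        for direction in (False, True):  # False = inbound rules, True = outbound rules
            ordered = sorted((x for x in rules if x[1]["egress"] == direction),
                             key=lambda x: x[1]["rule_number"])
            for i, (addr, deny) in enumerate(ordered):
                if deny["rule_action"] != "deny":
                    continue
                shadow = next((a for _, a in ordered[:i] if a["rule_action"] == "allow"
                               and a["cidr_block"] == "0.0.0.0/0"
                               and _overlap(_ports(a), _ports(deny))), None)
                if shadow:
                    findings.append(f"{addr}: deny rule {deny['rule_number']} is shadowed by "
                                    f"allow rule {shadow['rule_number']} (lower number wins)")
    return findings


def lint_plan(plan):
    return check_sg_rules(plan) + check_nacl_rules(plan)


# Constructed plan fragment: an SSH rule open to the world, a deny numbered
# after the allow it should beat, and no ephemeral-port egress rule.
PLAN = json.loads("""{"resource_changes": [
 {"address": "aws_security_group_rule.web_https", "type": "aws_security_group_rule", "change": {"after":
   {"type": "ingress", "protocol": "tcp", "from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"], "security_group_id": "sg-web"}}},
 {"address": "aws_security_group_rule.web_ssh", "type": "aws_security_group_rule", "change": {"after":
   {"type": "ingress", "protocol": "tcp", "from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"], "security_group_id": "sg-web"}}},
 {"address": "aws_network_acl_rule.deny_abuser", "type": "aws_network_acl_rule", "change": {"after":
   {"network_acl_id": "acl-public", "rule_number": 110, "egress": false, "protocol": "-1", "rule_action": "deny", "cidr_block": "203.0.113.0/24", "from_port": 0, "to_port": 0}}},
 {"address": "aws_network_acl_rule.allow_https", "type": "aws_network_acl_rule", "change": {"after":
   {"network_acl_id": "acl-public", "rule_number": 100, "egress": false, "protocol": "tcp", "rule_action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 443, "to_port": 443}}},
 {"address": "aws_network_acl_rule.egress_https", "type": "aws_network_acl_rule", "change": {"after":
   {"network_acl_id": "acl-public", "rule_number": 100, "egress": true, "protocol": "tcp", "rule_action": "allow", "cidr_block": "0.0.0.0/0", "from_port": 443, "to_port": 443}}}
]}""")

if __name__ == "__main__":
    for f in lint_plan(PLAN):
        print("FAIL:", f)
```

Run it in CI against `terraform show -json tfplan` and fail the pipeline on any finding. Moving the deny to rule 90, adding an egress allow for 1024-65535 and dropping the world-open SSH rule brings the fragment above to zero findings; the shadow check deliberately only considers 0.0.0.0/0 allows, so narrower allows that happen to cover a deny's source still need a reviewer.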
Why this compounds
NACL/SG discipline compounds across VPCs. Each correct layering produces ongoing protection; the team’s networking expertise grows; new VPCs inherit the layering pattern from day one.
- Better security. Layered defence reduces blast radius; one overly permissive layer does not collapse the whole defence, because the other layer still has to allow the traffic.
- Better incident response. NACLs support fast IP blocking: a deny rule applies to every ENI in the associated subnets as soon as it is saved, so the abuse case has a deny tool that takes effect immediately, which an SG cannot offer.
- Better operational fit. Right layer for the use case; SG for application semantics, NACL for IP-based blocking.
- Institutional knowledge. Each rule teaches AWS networking; the team’s network security muscle grows.
NACL/SG discipline is an operational discipline that pays off across years. Nova AI Ops integrates with networking telemetry, surfaces patterns, and supports the team’s network security discipline.