Security groups and network ACLs
There are two main security features available for your Amazon VPC: network access control lists (network ACLs) and security groups.
Network ACLs
Network access control lists (network ACLs) are a security filter, similar to a stateless firewall, that filters traffic attempting to enter or leave a subnet. Network ACLs are attached at the subnet level. Every Amazon VPC, including the default VPC, is created with a default network ACL that allows all inbound and outbound traffic and is associated with every subnet that has not been explicitly associated with a custom network ACL; a custom network ACL starts with no allow rules, so it denies all traffic until rules are added. Rules carry a number and are evaluated in ascending order, with the first matching rule deciding and a final "*" rule denying anything unmatched, so an explicit deny for an address range must have a lower number than the broader allow it is meant to override. Because a network ACL is stateless, it does not remember connections: return traffic must be allowed by its own rule in the opposite direction, which in practice means allowing the ephemeral port range (1024-65535) outbound for replies to clients.
Network ACLs manage traffic entering or leaving a subnet because they are associated with the subnet, not with the resources inside it. They only evaluate traffic that crosses the subnet boundary.
If two Amazon EC2 instances in the same subnet communicate, the network ACL is not consulted at all, because that traffic never crosses the subnet boundary; only the instances' security groups filter it.
Security groups
Security groups are the other security feature of an Amazon VPC. Unlike network ACLs, security groups are attached to AWS resources, specifically to elastic network interfaces (ENIs), not to Amazon VPC subnets. A security group is stateful: when a connection is allowed in one direction, its reply traffic is allowed automatically, regardless of the rules in the other direction. A newly created security group allows no inbound traffic and all outbound traffic.
Security groups offer an advantage over network ACLs in that they can reference AWS resources rather than only IP ranges: a rule can name another security group, or the group itself, as its source or destination. A rule such as "allow TCP 5432 from the web tier's security group" then follows instances as they are launched or replaced, without anyone maintaining a list of addresses.
However, security groups contain only allow rules: anything not explicitly allowed is implicitly denied, but there is no way to write a deny rule. If you need to block a specific IP address or CIDR block while still allowing the rest of a broader range, you need a network ACL deny rule.
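To make the two evaluation models concrete, the following is an added example written for this page, not AWS code or documentation. It models a network ACL as a stateless, numbered allow/deny list and a security group as a stateful allow-only rule set, then runs a constructed scenario through both: a web instance 10.0.1.10, a database 10.0.2.20, a client 203.0.113.5, and an abusive range 198.51.100.0/24. The group IDs sg-web and sg-db, the addresses, and the connection-tracking logic are assumptions made for illustration and are simplified relative to the real service.

```python
"""Toy model of VPC filtering, written for this page (not AWS code): a network
ACL is a stateless, ordered allow/deny list at the subnet boundary; a security
group is a stateful, allow-only rule set on an ENI. IPs, group IDs and the
connection tracking are constructed/simplified for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"

def _proto_port_ok(proto, port_from, port_to, pkt_proto, port):
    return proto in ("-1", pkt_proto) and port_from <= port <= port_to

@dataclass(frozen=True)
class NaclRule:
    number: int     # evaluated lowest number first; the first match decides
    action: str     # "allow" or "deny": an ACL can deny explicitly
    cidr: str       # source CIDR for inbound rules, destination CIDR for outbound
    proto: str      # "tcp", "udp" or "-1" for all protocols
    port_from: int  # destination-port range of the packet
    port_to: int

class NetworkAcl:
    """Stateless: every packet, replies included, is matched against the list."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = (sorted(r, key=lambda x: x.number) for r in (inbound, outbound))
    def allows(self, pkt, direction):
        rules, ip = (self.inbound, pkt.src_ip) if direction == "in" else (self.outbound, pkt.dst_ip)
        for r in rules:
            if (_proto_port_ok(r.proto, r.port_from, r.port_to, pkt.proto, pkt.dst_port)
                    and ip_address(ip) in ip_network(r.cidr)):
                return r.action == "allow"
        return False  # the trailing '*' rule: deny whatever nothing matched

@dataclass(frozen=True)
class SgRule:  # allow-only: no action field, because no deny rule exists
    proto: str
    port_from: int
    port_to: int
    source: str  # a CIDR, or a security group ID (possibly this group's own ID)

class SecurityGroup:
    """Stateful: the reply half of an allowed connection passes with no rule of its own."""
    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()  # (peer_ip, peer_port, local_port, proto) of allowed connections
    @staticmethod
    def _matches(rule, peer_ip, port, proto, peer_sg):
        if not _proto_port_ok(rule.proto, rule.port_from, rule.port_to, proto, port):
            return False
        if rule.source.startswith("sg-"):
            return rule.source == peer_sg  # group membership of the peer, not its address
        return ip_address(peer_ip) in ip_network(rule.source)
    def _decide(self, rules, key, rule_port, peer_sg):
        if key in self._tracked:  # reply to a connection already allowed the other way
            return True
        if any(self._matches(r, key[0], rule_port, key[3], peer_sg) for r in rules):
            self._tracked.add(key)
            return True
        return False  # no allow rule matched: implicit deny
    def allows_inbound(self, pkt, peer_sg=None):
        return self._decide(self.inbound, (pkt.src_ip, pkt.src_port, pkt.dst_port, pkt.proto),
                            pkt.dst_port, peer_sg)
    def allows_outbound(self, pkt, peer_sg=None):
        return self._decide(self.outbound, (pkt.dst_ip, pkt.dst_port, pkt.src_port, pkt.proto),
                            pkt.dst_port, peer_sg)

def evaluate_examples():
    # Constructed scenario: web 10.0.1.10, db 10.0.2.20, client 203.0.113.5, abusive 198.51.100.0/24
    nacl = NetworkAcl(
        inbound=[NaclRule(10, "deny", "198.51.100.0/24", "-1", 0, 65535),   # deny first (lower number)
                 NaclRule(100, "allow", "0.0.0.0/0", "tcp", 443, 443)],
        outbound=[NaclRule(100, "allow", "0.0.0.0/0", "tcp", 1024, 65535)])  # ephemeral ports for replies
    no_ephemeral = NetworkAcl(nacl.inbound, [])  # same ACL with the ephemeral allow forgotten
    web_sg = SecurityGroup([SgRule("tcp", 443, 443, "0.0.0.0/0")], [SgRule("tcp", 5432, 5432, "sg-db")])
    fresh_web_sg = SecurityGroup(web_sg.inbound, web_sg.outbound)  # same rules, no tracked connections
    db_sg = SecurityGroup([SgRule("tcp", 5432, 5432, "sg-web")], [])  # references the web tier's group
    client_syn = Packet("203.0.113.5", 50000, "10.0.1.10", 443)
    blocked_syn = Packet("198.51.100.7", 50000, "10.0.1.10", 443)
    reply = Packet("10.0.1.10", 443, "203.0.113.5", 50000)
    web_to_db = Packet("10.0.1.10", 40000, "10.0.2.20", 5432)
    client_to_db = Packet("203.0.113.5", 40000, "10.0.2.20", 5432)
    return {
        "nacl_allows_client": nacl.allows(client_syn, "in"),
        "nacl_denies_blocked_range": nacl.allows(blocked_syn, "in"),
        "nacl_allows_reply": nacl.allows(reply, "out"),
        "nacl_without_ephemeral_drops_reply": no_ephemeral.allows(reply, "out"),
        "sg_allows_client": web_sg.allows_inbound(client_syn),
        "sg_allows_reply_by_state": web_sg.allows_outbound(reply),
        "sg_drops_reply_with_no_connection": fresh_web_sg.allows_outbound(reply),
        "sg_cannot_deny_blocked_range": web_sg.allows_inbound(blocked_syn),
        "db_sg_allows_web_tier": db_sg.allows_inbound(web_to_db, peer_sg="sg-web"),
        "db_sg_rejects_client": db_sg.allows_inbound(client_to_db),
    }

if __name__ == "__main__":
    print(evaluate_examples())
```

Running it shows the points made above: the network ACL blocks 198.51.100.7 only because the deny rule carries a lower number than the allow; the same ACL drops the server's reply as soon as the outbound ephemeral-port rule is missing, because it is stateless; the security group lets the reply through purely on connection state, has no way to deny 198.51.100.7 while still allowing 0.0.0.0/0, and the database group admits the web tier by group membership rather than by address.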