What is the difference between a Security Group and a Network ACL?
AWS · Basic level
Answer
Security Groups are stateful, allow-only firewalls attached at the ENI (instance) level; Network ACLs are stateless, numbered allow/deny rule lists applied at the subnet boundary. I use Security Groups for normal workload access control and NACLs for coarse subnet guardrails or explicit deny use cases, such as blocking a known-bad CIDR before it reaches any instance.
Technical explanation
Security Groups support references to other security groups, which is cleaner than IP-based rules for dynamic compute fleets because membership follows the ENI rather than an address. They have no deny rules and track connection state, so a permitted request automatically permits its reply. NACLs are evaluated in rule-number order, first match wins, and end in an implicit deny; because they are stateless, return traffic has to be allowed explicitly, which in practice means opening the ephemeral port range (1024-65535) in the reverse direction.
In AWS networking, always separate placement, routing, and filtering: subnets place resources, route tables decide next hops, and SG/NACL rules filter traffic.
Design for failure domains by spreading public, private, and data subnets across multiple AZs and avoiding single-AZ dependencies where production availability matters.
Troubleshooting should follow packet flow: source, source SG outbound rules, source subnet NACL outbound rules, route table, endpoint/NAT/IGW/TGW, destination subnet NACL inbound rules, destination SG inbound rules, and the service listener. Then walk the reply back through the same controls; a reply the stateful SG allows can still be dropped by a stateless NACL that lacks the reverse rule.
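The evaluation model in the three points above, as an added example (not AWS code or anything from this page): a toy Security Group with connection tracking and allow-only rules that can reference another group, a toy NACL with numbered first-match allow/deny rules, and a trace that walks a request and its reply through the stages in path order. The topology, group IDs, CIDRs and ports are made up.

```python
"""Toy model of how a Security Group (stateful, allow-only, per ENI) and a
Network ACL (stateless, numbered allow/deny rules, per subnet) evaluate a
TCP flow. Added illustration, not AWS code: group IDs, CIDRs and ports are
invented, and real SGs also match on prefix lists and ICMP types."""
import ipaddress
from dataclasses import dataclass, field

EPHEMERAL = (1024, 65535)   # reply-port range AWS recommends opening in NACLs


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str = "tcp"

    def reply(self):
        """The receiver's answer: addresses and ports swapped."""
        return Packet(self.dst, self.src, self.dport, self.sport, self.proto)


def _in(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


@dataclass
class SecurityGroup:
    """Rules are (proto, low_port, high_port, source) where source is a CIDR
    or another group ID. There are no deny rules; no match means drop."""
    sg_id: str
    inbound: list
    outbound: list
    members: set = field(default_factory=set)   # IPs of ENIs in this group
    tracked: set = field(default_factory=set)   # permitted flows (conntrack)

    def _allowed(self, rules, pkt, peer, groups):
        for proto, lo, hi, source in rules:
            if proto != pkt.proto or not lo <= pkt.dport <= hi:
                continue
            if source.startswith("sg-"):
                if peer in groups[source].members:   # group reference
                    return True
            elif _in(peer, source):
                return True
        return False

    def check(self, direction, pkt, groups):
        key = (pkt.src, pkt.dst, pkt.sport, pkt.dport, pkt.proto)
        reverse = (pkt.dst, pkt.src, pkt.dport, pkt.sport, pkt.proto)
        if reverse in self.tracked:        # stateful: reply to a tracked flow
            return True
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        ok = self._allowed(rules, pkt, peer, groups)
        if ok:
            self.tracked.add(key)
        return ok


@dataclass
class NetworkACL:
    """Rules are (number, proto, low_port, high_port, cidr, action), evaluated
    in number order, first match wins; the trailing '*' rule denies the rest."""
    name: str
    inbound: list
    outbound: list

    def check(self, direction, pkt):
        rules = self.inbound if direction == "in" else self.outbound
        peer = pkt.src if direction == "in" else pkt.dst
        for _, proto, lo, hi, cidr, action in sorted(rules):
            if proto in (pkt.proto, "all") and lo <= pkt.dport <= hi and _in(peer, cidr):
                return action == "allow"
        return False                        # stateless: no rule, no memory, drop


def trace(pkt, snd_sg, snd_nacl, rcv_nacl, rcv_sg, groups):
    """Walk one packet through the filters in path order; return (delivered, stage that dropped it)."""
    stages = [
        ("sender SG outbound", lambda: snd_sg.check("out", pkt, groups)),
        ("sender subnet NACL outbound", lambda: snd_nacl.check("out", pkt)),
        ("receiver subnet NACL inbound", lambda: rcv_nacl.check("in", pkt)),
        ("receiver SG inbound", lambda: rcv_sg.check("in", pkt, groups)),
    ]
    for name, fn in stages:
        if not fn():
            return False, name
    return True, None


def round_trip(req, client_sg, client_nacl, server_nacl, server_sg, groups):
    """Request then reply; the reply crosses the same controls with roles swapped."""
    ok, where = trace(req, client_sg, client_nacl, server_nacl, server_sg, groups)
    if not ok:
        return {"request": where, "reply": "not sent"}
    ok, where = trace(req.reply(), server_sg, server_nacl, client_nacl, client_sg, groups)
    return {"request": "delivered", "reply": "delivered" if ok else where}


def scenario(nacl_reply_rule=True, deny_client_cidr=False):
    """Constructed topology: client 10.0.1.10 (sg-web, subnet A) -> Postgres
    10.0.2.20 (sg-db, subnet B) on tcp/5432 from ephemeral port 40000."""
    web = SecurityGroup("sg-web", inbound=[], outbound=[("tcp", 5432, 5432, "sg-db")], members={"10.0.1.10"})
    db = SecurityGroup("sg-db", inbound=[("tcp", 5432, 5432, "sg-web")], outbound=[], members={"10.0.2.20"})
    groups = {"sg-web": web, "sg-db": db}
    a_out = [(100, "tcp", 5432, 5432, "10.0.2.0/24", "allow")]
    a_in = [(100, "tcp", *EPHEMERAL, "10.0.2.0/24", "allow")]       # reply back to the client
    b_in = [(100, "tcp", 5432, 5432, "10.0.1.0/24", "allow")]
    b_out = [(100, "tcp", *EPHEMERAL, "10.0.1.0/24", "allow")] if nacl_reply_rule else []
    if deny_client_cidr:                                              # lower number wins
        b_in.insert(0, (50, "tcp", 0, 65535, "10.0.1.0/25", "deny"))
    req = Packet("10.0.1.10", "10.0.2.20", sport=40000, dport=5432)
    return round_trip(req, web, NetworkACL("nacl-a", a_in, a_out), NetworkACL("nacl-b", b_in, b_out), db, groups)


if __name__ == "__main__":
    print("both controls correct:     ", scenario())
    print("NACL missing reply rule:   ", scenario(nacl_reply_rule=False))
    print("NACL explicit deny at #50: ", scenario(deny_client_cidr=True))
```

Note that neither SG has an outbound rule for the database reply or an inbound rule on the client; both replies pass purely on tracked state. Removing the ephemeral-port rule from the server subnet's NACL leaves the SGs untouched yet kills the reply, which is exactly the symptom the troubleshooting order above is meant to localise.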
Hands-on example
1. Create a sandbox VPC with two AZs, public subnets, private subnets, route tables, IGW, NAT Gateway, security groups, and one VPC endpoint relevant to the topic.
2. Deploy a small test instance or pod in the correct subnet and validate routing with curl, traceroute where allowed, and VPC Flow Logs.
3. Change one control at a time - route, SG, NACL, endpoint policy, NAT, or TGW route - and observe exactly how connectivity changes. For this topic, remove the NACL's ephemeral-port return rule while leaving the Security Groups alone and confirm that the request still arrives but the reply is rejected.
4. Document the final production pattern as an architecture diagram plus a troubleshooting checklist.
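When step 2 turns to VPC Flow Logs, the question is usually "which control dropped this?". The helper below is an added example for that step (not AWS tooling and not from this page) that reads records in the default v2 flow-log format, discards NODATA/SKIPDATA records, and pairs each REJECT with any ACCEPT of the reverse 5-tuple on the same ENI: a rejected packet whose reverse flow was accepted is a reply, and a stateful Security Group would have allowed it, so the stateless NACL is the culprit. The log lines, account ID and ENI ID are constructed.

```python
"""Pair VPC Flow Log records to separate a stateless (NACL) drop from a
drop that could be either control. Added helper for the hands-on step,
not AWS tooling. Default v2 record format; all sample lines are constructed."""

FIELDS = ("version account_id interface_id srcaddr dstaddr srcport dstport "
          "protocol packets bytes start end action log_status").split()

# Constructed sample for eni-0abc, a Postgres host at 10.0.2.20 (protocol 6 = TCP):
#  - 10.0.1.10 -> 5432 is ACCEPTed, but the reply 5432 -> 40000 is REJECTed
#  - 10.0.1.11 -> 5432 is REJECTed with no accepted companion flow
#  - one NODATA record, which carries no addresses and must be skipped
SAMPLE = """\
2 123456789012 eni-0abc 10.0.1.10 10.0.2.20 40000 5432 6 4 296 1700000000 1700000060 ACCEPT OK
2 123456789012 eni-0abc 10.0.2.20 10.0.1.10 5432 40000 6 4 296 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc 10.0.1.11 10.0.2.20 40001 5432 6 1 60 1700000000 1700000060 REJECT OK
2 123456789012 eni-0abc - - - - - - - 1700000000 1700000060 - NODATA
"""


def parse(text):
    """Turn raw flow-log lines into dicts keyed by the default field names."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue                        # not a default-format record
        rec = dict(zip(FIELDS, parts))
        if rec["log_status"] != "OK":
            continue                        # NODATA / SKIPDATA: nothing to pair
        records.append(rec)
    return records


def classify_rejects(records):
    """Map each rejected 5-tuple (src, dst, sport, dport, proto) to a verdict.

    'nacl'       : the reverse flow was ACCEPTed on the same ENI, so this is a
                   reply; a stateful SG would have allowed it, only a stateless
                   NACL drops replies to accepted flows.
    'sg-or-nacl' : first packet of a flow with no accepted companion; either
                   control can reject it, check both.
    """
    accepted = set()
    for r in records:
        if r["action"] == "ACCEPT":
            accepted.add((r["interface_id"], r["srcaddr"], r["dstaddr"],
                          r["srcport"], r["dstport"], r["protocol"]))
    verdicts = {}
    for r in records:
        if r["action"] != "REJECT":
            continue
        reverse = (r["interface_id"], r["dstaddr"], r["srcaddr"],
                   r["dstport"], r["srcport"], r["protocol"])
        key = (r["srcaddr"], r["dstaddr"], r["srcport"], r["dstport"], r["protocol"])
        verdicts[key] = "nacl" if reverse in accepted else "sg-or-nacl"
    return verdicts


if __name__ == "__main__":
    for flow, verdict in classify_rejects(parse(SAMPLE)).items():
        print(f"{flow[0]}:{flow[2]} -> {flow[1]}:{flow[3]} proto {flow[4]}: {verdict}")
```

The pairing only works on records from the same ENI and capture window, so run it on logs from the instance you are testing rather than a VPC-wide export, and treat 'sg-or-nacl' as a prompt to check the SG first (it is the more common misconfiguration) and then the subnet NACL.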
More AWS interview questions
- What is the AWS shared responsibility model, and where is the line between AWS and the customer?
- Explain the difference between a Region, an Availability Zone, and an Edge Location.
- What is a VPC, and what are its core components (subnets, route tables, IGW, NAT)?
- Difference between a public and a private subnet, and how does each reach the internet?
- Are Security Groups stateful or stateless? What about NACLs?
- What is an Internet Gateway versus a NAT Gateway, and when do you need each?
- How does a NAT Gateway differ from a NAT instance?
- Explain VPC peering and its limitations (e.g., non-transitive routing).