Feature | Security Group | Network ACL |
---|---|---|
Statefulness | Stateful: if inbound traffic is allowed in, the response to it is allowed out automatically regardless of the outbound rules (and vice versa). | Stateless: responses to allowed inbound traffic are evaluated against the outbound rules (and vice versa), so return traffic to clients needs an outbound rule covering the ephemeral port range (1024-65535). |
Resources | Operates at the elastic network interface level, i.e. per resource (EC2 instances, RDS instances, ELB, EFS mount targets, etc.). | Operates at the subnet level; each subnet is associated with exactly one NACL, which filters all traffic crossing the subnet boundary. |
Default behavior | A newly created security group denies all inbound traffic and allows all outbound traffic. (The VPC's default security group additionally allows inbound traffic from members of the same group.) | The VPC's default NACL allows all inbound and outbound traffic. A newly created custom NACL denies all traffic until rules are added. |
Rule Types | ALLOW rules only; anything not explicitly allowed is implicitly denied. All rules are evaluated before a decision is made. | Both ALLOW and DENY. Rules are numbered and evaluated in ascending order; the first match wins, and the catch-all * rule at the end denies anything unmatched. |
Traffic Types | Both Inbound & Outbound. | Both Inbound & Outbound. |
Pricing | Free | Free |
Use Case | Second layer of defence: per-resource allow rules for traffic the subnet's NACL has already let in, e.g. permit only the load balancer's security group to reach an instance's application port. Cannot block a specific source, since there are no DENY rules. | First layer of defence at the subnet boundary: allow or deny traffic before it reaches any security group, e.g. explicitly deny a known-hostile CIDR for every resource in the subnet. |
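
To make the statefulness and rule-ordering rows concrete, here is an added Python model of the two evaluation semantics. It is example code written for this page, not AWS's own; the Packet and Rule shapes are a simplification of the real rule fields, and the addresses (RFC 5737 test ranges), ports and rule numbers are all constructed.

```python
"""Constructed model of the evaluation semantics compared in the table:
a stateful, allow-only Security Group versus a stateless, numbered allow/deny
Network ACL. Added illustration only; not AWS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    cidr: str
    port_lo: int
    port_hi: int
    action: str = "allow"  # NACL rules may be "deny"; SG rules are always "allow"
    number: int = 0        # NACL evaluation order; ignored by Security Groups

    def matches(self, ip: str, port: int) -> bool:
        return (ip_address(ip) in ip_network(self.cidr, strict=False)
                and self.port_lo <= port <= self.port_hi)


class SecurityGroup:
    """Stateful and allow-only: a packet passes if ANY rule for its direction
    allows it (no match means implicit deny). Once a flow is allowed, its
    return packets pass regardless of the rules for the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._flows = set()  # connection-tracking table: (src, sport, dst, dport)

    def _check(self, rules, pkt, ip):
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self._flows:
            return True  # reply to a flow that was already allowed
        if any(r.matches(ip, pkt.dport) for r in rules):
            self._flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        return False

    def inbound_allowed(self, pkt):   # inbound rules match source CIDR + dest port
        return self._check(self.inbound, pkt, pkt.src)

    def outbound_allowed(self, pkt):  # outbound rules match dest CIDR + dest port
        return self._check(self.outbound, pkt, pkt.dst)


class NetworkACL:
    """Stateless: every packet, replies included, is evaluated against the rules
    of its own direction. Rules run in ascending number order, first match wins,
    and the catch-all * rule at the end denies anything unmatched."""

    def __init__(self, inbound, outbound):
        self.inbound = sorted(inbound, key=lambda r: r.number)
        self.outbound = sorted(outbound, key=lambda r: r.number)

    @staticmethod
    def _evaluate(rules, ip, port):
        for r in rules:
            if r.matches(ip, port):
                return r.action == "allow"
        return False  # the implicit final * DENY rule

    def inbound_allowed(self, pkt):
        return self._evaluate(self.inbound, pkt.src, pkt.dport)

    def outbound_allowed(self, pkt):
        return self._evaluate(self.outbound, pkt.dst, pkt.dport)


def https_exchange(filt):
    """Constructed flow: client 203.0.113.10 connects from an ephemeral port to
    instance 10.0.1.5 on 443 and the instance replies.
    Returns (request_allowed, reply_allowed)."""
    request = Packet("203.0.113.10", "10.0.1.5", 50000, 443)
    reply = Packet("10.0.1.5", "203.0.113.10", 443, 50000)
    req_ok = filt.inbound_allowed(request)
    rep_ok = filt.outbound_allowed(reply) if req_ok else False
    return req_ok, rep_ok


# A Security Group with no outbound rules still lets the HTTPS reply out.
SG_HTTPS = SecurityGroup(inbound=[Rule("0.0.0.0/0", 443, 443)], outbound=[])

# The same single allow rule on a NACL drops the reply: nothing allows the
# outbound packet to the client's ephemeral port 50000 until a 1024-65535 rule exists.
ALLOW_443 = Rule("0.0.0.0/0", 443, 443, number=100)
EPHEMERAL = Rule("0.0.0.0/0", 1024, 65535, number=100)
NACL_NO_EPHEMERAL = NetworkACL(inbound=[ALLOW_443], outbound=[])
NACL_FIXED = NetworkACL(inbound=[ALLOW_443], outbound=[EPHEMERAL])

# An explicit DENY exists only on NACLs, and it only takes effect when its
# rule number sorts before the ALLOW it is meant to override.
NACL_DENY_FIRST = NetworkACL(
    inbound=[Rule("203.0.113.0/24", 0, 65535, "deny", 90), ALLOW_443], outbound=[EPHEMERAL])
NACL_DENY_TOO_LATE = NetworkACL(
    inbound=[Rule("203.0.113.0/24", 0, 65535, "deny", 110), ALLOW_443], outbound=[EPHEMERAL])

if __name__ == "__main__":
    for name, f in [("security group", SG_HTTPS), ("NACL, no ephemeral rule", NACL_NO_EPHEMERAL),
                    ("NACL, fixed", NACL_FIXED), ("NACL, deny at 90", NACL_DENY_FIRST),
                    ("NACL, deny at 110", NACL_DENY_TOO_LATE)]:
        print(f"{name}: request/reply allowed = {https_exchange(f)}")
```

The two failure modes worth remembering from the run are the NACL with only an inbound 443 rule, whose replies silently die at the subnet boundary, and the DENY rule numbered after the ALLOW it was meant to override, which never fires. Neither can happen with a security group, but a security group also cannot express the deny at all.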