| Security Group | Network ACL |
|---|---|
| A security group is applied at an instance level. | Network ACL is applied at the subnet level. |
| Stateful: return traffic for an allowed incoming request is automatically allowed out, regardless of the outgoing rules. | Stateless: return traffic is NOT automatically allowed; it must be explicitly permitted by an outgoing rule. |
| Security group supports allow rules only. | Network ACL supports allow and deny rules. |
| A security group evaluates all the rules before allowing the traffic. | Network ACL evaluates the rules from top to bottom and applies the first matching rule on the incoming/outgoing traffic. |
| A security group applies to an instance only if it is explicitly associated with that instance. | A network ACL applies its rules to every instance in the subnet it is associated with. |
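
The evaluation differences in the table, as an added example that is not part of the original page: a simplified model (not the AWS API) in which `Rule`, `sg_allows`, `nacl_allows` and `request_succeeds` are hypothetical names, protocol matching is ignored, and the rule sets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    cidr: str
    port_lo: int
    port_hi: int
    action: str = "allow"  # security groups only ever hold "allow" rules
    number: int = 0        # NACL rule number; unused by security groups

    def matches(self, ip, port):
        return (ipaddress.ip_address(ip) in ipaddress.ip_network(self.cidr)
                and self.port_lo <= port <= self.port_hi)

def sg_allows(rules, ip, port):
    """Security group: all rules are considered; any match allows, else implicit deny."""
    return any(r.matches(ip, port) for r in rules)

def nacl_allows(rules, ip, port):
    """Network ACL: lowest rule number first; the first match decides, else implicit deny."""
    for r in sorted(rules, key=lambda r: r.number):
        if r.matches(ip, port):
            return r.action == "allow"
    return False

def request_succeeds(kind, inbound, outbound, client_ip, server_port, client_port):
    """True if an incoming request is admitted and its reply can leave."""
    if kind == "sg":
        # Stateful: the reply to an admitted request needs no outgoing rule.
        return sg_allows(inbound, client_ip, server_port)
    # Stateless: the reply is checked against the outgoing rules on its own.
    return (nacl_allows(inbound, client_ip, server_port)
            and nacl_allows(outbound, client_ip, client_port))

# Constructed sample rules using documentation address ranges.
SG_IN = [Rule("0.0.0.0/0", 443, 443)]
NACL_IN = [Rule("203.0.113.0/24", 443, 443, "deny", 90),   # evaluated first
           Rule("0.0.0.0/0", 443, 443, "allow", 100)]
NACL_OUT = [Rule("0.0.0.0/0", 1024, 65535, "allow", 100)]  # ephemeral reply ports

if __name__ == "__main__":
    print("SG admits 203.0.113.7:", sg_allows(SG_IN, "203.0.113.7", 443))
    print("NACL admits 203.0.113.7:", nacl_allows(NACL_IN, "203.0.113.7", 443))
    print("NACL, no outgoing rule:",
          request_succeeds("nacl", NACL_IN, [], "198.51.100.5", 443, 50000))
    print("NACL, with outgoing rule:",
          request_succeeds("nacl", NACL_IN, NACL_OUT, "198.51.100.5", 443, 50000))
```

The security group cannot carve the `203.0.113.0/24` range out of its allow rule, while the NACL's lower-numbered deny wins over the broader allow that follows it.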