At companies like AWS, interviewers may ask you to compare two access-control mechanisms to test whether you understand layered network filtering and can reason about packet flow.
Explain the difference between a Security Group and a Network ACL. In your answer, cover:
Give a systems-oriented explanation rather than a cloud-certification definition dump. The interviewer expects you to compare behavior, discuss practical implications for debugging connectivity issues, and explain why these two controls are complementary rather than interchangeable. You do not need to memorize provider-specific limits, but you should be precise about packet filtering semantics and common misconceptions.
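The packet-flow reasoning asked for above can be checked against a small model. This is an added example, not part of the original question: it assumes a simplified AWS-style pipeline (port matching only, no CIDR or protocol), and every name in it (`Packet`, `NaclRule`, `SecurityGroup`, `round_trip`) and the sample addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass(frozen=True)
class NaclRule:
    number: int
    lo: int
    hi: int
    allow: bool

def nacl_allows(rules, port):
    """Stateless: lowest-numbered matching rule decides; no match means deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.lo <= port <= rule.hi:
            return rule.allow
    return False

class SecurityGroup:
    """Stateful, allow-only: replies to an admitted flow skip the rule check."""
    def __init__(self, inbound_ports, outbound_ports=()):
        self.inbound, self.outbound = set(inbound_ports), set(outbound_ports)
        self.flows = set()

    def ingress(self, p):
        if p.dport in self.inbound:
            self.flows.add((p.src, p.sport, p.dst, p.dport))
            return True
        return False

    def egress(self, p):
        return (p.dst, p.dport, p.src, p.sport) in self.flows or p.dport in self.outbound

def round_trip(nacl_in, nacl_out, sg, request):
    """Return 'ok' or the name of the layer that drops the request or its reply."""
    reply = Packet(request.dst, request.src, request.dport, request.sport)
    if not nacl_allows(nacl_in, request.dport):
        return "nacl-inbound"
    if not sg.ingress(request):
        return "sg-inbound"
    if not sg.egress(reply):
        return "sg-outbound"
    if not nacl_allows(nacl_out, reply.dport):
        return "nacl-outbound"
    return "ok"

# Constructed sample request: client ephemeral port 50000 to a server on 443.
REQUEST = Packet("203.0.113.10", "10.0.1.5", 50000, 443)
```

With inbound 443 allowed at both layers and no outbound rules anywhere, the reply passes the Security Group through flow tracking but is dropped by the Network ACL until an outbound rule covers the client's ephemeral port range.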