
At companies like AWS, interviewers may ask you to compare two access-control mechanisms to test whether you understand layered network filtering and can reason about packet flow.
Explain the difference between a Security Group and a Network ACL. In your answer, cover:
Give a systems-oriented explanation rather than a cloud-certification definition dump. The interviewer expects you to compare behavior, discuss practical implications for debugging connectivity issues, and explain why these two controls are complementary rather than interchangeable. You do not need to memorize provider-specific limits, but you should be precise about packet filtering semantics and common misconceptions.
A Security Group is attached to an instance or network interface, so it acts close to the workload. A Network ACL is attached to a subnet, so it applies to all traffic entering or leaving that subnet.
Security Groups are stateful: if inbound traffic is allowed, the response is automatically allowed back out. Network ACLs are stateless: inbound and outbound rules are evaluated independently, so return traffic must be explicitly permitted.
Security Groups typically support allow rules only, with traffic denied by default if no rule matches. Network ACLs usually support ordered allow and deny rules, and the first matching rule determines the outcome.
Security Group rules are generally evaluated as a set, not by rule order, so any matching allow can permit traffic. Network ACLs are processed in rule-number order, which makes precedence and explicit denies important.
Security Groups are commonly used for workload-level access control such as allowing app servers to talk to databases. Network ACLs are often used as broader subnet guardrails, for example blocking a suspicious IP range before traffic reaches instances.
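The evaluation semantics described above, as an added example that is not part of the original page: a small Python model of a stateful, allow-only, unordered Security Group and a stateless, numbered, first-match Network ACL, walked through a request and its reply in the order a packet actually meets them (NACL at the subnet edge, then the Security Group at the interface). The addresses, ports and rule numbers are constructed for the illustration, and the `Packet`, `Rule`, `SecurityGroup` and `NetworkAcl` classes are a teaching model, not a provider's implementation. It shows the two classic debugging traps: an outbound NACL that mirrors the inbound rule and therefore drops the reply to the client's ephemeral port, and an explicit deny numbered after the allow that never fires.

```python
"""Toy model: stateful Security Group vs stateless Network ACL (constructed example)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Rule:
    cidr: str            # remote address range the rule applies to
    port_from: int       # destination-port range of the packet being evaluated
    port_to: int
    action: str = "allow"  # "deny" is only meaningful for NACLs

    def matches(self, remote_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(remote_ip) in ipaddress.ip_network(self.cidr)
                and self.port_from <= port <= self.port_to)


def _flow_key(pkt: Packet, direction: str):
    """Canonical (remote_ip, remote_port, local_port); identical for a reply."""
    if direction == "in":
        return (pkt.src_ip, pkt.src_port, pkt.dst_port)
    return (pkt.dst_ip, pkt.dst_port, pkt.src_port)


@dataclass
class SecurityGroup:
    inbound: list
    outbound: list
    tracked: set = field(default_factory=set)  # connections already admitted

    def __post_init__(self):
        # Security Groups carry allow rules only; a deny rule is a modelling error.
        assert all(r.action == "allow" for r in self.inbound + self.outbound)

    def evaluate(self, pkt: Packet, direction: str) -> str:
        key = _flow_key(pkt, direction)
        if key in self.tracked:
            return "allow"  # stateful: reply of a tracked connection needs no rule
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        rules = self.inbound if direction == "in" else self.outbound
        if any(r.matches(remote, pkt.dst_port) for r in rules):  # set, order irrelevant
            self.tracked.add(key)
            return "allow"
        return "deny"  # implicit default deny when nothing matches


@dataclass
class NetworkAcl:
    inbound: list   # (rule_number, Rule) pairs
    outbound: list

    def evaluate(self, pkt: Packet, direction: str) -> str:
        remote = pkt.src_ip if direction == "in" else pkt.dst_ip
        rules = self.inbound if direction == "in" else self.outbound
        for _number, rule in sorted(rules, key=lambda nr: nr[0]):  # first match wins
            if rule.matches(remote, pkt.dst_port):
                return rule.action
        return "deny"  # implicit catch-all deny at the end of the list


def round_trip(sg: SecurityGroup, nacl: NetworkAcl, request: Packet):
    """Request into the subnet, reply back out; stop at the first drop."""
    reply = Packet(request.dst_ip, request.dst_port, request.src_ip, request.src_port)
    steps = []
    for name, filt, pkt, direction in (("nacl_in", nacl, request, "in"),
                                       ("sg_in", sg, request, "in"),
                                       ("sg_out", sg, reply, "out"),
                                       ("nacl_out", nacl, reply, "out")):
        verdict = filt.evaluate(pkt, direction)
        steps.append((name, verdict))
        if verdict != "allow":
            break
    return steps


# Constructed addresses (documentation ranges) and a web instance listening on 443.
CLIENT = Packet("203.0.113.5", 51234, "10.0.1.10", 443)
SCANNER = Packet("198.51.100.7", 40000, "10.0.1.10", 443)


def build_sg() -> SecurityGroup:
    # Inbound 443 only, and deliberately no outbound rule: statefulness carries the reply.
    return SecurityGroup(inbound=[Rule("0.0.0.0/0", 443, 443)], outbound=[])


def naive_nacl():
    """Outbound mirrors inbound on 443: the reply to port 51234 is dropped."""
    nacl = NetworkAcl(inbound=[(100, Rule("0.0.0.0/0", 443, 443))],
                      outbound=[(100, Rule("0.0.0.0/0", 443, 443))])
    return round_trip(build_sg(), nacl, CLIENT)


def ephemeral_nacl():
    """Outbound permits the ephemeral range, so the stateless reply passes."""
    nacl = NetworkAcl(inbound=[(100, Rule("0.0.0.0/0", 443, 443))],
                      outbound=[(100, Rule("0.0.0.0/0", 1024, 65535))])
    return round_trip(build_sg(), nacl, CLIENT)


def guardrail(deny_number: int):
    """Subnet-level deny of a range; it only works if numbered before the allow."""
    nacl = NetworkAcl(inbound=[(deny_number, Rule("198.51.100.0/24", 0, 65535, "deny")),
                               (100, Rule("0.0.0.0/0", 443, 443))],
                      outbound=[(100, Rule("0.0.0.0/0", 1024, 65535))])
    return round_trip(build_sg(), nacl, SCANNER)


if __name__ == "__main__":
    for label, steps in (("naive NACL", naive_nacl()), ("ephemeral NACL", ephemeral_nacl()),
                         ("deny at 50", guardrail(50)), ("deny at 200", guardrail(200))):
        print(f"{label:15} {steps}")
```

Running it shows the reply reaching `nacl_out` and being denied in the naive case, while the Security Group with no outbound rule at all lets the same reply through because the connection was tracked on the way in; `guardrail(200)` allows the scanner despite the deny rule, because rule 100 matches first and evaluation stops there.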