Security Groups and Network ACLs

Get an overview of Security Groups and Network ACLs.

Security groups

Security groups act as a firewall at the instance level. Specifically, security groups operate at the network interface level.


  • We can only assign permit rules in a security group; we cannot assign deny rules.
  • There is an implicit deny rule at the end of a security group.
  • All rules are evaluated until a permit is encountered or continues until the implicit deny.
  • A security group can control both ingress and egress traffic.
    • By default, custom security groups do not have inbound allow rules (all inbound traffic is denied by default).
    • By default, default security groups have inbound allow rules (allowing traffic from within the group).
    • All outbound traffic is allowed by default in both custom and default security groups.


  • Security groups are stateful.
  • You can use security group names as the source or destination in other security groups. You can also use the security group name as a source in its own inbound rules.
  • Security group members can be within any AZ or subnet within the VPC. Security group membership can be changed whilst instances are running.
  • Up to 5 security groups can be added per EC2 instance interface. There is no limit on the number of EC2 instances within a security group.
  • Any changes made will take effect immediately.


  • You cannot block specific IP addresses using security groups; use NACLs instead.

  • You cannot delete the security group that is created by default within a VPC.

Level up your interview prep. Join Educative to access 70+ hands-on prep courses.