[Network Access Control List & Security Group]

• It is a firewall which controls traffic from & to the subnet.
• ⭐⭐⭐ Can have ALLOW & DENY RULES
• They are attached at Network Subnet level.
• ⭐ Rules only include IP Addresses

• A firewall that controls traffic to and from an ENI/EC2 Instance
• ⭐⭐⭐ Can have only ALLOW rules (DENY BY DEFAULT!)
• Roles include IP Addresses and other security groups

• Operates at instance level
• Supports ALLOW rules only
• Is Stateful: return traffic is allowed automatically regardless of any rules.
• We evaluate all the rules before deciding wheather to allow traffic.
• Applies to an instance only if someone specifies the security group while launching an instance. or attaching security group with instance later on.

• Operates at subnet level
• Supports ALLOW & DENY rules
• Is Stateless: Return traffic must be explicitly allowed by rules.
• We process rules in number order.
• Automatically Applies to all instance in a subnet, its associated with, (you dont have to rely on users to specify security group)