Which statement CORRECTLY describes the difference between a security group and a network ACL (NACL)?

Correct answer: A

Explanation

A question asking to select the correct description of the difference between a security group and a NACL.

  • Difference between a security group and a network ACL (NACL): distinguish by scope of application (instance/subnet) and state management (stateful/stateless)
A: Correct

A security group is stateful and applied at the instance level; a NACL is stateless and applied at the subnet level.

This is correct. A security group applies at the instance level and operates in a stateful manner, automatically allowing return traffic. A NACL applies at the subnet level and operates in a stateless manner, requiring explicit rules for return traffic, and it can also configure deny rules. The scope of application and state management are the main differences between the two.

B: Incorrect

A security group is stateless and requires explicit allow rules for return traffic.

A security group is stateful, and return traffic for permitted connections is automatically allowed.

Requiring explicit rules for return traffic is a characteristic of the stateless NACL, not a security group. This description has the behavior reversed, so it is incorrect.

C: Incorrect

A security group is applied at the subnet level; a NACL is applied at the instance level.

The description is reversed. A security group applies at the instance level; a NACL applies at the subnet level.

Because the scope of application is transposed, this is incorrect.

D: Incorrect

A security group supports both allow and deny rules; a NACL supports only allow rules.

This reverses the rule specifications of both. A security group supports only allow rules and cannot write explicit deny rules. The ability to write both allow and deny rules is a feature of NACL.

Because the characteristics are swapped, this is incorrect.

Key Takeaway

SG = instance-level, stateful, allow rules only / NACL = subnet-level, stateless, allow + deny. Both are free to use. Understand the differences in scope of application (instance vs. subnet) and state management (stateful vs. stateless).