AWS Services

Security Groups vs NACLs vs Route Tables

Compare AWS security groups, network ACLs, and route tables for VPC reachability, filtering, statefulness, subnet behavior, troubleshooting, and SAA-C03 exam traps.

Foundation level. 7 min read. Updated 2026-06-03.

After this, you will understand

This comparison gives learners a packet-tracing checklist for VPC questions: route first, then subnet guardrail, then resource firewall.

Plain version

Route tables choose where traffic goes, NACLs allow or deny traffic at the subnet boundary, and security groups allow traffic to and from resources.

Decision pressure

Learners troubleshoot every failed connection as a security group issue and forget routes, stateless NACL return traffic, or missing listeners.

Exam-ready model

Trace source, destination, route table, NACL, security group, application listener, and DNS before changing rules.

Think before reading: which control decides where a packet should go next?

A route table decides the next hop based on destination, while security groups and NACLs filter whether traffic is allowed.



Concepts Covered

  • Route tables
  • Security groups
  • Network ACLs
  • Stateful filtering
  • Stateless filtering
  • Route targets
  • Subnet associations
  • Resource-level firewalls
  • Return traffic
  • VPC troubleshooting traps

1. Plain-English Mental Model

Security groups, NACLs, and route tables answer three different questions.

A route table asks:

Where should this packet go next?

A network ACL asks:

Is this packet allowed to enter or leave this subnet?

A security group asks:

Is this packet allowed to reach or leave this resource?

The short model is:

route table = path decision
NACL = subnet-level stateless filter
security group = resource-level stateful filter

Most VPC troubleshooting gets easier when you stop mixing those jobs together.

2. Why This Service Exists

AWS VPC design separates reachability from filtering.

Route tables create possible paths to local VPC CIDRs, internet gateways, NAT gateways, Transit Gateways, VPC peering connections, VPNs, Direct Connect gateways, and VPC endpoints.

NACLs provide subnet-level allow and deny rules. They are useful for coarse guardrails and explicit deny patterns.

Security groups provide resource-level allow rules. They are the primary firewall control for EC2 instances, load balancers, RDS, interface endpoints, and many ENI-backed resources.

For SAA-C03, failed connectivity questions often contain clues like "no route", "subnet-level", "stateless", "stateful", "return traffic", "source security group", or "route to internet gateway."

3. The Naive Approach And Where It Breaks

The naive approach is to fix every connectivity issue by editing security groups.

That fails when there is no route to the destination. A security group cannot send internet traffic to an internet gateway. It cannot route private subnet traffic to NAT. It cannot route S3 traffic to a gateway endpoint.

Another naive approach is to lock down NACLs like detailed application firewalls. That often breaks return traffic because NACLs are stateless and evaluate inbound and outbound rules separately.

Another mistake is adding a route and assuming traffic is allowed. A route can make a path possible while NACLs, security groups, endpoint policies, IAM, or the application itself still block the request.

The right approach is packet tracing.

4. Core Primitives

A route table contains routes. Each route has a destination and a target.

Examples:

10.0.0.0/16 -> local
0.0.0.0/0 -> internet gateway
0.0.0.0/0 -> NAT gateway
10.20.0.0/16 -> Transit Gateway
S3 prefix list -> gateway endpoint

A subnet is associated with a route table. If there is no explicit association, it uses the main route table.

A security group has inbound and outbound allow rules. It is stateful. Return traffic for an allowed flow is automatically allowed.

A NACL has inbound and outbound allow or deny rules. It is stateless. Rules are evaluated in order by rule number. Return traffic needs rules too.

Security groups attach to resources or network interfaces. NACLs associate with subnets. Route tables associate with subnets or gateways depending on type.

5. Architecture Use Cases

Use route tables to define subnet behavior:

  • public subnet routes internet-bound traffic to an internet gateway
  • private subnet routes outbound internet-bound IPv4 traffic to a NAT gateway
  • isolated subnet has no internet default route
  • private subnet routes S3 traffic to an S3 gateway endpoint
  • spoke VPC subnet routes shared network destinations to Transit Gateway

Use security groups to express application relationships:

  • load balancer allows HTTPS from users
  • app instances allow traffic from the load balancer security group
  • database allows traffic from the app security group
  • interface endpoint allows HTTPS from private workload security groups

Use NACLs for broad subnet guardrails:

  • deny a known bad CIDR at subnet level
  • enforce coarse subnet boundaries
  • add defense in depth around public subnet exposure

Most application-tier access should live in security groups, not NACLs.

7. Security Model

Route tables are not firewalls, but they are security-relevant. If a route to the internet or another network does not exist, traffic cannot use that path. If an overly broad route exists, filtering controls must carry more burden.

Security groups are stateful allow-list controls. They do not support explicit deny rules. They can reference other security groups, which makes them excellent for tiered architectures.

NACLs are stateless allow/deny subnet controls. They can explicitly deny traffic, but they cannot reference security groups.

Neither security groups nor NACLs filter every special VPC path. AWS documents exceptions for traffic such as AmazonProvidedDNS and instance metadata paths. Use the right service for DNS filtering or metadata protection.

Layered security usually looks like:

  • route only required paths
  • use security groups for application access
  • use NACLs for coarse subnet guardrails
  • use IAM/resource policies for AWS API access
  • use dedicated firewall services for deeper inspection

8. Reliability And Resilience

Misconfigured route tables can create complete outages. A private subnet without a NAT route or endpoint route may lose required outbound access. A public subnet without an internet gateway route is not public.

Misconfigured NACLs can create one-way failures. A request may enter, but the response may be blocked because ephemeral return ports are not allowed.

Misconfigured security groups can create tier-specific failures. The load balancer may be reachable from users while the app instances reject load balancer traffic.

Route changes should be treated carefully in shared networking environments because one route table can affect many subnets.

Use VPC Reachability Analyzer, VPC Flow Logs, load balancer target health, DNS checks, and application logs to avoid guessing.
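As an added worked example (not code from the original page), a small Python model of the packet-tracing checklist from sections 4 and 8: longest-prefix route lookup, numbered stateless NACL rules evaluated separately per direction, and stateful security groups that can reference another group. The subnet, CIDRs, rule numbers and group ids are constructed, and the NACL deliberately omits the ephemeral return range so the one-way failure described above shows up in the trace.

```python
import ipaddress

# Constructed sample VPC, not a real account: a subnet whose NACL allows HTTPS both ways
# but forgets the ephemeral return range, plus an app SG that only trusts the ALB SG.
SUBNET = "10.0.1.0/24"
ROUTES = {"10.0.0.0/16": "local", "0.0.0.0/0": "igw"}
# Stateless NACL: (rule number, CIDR, low port, high port, action), checked in order.
NACL = {
    "in":  [(100, "0.0.0.0/0", 443, 443, "allow"), (32767, "0.0.0.0/0", 0, 65535, "deny")],
    "out": [(100, "0.0.0.0/0", 443, 443, "allow"), (32767, "0.0.0.0/0", 0, 65535, "deny")],
}
# Stateful security groups: inbound allow rules only; source is a CIDR or a group. Port 0 = any.
SG = {"sg-alb": {"in": [("0.0.0.0/0", 443)]}, "sg-app": {"in": [("sg-alb", 443)]}}
MEMBERS = {"10.0.1.5": "sg-alb", "10.0.1.10": "sg-app"}

def route_for(ip, routes=ROUTES):
    """Longest-prefix match: the most specific destination wins, not the first listed."""
    addr = ipaddress.ip_address(ip)
    hits = [n for n in routes if addr in ipaddress.ip_network(n)]
    return routes[max(hits, key=lambda n: ipaddress.ip_network(n).prefixlen)] if hits else None

def nacl_verdict(direction, ip, port, nacl=NACL):
    """Walk rules by number; the first match decides. Each direction stands alone."""
    addr = ipaddress.ip_address(ip)
    for num, cidr, lo, hi, action in sorted(nacl[direction]):
        if addr in ipaddress.ip_network(cidr) and lo <= port <= hi:
            return action, num
    return "deny", "*"  # implicit final deny

def sg_allows(group, src_ip, port):
    """Allow-list only: a rule matches by CIDR or by the source's own group membership."""
    for source, p in SG[group]["in"]:
        src_ok = (MEMBERS.get(src_ip) == source if source.startswith("sg-")
                  else ipaddress.ip_address(src_ip) in ipaddress.ip_network(source))
        if src_ok and p in (0, port):
            return True
    return False

def trace(src, dst, dport, sport=50000, routes=ROUTES, nacl=NACL):
    """Page's checklist: route, subnet NACL, resource SG, then the stateless return half."""
    if route_for(src, routes) is None:
        return f"no route back to {src}"
    crosses = ipaddress.ip_address(src) not in ipaddress.ip_network(SUBNET)  # NACLs skip intra-subnet
    if crosses and nacl_verdict("in", src, dport, nacl)[0] == "deny":
        return f"NACL inbound denies {src} -> port {dport}"
    if not sg_allows(MEMBERS[dst], src, dport):
        return f"{MEMBERS[dst]} has no inbound rule for {src} on port {dport}"
    if crosses and nacl_verdict("out", src, sport, nacl)[0] == "deny":  # stateless return half
        return f"NACL outbound denies return traffic to {src}:{sport}"
    return "allowed"  # the security group is stateful, so the reply needs no extra rule
```

Calling `trace("203.0.113.7", "10.0.1.5", 443)` reports the NACL outbound denial even though the request itself was admitted; adding an outbound allow for 1024-65535 to the NACL turns it into "allowed", while the same client sent straight to 10.0.1.10 still stops at sg-app.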

9. Performance And Scaling

Route tables do not add application processing, but route choices affect path length, cross-AZ traffic, NAT dependency, inspection latency, and data transfer cost.

Security groups and NACLs are managed VPC controls, but rule sprawl creates human performance problems. Too many broad or overlapping rules make troubleshooting slow.

NACL rule order matters at scale. Leave numbering gaps so you can insert rules later without rewriting the entire list.

Security group references scale better than CIDR lists for app tiers because the relationship follows the group, not individual IP addresses.

For endpoints, load balancers, and databases, remember that each resource may have its own security group boundary. Connectivity often fails at the most specific layer.

10. Cost Model

Route tables, security groups, and NACLs do not have direct hourly charges.

Wrong rules can create indirect costs:

  • routing AWS service traffic through NAT when an endpoint would work
  • forcing cross-AZ paths unnecessarily
  • causing downtime through broken NACL return rules
  • exposing resources and increasing security response cost
  • overusing inspection appliances where simpler controls would work

Cost-aware VPC design is not just about service pricing. It is about choosing the shortest safe path that satisfies the requirement.

12. SAA-C03 Exam Signals

"No route to internet gateway" points to route table.

"Private instances need outbound internet access" points to route to NAT Gateway.

"Subnet-level stateless filtering" points to NACL.

"Allow and deny rules evaluated in order" points to NACL.

"Stateful firewall attached to EC2" points to security group.

"Allow traffic from the load balancer security group" points to security group.

"Return traffic automatically allowed" points to security group.

"Return traffic must be explicitly allowed" points to NACL.

13. Common Exam Traps

Do not troubleshoot routing problems only with security groups.

Do not forget that NACLs are stateless.

Do not add explicit deny rules to security groups. They only support allow rules.

Do not use subnet names to infer routing behavior. Inspect the route table.

Do not forget the application listener. VPC controls may allow traffic while the process is not listening.

Do not use NACLs as detailed per-instance policy. They apply to subnets.

Do not ignore AWS API authorization. Network reachability to an endpoint does not grant service permission.

Review Security Groups vs NACLs, VPC Networking Model, Public vs Private Subnets, and AWS Network Firewall.
