What is the difference between Security Groups and Network ACLs?

Security Groups act as a virtual firewall at the instance level, are stateful (return traffic is automatically allowed), and only support allow rules. Network ACLs operate at the subnet level, are stateless (return traffic must be explicitly allowed), and support both allow and deny rules. Security Groups evaluate all rules before deciding; NACLs process rules in order.