Which statement correctly differentiates security groups and Network ACLs?

Study for the Cloud and Collaboration Systems Test. Use flashcards and multiple choice questions, each with hints and detailed explanations. Prepare for your exam with confidence!

Multiple Choice

Which statement correctly differentiates security groups and Network ACLs?

Explanation:
Security groups are stateful, instance-level firewalls; NACLs are stateless, subnet-level filters. This distinction matters because a security group attached to an instance tracks connections, so if inbound traffic is allowed, the return traffic is automatically allowed outbound as part of that same connection. Security groups apply to the instance’s network interfaces, and you can assign multiple security groups to an instance for flexible permission sets. NACLs, by contrast, operate at the subnet boundary and apply to all traffic entering or leaving the subnet, with rules evaluated in order. Since NACLs are stateless, you must explicitly permit both directions for a given flow, as responses aren’t auto-allowed. This difference in scope (instance vs subnet) and statefulness (stateful vs stateless) is what makes the stated differentiation correct. The other descriptions don’t fit because they swap where the filtering happens or misstate whether the filtering is stateful or stateless.
