NACL:
- Network Access Control List.
- Stateful - Return traffic must be explicitly defined.
- Rules for which subnets can go inbound and outbound.
- Firewall at the subnet level.
- Supports allow and deny rules.
Security Groups:
- Stateless - Return traffic is automatically allowed.
- Firewall at the instance level.
- Only supports allow rules.