DevOpsLabTH.dev

Network security, security groups and NACLs

A VPC has two firewall layers. Security groups guard each instance and are stateful, so return traffic for an allowed connection is permitted automatically. Network ACLs guard each subnet and are stateless, so both directions must be allowed explicitly. The goal is to know which layer does what and to recognize the stateful-versus-stateless trap.
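
The trap described above, as an added example that is not part of the lab itself: a small Python model that follows one inbound HTTPS request and its reply through both layers. All names are hypothetical and the rule sets are constructed; the model matches TCP destination ports only, ignores CIDRs, and also shows NACL rule ordering (lowest rule number that matches wins), which goes slightly beyond the paragraph.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class NaclRule:               # hypothetical model, not an AWS API type
    number: int               # lower number is evaluated first
    lo: int                   # destination port range, inclusive
    hi: int
    allow: bool

def nacl_allows(rules, port):
    """Stateless check: the first matching rule by number decides; no match is a deny."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.lo <= port <= rule.hi:
            return rule.allow
    return False

def sg_allows(port_ranges, port):
    """Security groups hold allow rules only; any match admits the packet."""
    return any(lo <= port <= hi for lo, hi in port_ranges)

def round_trip(sg_in, nacl_in, nacl_out, server_port, client_port):
    """Follow one inbound request and its reply; report where it stops."""
    # Request: crosses the subnet boundary (NACL), then reaches the instance (SG).
    if not nacl_allows(nacl_in, server_port):
        return "request dropped by NACL inbound"
    if not sg_allows(sg_in, server_port):
        return "request dropped by security group"
    # Reply: the SG tracks the connection, so no outbound SG rule is consulted.
    # The NACL keeps no state and matches the reply on the client's ephemeral port.
    if not nacl_allows(nacl_out, client_port):
        return "reply dropped by NACL outbound"
    return "ok"

# Constructed sample configuration for an HTTPS server.
SG_IN = [(443, 443)]
NACL_IN = [NaclRule(100, 443, 443, True)]
NACL_OUT_TRAP = [NaclRule(100, 443, 443, True)]        # mirrors inbound: the trap
NACL_OUT_FIXED = [NaclRule(100, 1024, 65535, True)]    # ephemeral reply ports
NACL_OUT_SHADOWED = [NaclRule(90, 50000, 50000, False)] + NACL_OUT_FIXED

if __name__ == "__main__":
    for name, out in [("trap", NACL_OUT_TRAP), ("fixed", NACL_OUT_FIXED),
                      ("shadowed", NACL_OUT_SHADOWED)]:
        print(name, "->", round_trip(SG_IN, NACL_IN, out, 443, 50000))
```

The "trap" rule set looks symmetric and still breaks every connection, because the reply leaves the subnet addressed to the client's ephemeral port, not to 443.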
