Episode 106 — NACL vs NSG: stateless/stateful thinking and inbound/outbound logic
CloudNetX scenarios often include cloud filtering controls that sound similar but behave differently, and the exam expects you to reason about state, direction, and enforcement scope. This episode defines network ACLs (NACLs) as stateless filters applied at a subnet boundary, meaning inbound and outbound rules are evaluated independently and return traffic must be explicitly allowed. It defines network security groups (NSGs) as stateful filters applied to interfaces or resources, meaning return traffic is automatically allowed when a session is permitted. The first part of the episode focuses on what this difference implies in design: NACLs are best treated as coarse guardrails that reduce broad exposure for entire subnets, while NSGs support more targeted policy at the workload level. It also explains why inbound and outbound logic must be read carefully in scenarios, because misapplied directionality is a common cause of “it should work but it doesn’t” outcomes.
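The stateless/stateful difference described above, as an added example that is not part of the episode. It is a simplified model: rules match on destination port only, both filters default to deny, and all class names, function names and addresses are hypothetical.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    def reply(self):
        # Return traffic swaps the endpoints, so its destination port is the client's ephemeral port.
        return Packet(self.dst, self.dport, self.src, self.sport)

@dataclass(frozen=True)
class Rule:
    direction: str   # "in" or "out", relative to the protected subnet or interface
    port_lo: int     # allowed destination port range (inclusive)
    port_hi: int

def rule_allows(rules, direction, pkt):
    return any(r.direction == direction and r.port_lo <= pkt.dport <= r.port_hi for r in rules)

class StatelessACL:
    """NACL-style: every packet is judged alone against the rules for its direction."""
    def __init__(self, rules):
        self.rules = rules
    def permit(self, direction, pkt):
        return rule_allows(self.rules, direction, pkt)

class StatefulGroup:
    """NSG-style: a permitted packet records its flow; the reverse of a known flow passes."""
    def __init__(self, rules):
        self.rules, self.flows = rules, set()
    def permit(self, direction, pkt):
        if pkt.reply() in self.flows:        # return traffic of an allowed session
            return True
        if rule_allows(self.rules, direction, pkt):
            self.flows.add(pkt)
            return True
        return False

def round_trip(filt, request):
    """Return (request_allowed, reply_allowed) for a client request arriving inbound."""
    req_ok = filt.permit("in", request)
    return req_ok, req_ok and filt.permit("out", request.reply())

# Constructed sample flow: external client on an ephemeral port to an HTTPS workload.
REQUEST = Packet("203.0.113.10", 51514, "10.0.1.5", 443)
INBOUND_HTTPS = [Rule("in", 443, 443)]
WITH_RETURN = INBOUND_HTTPS + [Rule("out", 1024, 65535)]   # explicit ephemeral return rule

if __name__ == "__main__":
    print("NACL, inbound rule only:   ", round_trip(StatelessACL(INBOUND_HTTPS), REQUEST))
    print("NACL, plus outbound return:", round_trip(StatelessACL(WITH_RETURN), REQUEST))
    print("NSG, inbound rule only:    ", round_trip(StatefulGroup(INBOUND_HTTPS), REQUEST))
```

The first case is the “it should work but it doesn’t” outcome: the request is admitted but the reply is dropped until the outbound ephemeral range is allowed.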