Hi @bcagrawal Security groups apply at the instance level. So you can have a subnet with multiple instances and each instance can have a different security group with different ports allowed. The NACL applies at the subnet level. So you would have to allow all ports necessary for all of the instances within a subnet, but you can then allow only the specific ports necessary for each instance by assigning different security groups to instances that need different traffic allowed.
The main valid use case I've seen for ACLs is: I have a private subnet housing my application servers and databases, and I only want to allow the subnets where my bastion hosts and web servers reside to talk to the resources in those private subnets. Instead of including rules in all those security groups, I can make an ACL rule and open my security groups wide enough to be stateless.
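The layering described in this reply, written out as an added Terraform example (not code from the post or from AWS). It assumes placeholder VPC, subnet and security group IDs and three constructed subnets: bastion 10.0.0.0/24, web 10.0.1.0/24 and the private app subnet 10.0.2.0/24.

```hcl
# Added example, not from the post. All IDs and CIDRs are placeholders:
# bastion subnet 10.0.0.0/24, web subnet 10.0.1.0/24, private app subnet 10.0.2.0/24.
variable "vpc_id"            { default = "vpc-PLACEHOLDER" }
variable "private_subnet_id" { default = "subnet-PLACEHOLDER" }
variable "web_sg_id"         { default = "sg-PLACEHOLDER-web" }

# Subnet-level NACL: coarse, stateless, applies to every instance in the subnet.
resource "aws_network_acl" "private" {
  vpc_id     = var.vpc_id
  subnet_ids = [var.private_subnet_id]

  ingress {                      # SSH only from the bastion subnet
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "10.0.0.0/24"
    from_port  = 22
    to_port    = 22
  }
  ingress {                      # app traffic only from the web subnet
    rule_no    = 110
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "10.0.1.0/24"
    from_port  = 8080
    to_port    = 8080
  }
  egress {                       # NACLs are stateless: replies leave on ephemeral ports
    rule_no    = 100
    protocol   = "tcp"
    action     = "allow"
    cidr_block = "10.0.0.0/16"
    from_port  = 1024
    to_port    = 65535
  }
}

# Instance-level SG: stateful, so no ephemeral-port rule is needed; attach a
# different SG to each instance role to narrow ports further (8080 for app only).
resource "aws_security_group" "app" {
  name   = "app-servers"
  vpc_id = var.vpc_id
  ingress {
    from_port       = 8080
    to_port         = 8080
    protocol        = "tcp"
    security_groups = [var.web_sg_id]
  }
}
```

Because a custom NACL denies everything not listed, connections the app instances initiate themselves (package updates, for example) need their own ingress rule for ephemeral reply ports; a stateful security group alone would not need it.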