Two firewalls act on a packet inside a VPC, one after the other: the NACL (Network ACL) at the subnet boundary, and the Security Group at the instance (more precisely, the ENI) boundary. These two look similar but work in fundamentally different ways, and that difference is the point that shows up most often on the exam. The difference between the two firewalls ultimately comes down to three axes — stateful vs stateless, role-based vs network-based, and whitelist-only vs blacklist-capable — and these three axes are also the basic taxonomy of all firewall design.
Today we cover the real difference between SG and NACL, and VPC Flow Logs, which let you retroactively analyze what happened on top of them